Notice of OpenAM security vulnerability and product updates [AM20141106-1]

Announcement of product updates

Updated versions of OSSTech OpenAM 9.5.5 and 11.0.0 are now available.

Please apply the updated version that corresponds to your deployment; it contains the fixes for the security vulnerabilities described below.

Vulnerability Details

The following security vulnerabilities were found in OpenAM. We recommend updating the package to address them.

  • DoS vulnerability in session forwarding
    Affected versions: OpenAM 9.5.3 and later
    Severity: <Critical>
    The above versions contain a denial of service (DoS) vulnerability.
    When two or more OpenAM servers are configured for redundancy, an authenticated attacker can send a request that triggers an infinite forwarding loop between the servers. The loop requires a multi-server configuration; a single server does not forward to itself.
  • XSS vulnerability in the Secure Attribute Exchange (SAE) endpoint
    Affected versions: all versions of OpenAM
    Severity: <High>
    The above versions contain a cross-site scripting (XSS) vulnerability in the SAE endpoint.
    The vulnerability is exploitable when both the SAML IdP and the SP are built on OpenAM and SAE is in use.

Non-security fixes

The updated versions also include fixes that are not security related. Please refer to the corresponding release notes for details.

How to Obtain Update Packages

Please contact our customer support with the following information about your OpenAM environment: operating system, OpenAM version, and any customization (such as plug-ins), together with your support ID, company name and contact person.

※ For environments not listed below, please contact Customer Support.

  1. Operating system
    • Red Hat Enterprise Linux 6 (x86-64)
    • Red Hat Enterprise Linux 5 (x86)
    • Red Hat Enterprise Linux 5 (x86-64)
  2. OpenAM version
    If OpenAM was installed from the RPM package, check the installed version with the following command:
     # rpm -qa | grep osstech-openam
  3. Customization
    The standard update procedure cannot be used in the following cases. If your deployment falls under one of them, please tell us which, and we will provide customized update steps.
    1. A customized module is in use
      • The screens (UI) have been customized
      • A customized authentication module is in use
    2. OpenAM is deployed differently from our standard layout
      • The OS-supplied Tomcat is used rather than the Tomcat under /opt/osstech
      • The war file has been renamed from "openam.war"
        • Standard deployment destination for OpenAM 11.0.0:
          /opt/osstech/share/tomcat7/webapps/openam
        • Standard deployment destination for OpenAM 9.5.5:
          /opt/osstech/share/tomcat6/webapps/openam.war
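As a practical complement to the three items above, the following pre-update inventory script collects what support asks for and flags deployments where the standard update steps do not apply. It is an added example, not OSSTech's own tooling. It assumes the package is named osstech-openam-<version>-<release>.<arch> (the advisory shows only the osstech-openam prefix), that the OS release is read from /etc/redhat-release, and that the OSSTech-bundled Tomcat lives under /opt/osstech/, as the standard deployment paths above imply. It reports the OS major release, the installed OpenAM version, the expected standard deployment path, which Tomcat the webapps directory belongs to, and whether openam.war (or the exploded openam/ directory) is still in place.

```shell
#!/bin/sh
# Pre-update inventory for an OSSTech OpenAM host.
# Added example, not OSSTech's own tooling. Gathers what the advisory asks you
# to report to support (OS release, OpenAM package version, deployment layout)
# and flags layouts where the standard update steps do not apply.
#
# Assumptions not stated in the advisory:
#   - the package is named osstech-openam-<version>-<release>.<arch>
#     (the advisory only shows the "osstech-openam" prefix)
#   - the OS release string is read from /etc/redhat-release
#   - the OSSTech-bundled Tomcat lives under /opt/osstech/, matching the
#     standard deployment destinations the advisory lists

# Major OS release from a redhat-release line:
# "Red Hat Enterprise Linux Server release 6.5 (Santiago)" -> 6
rhel_major() {
  printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p'
}

# OpenAM package version from `rpm -qa` output (one package per line),
# or "none" when no osstech-openam package is installed.
openam_rpm_version() {
  v=$(printf '%s\n' "$1" | sed -n 's/^osstech-openam-\([0-9][0-9.]*\)-.*/\1/p' | head -n 1)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'none\n'; fi
}

# Standard deployment destination for the two versions covered by the advisory.
standard_deploy_path() {
  case "$1" in
    11.0.0) printf '%s\n' /opt/osstech/share/tomcat7/webapps/openam ;;
    9.5.5)  printf '%s\n' /opt/osstech/share/tomcat6/webapps/openam.war ;;
    *)      printf 'unknown\n' ;;
  esac
}

# Which Tomcat a webapps directory belongs to: "osstech" for the bundled one
# under /opt/osstech/, "os" for an OS-supplied Tomcat (non-standard layout).
tomcat_kind() {
  case "$1" in
    /opt/osstech/*) printf 'osstech\n' ;;
    *)              printf 'os\n' ;;
  esac
}

# "standard" when the webapps directory holds openam.war or the exploded
# openam/ directory; "nonstandard" when the war was renamed or nothing is there.
deploy_layout() {
  for f in "$1"/openam.war "$1"/openam; do
    [ -e "$f" ] && { printf 'standard\n'; return 0; }
  done
  printf 'nonstandard\n'
}

# Takes rpm -qa output, the redhat-release line and the webapps directory;
# prints one "key: value" line per item and whether the standard update applies.
# Customized UI screens and auth modules are not detectable from the layout
# and must be reported separately.
inventory_report() {
  rpm_out=$1; release=$2; webapps=$3
  ver=$(openam_rpm_version "$rpm_out")
  printf 'os_major: %s\n'       "$(rhel_major "$release")"
  printf 'openam_version: %s\n' "$ver"
  printf 'standard_path: %s\n'  "$(standard_deploy_path "$ver")"
  printf 'tomcat: %s\n'         "$(tomcat_kind "$webapps")"
  printf 'layout: %s\n'         "$(deploy_layout "$webapps")"
  if [ "$(tomcat_kind "$webapps")" = osstech ] && [ "$(deploy_layout "$webapps")" = standard ]; then
    printf 'standard_update: yes\n'
  else
    printf 'standard_update: no (contact support for customized update steps)\n'
  fi
}

# Live run only on a host that has rpm and /etc/redhat-release; the optional
# first argument overrides the webapps directory to inspect.
if command -v rpm >/dev/null 2>&1 && [ -r /etc/redhat-release ]; then
  rpm_out=$(rpm -qa)
  ver=$(openam_rpm_version "$rpm_out")
  webapps_dir=${1:-$(dirname "$(standard_deploy_path "$ver")")}
  inventory_report "$rpm_out" "$(cat /etc/redhat-release)" "$webapps_dir"
else
  # Constructed sample input (not output from any real host) so the report can
  # be demonstrated offline; the temp dir is outside /opt/osstech and is
  # therefore reported as an OS-supplied Tomcat layout.
  sample_rpm='osstech-openam-11.0.0-2.el6.x86_64
httpd-2.2.15-1.el6.x86_64'
  sample_dir=$(mktemp -d); mkdir "$sample_dir/openam"
  inventory_report "$sample_rpm" 'Red Hat Enterprise Linux Server release 6.5 (Santiago)' "$sample_dir"
  rm -rf "$sample_dir"
fi
```

Run it on the OpenAM host as `sh openam-inventory.sh /path/to/webapps` when the war was deployed somewhere other than the standard destination; the `standard_update: no` line is the signal to describe the deviation to support rather than following the standard steps.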
© 2019 Open Source Solution Technology Corporation, All Rights Reserved.
Contact: info @ osstech.co.jp