Notice of OpenAM security vulnerability and product updates [AM20171101-1]

OpenAM Product Update Notice

We have released an update of OSSTech OpenAM.

Please apply this update since it includes a fix for the security vulnerability as described below.

Affected Products

  • OpenAM 9.5.5
    • osstech-openam-9.5.5-41 and previous versions
  • OpenAM 11.0.0
    • osstech-openam11-11.0.0-112 and previous versions
  • OpenAM 13.0.0
    • osstech-openam13-13.0.0-73 and previous versions

Vulnerability Details

Authentication bypass vulnerability in SAML 2.0 IdP

  • Versions Affected: All versions of OpenAM
  • CVSS Severity Level: Medium

An authentication bypass vulnerability exists in all versions of OpenAM.
Even in a configuration that requires an additional authentication factor such as OTP, a malicious user can bypass that factor and be authenticated by providing only a user ID and password.
This vulnerability is applicable only when OpenAM is configured as a SAML 2.0 IdP that switches authentication methods based on a received authentication context.

Resolution

Update to the latest fixed version.

How to Obtain an Update Package

Please contact our customer support with information on your OpenAM environment: Operating System (listed below), OpenAM version and use of customization (such as plug-ins), as well as your support ID, company name and contact person name.

※ For environments that do not appear below, please contact Customer Support.

  1. OS Versions
    • RedHat Enterprise Linux 7 (x86-64)
    • RedHat Enterprise Linux 6 (x86-64)
  2. OpenAM Version
    The following command can be used to check the version if OpenAM has been installed as an RPM package.

    # rpm -qa | grep osstech
  3. Use of customization
    The standard update procedure can not be used for the following cases. Please let us know which case your deployment comes under when you contact us. We will inform you of individualized update steps.
    1. Use of customized modules
      • Some of the user interfaces have been customized.
      • Customized authentication modules are being used.
    2. Deployment configuration different from our standard
      • OS bundled Tomcat is being used.
      • The war file name has been changed from "openam.war".
        • Standard deployment destination in OpenAM 13.0.0:
          • /opt/osstech/share/tomcat/webapps/openam
        • Standard deployment destination in OpenAM 11.0.0:
          • /opt/osstech/share/tomcat7/webapps/openam
        • Standard deployment destination in OpenAM 9.5.5:
          • /opt/osstech/share/tomcat6/webapps/openam.war
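As an added example (not part of the OSSTech notice), the following POSIX shell script classifies the package names printed by the `rpm -qa | grep osstech` command from step 2 against the affected releases listed under Affected Products: releases at or below 9.5.5-41, 11.0.0-112 and 13.0.0-73 are reported as affected. The sample package list is constructed, and the assumption that rpm appends a dist/arch suffix such as `.el7.noarch` to the release number is mine, not the notice's.

```shell
#!/bin/sh
# Added example: map osstech-openam RPM names to the affected releases in
# notice AM20171101-1. Not part of the notice; the package list below is
# constructed and the ".el7.noarch" suffix handling is an assumption.

# Print "affected", "not-affected" or "unknown" for one package name.
check_pkg() {
    pkg=$1
    case $pkg in
        osstech-openam-9.5.5-*)    max=41  ;;   # osstech-openam-9.5.5-41 and earlier
        osstech-openam11-11.0.0-*) max=112 ;;   # osstech-openam11-11.0.0-112 and earlier
        osstech-openam13-13.0.0-*) max=73  ;;   # osstech-openam13-13.0.0-73 and earlier
        *) echo "unknown"; return 0 ;;          # not a package this notice covers
    esac
    # Release number: text after the last '-', with any dist/arch suffix removed.
    rel=${pkg##*-}
    rel=${rel%%.*}
    case $rel in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;   # release field is not numeric
    esac
    if [ "$rel" -le "$max" ]; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Report one line per package read from stdin (one package name per line).
report() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\t%s\n' "$(check_pkg "$line")" "$line"
    done
}

# Constructed sample of what `rpm -qa | grep osstech` might print on a host.
SAMPLE='osstech-openam13-13.0.0-73.el7.noarch
osstech-openam13-13.0.0-74.el7.noarch
osstech-openam11-11.0.0-112
osstech-openam-9.5.5-40.el6.noarch
osstech-tomcat-8.5.0-1.el7.x86_64'

# On a real host, replace the sample with:  rpm -qa | grep osstech | report
printf '%s\n' "$SAMPLE" | report
```

Only packages named in the notice are classified; anything else (including a non-numeric release field) is reported as unknown so that it is checked by hand rather than silently passed.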

Release Notes

© 2021 Open Source Solution Technology Corporation, All Rights Reserved.
Contact: info @ osstech.co.jp