Notice of OpenAM security vulnerability and product updates [AM20181012-1]

We have released an update of OSSTech OpenAM.

Please apply this update since it includes a fix for the security vulnerability as described below.

• OpenAM 13.0.0
  • osstech-openam13-13.0.0-120 and previous versions

• Versions Affected: OpenAM 13.0.0
• CVSS Severity Level: Medium

A vulnerability caused by improper session management exists in OpenAM.
Users who can log in to OpenAM can rewrite secret questions of other users and then change their passwords.
This vulnerability is exploitable when secret questions in the self-service functionality is enabled.

Update to the latest fixed version.

Please contact our customer support with information on your OpenAM environments, Operating Systems (listed below), OpenAM version and use of customization (such as plugin-ins) as well as support ID, company name and contact person name.

※ For environments that do not appear below, please contact Customer Support.

1. OS Versions
   • RedHat Enterprise Linux 7 (x86-64)
2. OpenAM Version
   The following command can be used to check the version if OpenAM has

been installed as an RPM package.

# rpm -qa | grep osstech

1. Use of customization
   The standard update procedure can not be used for the following cases. Please let us know which case your deployment comes under when you contact us. We will inform you of individualized update steps.
   1. Use of customized modules
      • Some of the user interfaces have been customized.
      • Customized authentication modules are being used.
   2. Deployment configuration different from our standard
      • Standard deployment destination in OpenAM 13.0.0:
        • /opt/osstech/share/tomcat/webapps/openam

• OpenAM 13.0.0 Release Notes (Japanese version Only)