Notice of OpenAM security vulnerability and product updates [AM20181012-1]

OpenAM Product Update Notice

We have released an update of OSSTech OpenAM.

Please apply this update, as it includes a fix for the security vulnerability described below.

Affected versions

  • OpenAM 13.0.0
    • osstech-openam13-13.0.0-120 and previous versions

Vulnerability Details

An improper session management vulnerability in user self-service

  • Versions Affected: OpenAM 13.0.0
  • CVSS Severity Level: Medium

A vulnerability caused by improper session management exists in OpenAM.
Users who can log in to OpenAM can rewrite secret questions of other users and then change their passwords.
This vulnerability is exploitable when secret questions in the self-service functionality are enabled.

Resolution

Update to the latest fixed version.

How to Obtain an Update Package

Please contact our customer support with the following information about your OpenAM environment: operating system, OpenAM version and use of customization (such as plug-ins), as well as your support ID, company name and contact person name. Details for each item are listed below.

※ For environments that do not appear below, please contact Customer Support.

  1. OS Versions
    • RedHat Enterprise Linux 7 (x86-64)
  2. OpenAM Version
    The following command can be used to check the version if OpenAM has been installed as an RPM package.

    # rpm -qa | grep osstech
  3. Use of customization
    The standard update procedure cannot be used in the following cases. Please let us know which case applies to your deployment when you contact us. We will inform you of individualized update steps.
    1. Use of customized modules
      • Some of the user interfaces have been customized.
      • Customized authentication modules are being used.
    2. Deployment configuration different from our standard
      • Standard deployment destination in OpenAM 13.0.0:
        • /opt/osstech/share/tomcat/webapps/openam
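
The version check above can be scripted so that the installed release is compared against the affected range stated in this notice (osstech-openam13-13.0.0-120 and previous). The following is an added example, not part of the original notice or OSSTech's tooling; the function names are hypothetical, and it assumes the RPM release field begins with the numeric build number, optionally followed by a suffix such as ".el7.x86_64".

```shell
#!/bin/sh
# Added example: classify package strings from `rpm -qa` against the
# affected range in this notice (osstech-openam13-13.0.0-120 and previous).
# Assumption: the release field starts with the numeric build number.

AFFECTED_MAX_RELEASE=120   # highest affected release, from the notice

# openam_status PKG -> prints one of:
#   affected     13.0.0 with release <= 120
#   above-range  13.0.0 with release > 120 (the notice does not name the
#                fixed release, so confirm it with customer support)
#   not-listed   anything the notice does not cover
openam_status() {
    case "$1" in
        osstech-openam13-13.0.0-*) ;;
        *) echo "not-listed"; return 0 ;;
    esac
    rel=${1#osstech-openam13-13.0.0-}
    # Keep only the leading digits (drops ".el7.x86_64" and similar).
    num=${rel%%[!0-9]*}
    if [ -z "$num" ]; then
        echo "not-listed"
    elif [ "$num" -le "$AFFECTED_MAX_RELEASE" ]; then
        echo "affected"
    else
        echo "above-range"
    fi
}

# Reads `rpm -qa` style lines on stdin, prints a status per OpenAM 13
# package, and returns 1 if any package is in the affected range.
check_openam_packages() {
    rc=0
    while IFS= read -r pkg; do
        case "$pkg" in
            osstech-openam13-[0-9]*) ;;
            *) continue ;;
        esac
        st=$(openam_status "$pkg")
        printf '%s\t%s\n' "$pkg" "$st"
        if [ "$st" = "affected" ]; then rc=1; fi
    done
    return "$rc"
}

# Usage on a host:  rpm -qa | check_openam_packages
```

A non-zero exit status means at least one installed package falls in the affected range and the update should be requested.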

Release Notes

© 2019 Open Source Solution Technology Corporation, All Rights Reserved.
Contact: info @ osstech.co.jp