Published:2018/10/12 Last Updated:2018/10/12
JVN#49995005
OpenAM (Open Source Edition) vulnerable to session management
Overview
OpenAM (Open Source Edition) contains a vulnerability in session management.
Products Affected
- OpenAM (Open Source Edition) 13.0 and later
Description
OpenAM (Open Source Edition) contains a vulnerability in session management.
Impact
A user who can login to the product may change the security questions and reset the login password.
Solution
Apply the Patch
Patch for this vulnerability has been released by OpenAM Consortium.
Apply the patch according to the information provided by OpenAM Consortium.
Apply a Workaround
The following workaround may mitigate the effects of this vulnerability.
- Disable the Security Questions function for password resetting
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| FUJITSU LIMITED | Not Vulnerable | 2018/10/12 | |
| OGIS-RI Co.,Ltd. | Vulnerable | 2018/10/12 | |
| Open Source Solution Technology Corporation | Vulnerable | 2018/10/12 | Open Source Solution Technology Corporation website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Base Score:
5.0
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
CVSS v2
AV:N/AC:L/Au:S/C:P/I:N/A:N
Base Score:
4.0
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2018-0696 |
| JVN iPedia |
JVNDB-2018-000107 |