JVN#65559247
OpenAM vulnerable to denial-of-service (DoS)
Overview
OpenAM provided by ForgeRock contains a denial-of-service (DoS) vulnerability.
Products Affected
- OpenAM 9.5.3-9.5.5, 10.0.0-10.0.2, 10.1.0-Xpress, 11.0.0-11.0.2
Description
OpenAM provided by ForgeRock is an open source access management software. OpenAM contains a denial-of-service (DoS) vulnerability due to a flaw in processing Cookies (CWE-400).
Impact
When an OpenAM system is running "site" configuration with multiple instances, an authenticated attacker may be able to cause a denial-of-service (DoS).
Solution
Apply a Patch
Apply the appropriate patch according to the information provided by the developer.
Vendor Status
Vendor | Link
---|---
ForgeRock | 5th Nov 2014: OpenAM Security Advisory #201404
 | FishEye: changeset 11248
Open Source Solution Technology Corporation | Notice of OpenAM security vulnerability and product updates [AM20141106-1]
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.11.10 (CVSS Base Metrics)
Metric | Possible values | Assessed value | Description
---|---|---|---
Access Vector (AV) | Local (L), Adjacent Network (A), Network (N) | Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable".
Access Complexity (AC) | High (H), Medium (M), Low (L) | Low (L) | Specialized access conditions or extenuating circumstances do not exist.
Authentication (Au) | Multiple (M), Single (S), None (N) | Single (S) | The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface).
Confidentiality Impact (C) | None (N), Partial (P), Complete (C) | None (N) | There is no impact to the confidentiality of the system.
Integrity Impact (I) | None (N), Partial (P), Complete (C) | None (N) | There is no impact to the integrity of the system.
Availability Impact (A) | None (N), Partial (P), Complete (C) | Complete (C) | There is a total shutdown of the affected resource.
Base Score: 6.8
Credit
Yasushi IWAKATA of Open Source Solution Technology Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Source | Reference
---|---
JPCERT Alert |
JPCERT Reports |
CERT Advisory |
CPNI Advisory |
TRnotes |
CVE | CVE-2014-7246
JVN iPedia | JVNDB-2014-000129
Update History
- 2014/11/11
- Information under the section "Vendor Status" was updated.
- 2014/11/20
- Information under the section "Vendor Status" was added.