Information Disclosure – ForgeRock OpenIDM 4.0.0 and 4.5.0

Security vulnerabilities have been discovered in OpenIDM components including the Info Service, Self-Service UI and Admin UI. These issues are present in versions of OpenIDM including 4.0.0 and 4.5.0.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Medium. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade, or to deploy the relevant patches. Patch bundles are available for the following versions:

  • 4.0.0
  • 4.5.0

Customers can obtain these patch bundles from BackStage.

Product: OpenIDM
Affected versions: 4.0.0
Fixed versions: 4.5.0
Component: Info Service
Severity: Medium

Description:

The OpenIDM info endpoint may leak sensitive information under certain circumstances. Looking closely, I noticed that among the requests for access to the IDM solution there were several requests on behalf of a user, "anonymous"; editing these requests, I got a return code 200 containing information from the internal server, such as IP addresses, thus characterizing an information disclosure vulnerability.

Report Timeline
************************
10-Jan-2017 - Reported
11-Jan-2017 - Vendor response
28-March-2017 - Vendor fixed
08-April-2017 - Publicly disclosed

POC:


Vendor Reference
*****************
https://backstage.forgerock.com/knowledge/kb/article/a92936505

References
*****************


Workaround:

Modify the OpenIDM bin/defaults/script/info/login.js script and change the following at line 28:

        return context.security;

to the following:

        return {
            _id: "login",
            authorization: context.security.authorization,
            authenticationId: context.security.authenticationId
        };
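The following is an added example, not code from the advisory or from the OpenIDM project. It models the difference between the original `return context.security;` in login.js and the allow-listed object from the workaround, and adds a small check that reports which fields of the security context the filtered response no longer exposes. The `context` object is constructed sample data; the field names `internalHost` and `sessionToken` are invented stand-ins for server-side details and are not claimed to be real OpenIDM fields.

```javascript
// Added example (not from the advisory or OpenIDM): compare the unfiltered
// info/login response with the workaround's allow-listed response.

// Unfiltered: what the original script returned (the whole security context).
function loginInfoUnfiltered(context) {
  return context.security;
}

// Filtered: the workaround's allow-list of fields the info endpoint may expose.
function loginInfoFiltered(context) {
  return {
    _id: "login",
    authorization: context.security.authorization,
    authenticationId: context.security.authenticationId
  };
}

// Keys present in the unfiltered response that the allow-list drops.
// Handy as a regression check that internal details never reach the caller.
function leakedKeys(context) {
  const allowed = new Set(Object.keys(loginInfoFiltered(context)));
  return Object.keys(loginInfoUnfiltered(context)).filter(k => !allowed.has(k));
}

// Constructed sample request context for an anonymous caller. "internalHost" and
// "sessionToken" are made-up field names standing in for the kind of server-side
// detail the advisory says the endpoint could expose; they are not real OpenIDM fields.
const sampleContext = {
  security: {
    authenticationId: "anonymous",
    authorization: { id: "anonymous", component: "repo/internal/user", roles: ["openidm-reg"] },
    internalHost: "10.0.0.12",           // constructed
    sessionToken: "CONSTRUCTED-TOKEN"    // constructed
  }
};

// Stand-alone run: print the filtered response and the fields it drops.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(loginInfoFiltered(sampleContext), null, 2));
  console.log("dropped:", leakedKeys(sampleContext));
}
```

Running the block prints only `_id`, `authorization` and `authenticationId`, and lists the two constructed fields as dropped; any field later added to the security context is dropped by default because the workaround enumerates what to return rather than what to remove.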

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
