GHSA-4mh8-9wq6-rjxg: OpenAM vulnerable to user impersonation using SAMLv1.x SSO process

Impact

OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet.

Patches

This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later.

Workarounds

Comment out the SAMLPOSTProfileServlet servlet in web.xml, or disable SAML in OpenAM:

<servlet>
    <description>SAMLPOSTProfileServlet</description>
    <servlet-name>SAMLPOSTProfileServlet</servlet-name>
    <servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class>
</servlet>
...
<servlet-mapping>
    <servlet-name>SAMLSOAPReceiver</servlet-name>
    <url-pattern>/SAMLSOAPReceiver</url-pattern>
</servlet-mapping>
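
To check whether an install is still within the affected range and whether the web.xml workaround above has actually been applied, here is an added audit helper (example code, not OpenAM's own). The web.xml fragments are constructed from the advisory's snippet, and handling a default XML namespace on web-app is an assumption about real deployments.

```python
"""Audit helper for GHSA-4mh8-9wq6-rjxg / CVE-2023-37471 (added example, not OpenAM code).
The web.xml fragments are constructed from the advisory's snippet, not a real deployment."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (14, 7, 3)  # advisory: affected versions are < 14.7.3
SERVLET_NAME = "SAMLPOSTProfileServlet"
WEB_XML_BEFORE = """<web-app>
  <servlet>
    <servlet-name>SAMLPOSTProfileServlet</servlet-name>
    <servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class>
  </servlet>
</web-app>"""
# Same fragment with the workaround applied: the servlet declaration is commented out.
WEB_XML_AFTER = """<web-app>
  <!--
  <servlet>
    <servlet-name>SAMLPOSTProfileServlet</servlet-name>
    <servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class>
  </servlet>
  -->
</web-app>"""

def parse_version(version: str) -> tuple:
    """'14.7.2-SNAPSHOT' -> (14, 7, 2); the qualifier is ignored, matching the advisory's range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip a default namespace (assumed present in real web.xml)

def active_servlets(web_xml: str) -> set:
    """servlet-names declared by live <servlet> elements; commented-out ones are never parsed."""
    names = set()
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "servlet":
            for child in el:
                if _local(child.tag) == "servlet-name":
                    names.add((child.text or "").strip())
    return names

def workaround_applied(web_xml: str) -> bool:
    return SERVLET_NAME not in active_servlets(web_xml)

def still_exposed(version: str, web_xml: str) -> bool:
    return is_affected(version) and not workaround_applied(web_xml)
```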

References

#624


Critical severity GitHub Reviewed Published Jul 20, 2023 in OpenIdentityPlatform/OpenAM • Updated Jul 20, 2023

Package

maven org.openidentityplatform.openam:openam-federation-library (Maven)

Affected versions

< 14.7.3

References

  • GHSA-4mh8-9wq6-rjxg
  • https://nvd.nist.gov/vuln/detail/CVE-2023-37471
  • OpenIdentityPlatform/OpenAM#624
  • OpenIdentityPlatform/OpenAM@7c18543

Published to the GitHub Advisory Database

Jul 20, 2023

Last updated

Jul 20, 2023

Related news

CVE-2023-37471: GHSL-2023-143, GHSL-2023-144, deny unsigned SAML response by maximthomas · Pull Request #624 · OpenIdentityPlatform/OpenAM

Open Access Management (OpenAM) is an access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security. OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet. This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later. Users unable to upgrade should comment out the `SAMLPOSTProfileServlet` servlet in their pom file. See the linked GHSA for details.