ForgeRock / openam-community-edition

Access Management - AuthN, AuthZ, SSO, Federation
https://forgerock.github.io/openam-community-edition/

Significant security issues #34

Open pearj opened 6 years ago

pearj commented 6 years ago

This is more of a community service announcement, this version of OpenAM is known to have the following number of security issues.

Totalling: 3 Critical, 13 High, 6 Medium, 2 Low

I checked on the forums if these security fixes would be made available, but it looks like the security fixes are subscription only. https://forum.forgerock.com/topic/openam-community-edition-and-security-advisory-201608

A lot of the security fixes do have workarounds, so that's probably the way to avoid them I suppose.

FireBurn commented 6 years ago

OK so I've gone through the list, some of these have fixes available. Below are the ones that affect the community edition, their criticality, the git commit of the newer fix, whether it applies cleanly to the community edition branch (using git cherry-pick) and whether it then compiles. I'll do some preliminary testing and see how easy to port the other patches are. I'm not a Java dev so if anyone else is more experienced I'd be grateful if they'd have a look. We don't have patches for OPENAM-7125, OPENAM-5659 & OPENAM-9479. There is a chance the fixes are in the repo somewhere but perhaps under a different name.

| ID | Severity | Git Hash | Applies | Compiles | Issue |
|---|---|---|---|---|---|
| OPENAM-7364 | Critical | 1919390f93ec8db650084d8b1bf252bf71f37b0b | N | | |
| OPENAM-6373 | High | 42e6f052c417061bf791b6e04c4579a61bf002d3 | N | | |
| OPENAM-6518 | High | a855e517bd04431252ed47dbbf2875d1d3ce7aaf | Y | Y | |
| OPENAM-7063 | High | 4e722da7d7f08efee88f34533f20f63671572b28 | N | | |
| OPENAM-7439 | High | 3b9ddb3b45c7f1cf575932bfcac2df50f3172f1a | N | | |
| OPENAM-7958 | High | 4606d704b4d70c70b99c9a1e256605a5a4ddc5cc | N | | |
| OPENAM-7395 | High | 4bec808ce266fd8d84d8d25c03443cfbbdc1ae9c | Y | Y | |
| OPENAM-7125 | High | No Fix Found | | | |
| OPENAM-7583 | High | d5c30071dde7082146312ecbc62914d4d1df7532 | N | | |
| OPENAM-8106 | High | 365156d5428edc07eae024879829e586bbaf9d42 | N | | |
| | | d5a35ee0e81c6fb618b79309f71177dc876cbd65 | N | | |
| OPENAM-6562 | Medium | ac9cc9143d8f2515dc9efcebc9cd03ca293f3e18 | N | | |
| OPENAM-5659 | Medium | No Fix Found | | | |
| OPENAM-6768 | Medium | a6671bb31e69479d4849334f8a687de88657ad7d | N | | |
| OPENAM-7362 | Medium | 317ee9bc7d39703e48cc926c8ec4559c3b9b5393 | N | | |
| OPENAM-7924 | Medium | 8c29fe8308286141aa94d1f0e0edfa1ad8048594 | Y | Y | |
| OPENAM-7925 | Medium | 8c29fe8308286141aa94d1f0e0edfa1ad8048594 | Y | Y | |
| OPENAM-5392 | Low | 1f2a4423f81a4223af1cd9b3f9581dad542cb10c | Y | Y | |
| OPENAM-8596 | Critical | 26f86a953e29122e06559096d9ec6afa8c54e4a9 | N | | |
| | | ab6d28854125036ed9a07160d949b7dc42417d91 | N | | |
| OPENAM-4743 | High | 10ad2cc71bcbcdc5afba9dace7f333cbf8674e28 | Y | N | Diamond Operator - Requires source 1.7 |
| | | 2d67169e22329c8d5b4ac2bcfc79009ec4e371fd | Y | N | With source 1.7: `/apps/was/jenkins/workspace/Compile_OpenAM_CE/OpenAM/openam-console/src/main/java/com/sun/identity/console/idm/EntityOpViewBeanBase.java:[231,18] no suitable method found for error(java.lang.String,java.lang.String,java.lang.String)` |
| OPENAM-8737 | High | 104e7c9f5d805acc02ba1a2805016e33adeef1c5 | Y | Y | |
| OPENAM-8643 | High | d08466f8cb67b699ebcfb6052b348f7b7fc5c00b | N | | |
| OPENAM-8321 | Medium | 3bd5959f745c83a5e8b8df92b2fa7bccf5a8fcc1 | N | | |
| | | 08b32825ad6205ec858e350346df8ce59803da6c | N | | |
| OPENAM-8258 | Medium | 1206767106b87929474ea6ce0f427b4b7cc2a5f4 | N | | |
| | | c757a6cc9f2b643d0675bc85bd648964ac012eb6 | N | | |
| OPENAM-9389 | Critical | 29ae5417b1417103a811052dfc12f28cd23d6f3c | Y | N | Cannot find variable HMAC_SIGNING_KEY - requires below commit |
| | | c60c5bb51b7a07a62eda0910ae9774bfe49bd003 | N | | |
| OPENAM-7938 | High | c9ba1a8f3afcf43e26fe5b062ac652b347b283fb | N | | |
| OPENAM-8575 | High | 4f04731207681973251c52436f07118e7c325e88 | N | | |
| OPENAM-8951 | High | 440cd3103e8d5b3bb64e8a3d3e54b03ede9f9801 | N | | |
| OPENAM-9216 | High | 7bed76a091ac06e51ede059942f9ebc9d9a3166a | N | | |
| OPENAM-8248 | Low | a6f2ce2d0786fa90fac4d6a6cbd83a19d3573593 | N | | |
| OPENAM-8249 | Low | 780c922759d81da1184f793001c0f73691e033f4 | Y | Y | |
| | | d95fb8f7f3c2c107e1537d77109e357352be8917 | Y | Y | |
| OPENAM-9479 | High | No Fix Found | | | |

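The triage described above (cherry-pick each upstream fix onto the community-edition branch, note whether it applies cleanly and whether the tree still compiles) can be scripted so the table is regenerated rather than filled in by hand. This is an added example, not code from the issue or the OpenAM project; it assumes you run it from the repo root on a clean CE checkout with the upstream fix commits already fetched, Maven on PATH, and a constructed `FIXES` file with one `<OPENAM-id> <severity> <hash>` line per commit.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or OpenAM): trial-apply each upstream fix
# commit to a community-edition checkout and record whether it applies cleanly
# and whether the tree compiles afterwards.
# Assumptions: repo root of the CE branch, clean working tree, fix commits
# fetched, Maven on PATH, and a constructed FIXES file of
# "<OPENAM-id> <severity> <hash>" lines.
set -u

# Cherry-pick one commit without committing, try to compile, then restore the
# branch. Prints "<applies> <compiles>" as Y/N so the caller can record it.
triage_commit() {
  local hash="$1" applies=N compiles=N
  if git cherry-pick --no-commit "$hash" >/dev/null 2>&1; then
    applies=Y
    mvn -q -DskipTests compile >/dev/null 2>&1 && compiles=Y
  fi
  # Abort a conflicted pick if one is in progress, then drop leftover changes.
  git cherry-pick --abort >/dev/null 2>&1 || true
  git reset --hard -q HEAD
  printf '%s %s\n' "$applies" "$compiles"
}

# Render one row in the same markdown table layout used in the issue.
format_row() {
  local id="$1" sev="$2" hash="$3" applies="$4" compiles="$5" note="${6:-}"
  printf '| %s | %s | %s | %s | %s | %s |\n' \
    "$id" "$sev" "$hash" "$applies" "$compiles" "$note"
}

# Work through the FIXES list and emit a markdown table on stdout.
triage_all() {
  local fixes="${1:-FIXES}" id sev hash result
  printf '| ID | Severity | Git Hash | Applies | Compiles | Issue |\n'
  printf '|---|---|---|---|---|---|\n'
  while read -r id sev hash; do
    [ -n "$hash" ] || continue        # skip blank or incomplete lines
    result=$(triage_commit "$hash")
    format_row "$id" "$sev" "$hash" "${result% *}" "${result#* }"
  done < "$fixes"
}

# Only run the triage when invoked as "triage.sh run [FIXES-file]"; sourcing the
# file just defines the functions.
case "${1:-}" in
  run) triage_all "${2:-FIXES}" ;;
esac
```

Commits that apply but fail to compile (like OPENAM-4743 and OPENAM-9389 in the table) still show up as `Y | N`; the compiler error itself has to be read from a manual run, as the script only records the exit status.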
FireBurn commented 6 years ago

So we're now down to:

| ID | Severity | Workaround | Git Hash | Applies | Compiles | Issue |
|---|---|---|---|---|---|---|
| OPENAM-7125 | High | NA - One realm or protect end points | No Fix Found | | | |
| OPENAM-7583 | High | NA - No configured email server | d5c30071dde7082146312ecbc62914d4d1df7532 | Y | Y | Unfortunately this isn't really a fix. On 13.0.0 applying this patch was kind of okay, because there is a newer version of selfservice since 13.0.0. In this version, there is only this version of the selfservice endpoints, hence creating a setting to enable/disable it feels inappropriate and doesn't actually protect from the underlying security issue. Files touched: `openam-core-rest/src/main/java/org/forgerock/openam/core/rest/IdentityResourceV2.java`, `openam-forgerock-rest/src/main/java/org/forgerock/openam/forgerockrest/IdentityResource.java`, `openam-rest/src/main/java/org/forgerock/openam/services/RestSecurity.java`, `openam-forgerock-rest/src/main/java/org/forgerock/openam/services/RestSecurity.java`, `openam-rest/src/main/resources/RestSecurity.properties`, `openam-forgerock-rest/src/main/resources/RestSecurity.properties`, `openam-rest/src/main/resources/RestSecurity.xml`, `openam-forgerock-rest/src/main/resources/RestSecurity.xml` |
| OPENAM-5659 | Medium | NA - have protocol scheme defined | No Fix Found | | | Based on OPENAM-1974. [15:28] more like the packages associated with it, and anything on their ancestry path [15:29] they are pretty self-contained components [15:29] so prefixresourcename, urlresourcename and httpurlresourcename [15:29] along with `base*` classes [15:29] it still won't be an easy backport [15:29] but the tests will help you greatly |
| OPENAM-8596 | Critical | Easy - protect end points | 26f86a953e29122e06559096d9ec6afa8c54e4a9 | N | | Patch points to different files |
| | | Same | ab6d28854125036ed9a07160d949b7dc42417d91 | N | | |
| OPENAM-9389 | Critical | Med - Disable Persistent Cookie auth | 29ae5417b1417103a811052dfc12f28cd23d6f3c | Y | N | Cannot find variable HMAC_SIGNING_KEY - requires below commit |
| | | Med - Disable Persistent Cookie auth | c60c5bb51b7a07a62eda0910ae9774bfe49bd003 | N | | |
| OPENAM-8575 | High | NA - We don't use OAuth2 | 4f04731207681973251c52436f07118e7c325e88 | N | | All files don't exist - is this required? |