Saturday, November 8, 2014

OpenAM Security Advisory #201404

3 days ago, ForgeRock announced yet another security advisory #201404 - the 4th this year.

Good trend? Bad trend? To me it reads as the OpenAM deployment base having grown: more people are using it for real deployments, and with more eyes, more bugs get found. That's a good thing for the community!

#201404 - Denial of Service vulnerability – CVE-2014-7246
In environments where more than one OpenAM server has been configured, it is possible that an authenticated attacker can construct and send a single request that triggers an infinite loop, occupying one or more instances in the deployment until the affected instances are restarted.

Another thing to note:

The patch bundles are now distributed as .zip files instead of .jar. This better reflects how a patch bundle is meant to be used: unzip it, read the included instructions, and deploy the patched files, which are usually .class files.
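As an added illustration, not code from the advisory or from ForgeRock, here is one careful way to deploy such a bundle onto an exploded OpenAM webapp: back up every original before overwriting it, record the before/after hashes, and refuse to touch anything if a class in the bundle is not already present in the deployment (a sign the bundle was built for a different OpenAM version). It assumes the bundle's .class entries are paths relative to the webapp's WEB-INF/classes directory; the webapp layout, file names and placeholder file contents in run_demo() are constructed for the example.

```python
"""Apply a .zip patch bundle of .class files to an exploded webapp, safely.

Assumption (not from the advisory): .class entries in the bundle are stored as
paths relative to <webapp>/WEB-INF/classes, e.g. com/example/Foo.class.
"""
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def apply_patch_bundle(bundle: Path, webapp: Path, backup_dir: Path) -> dict:
    """Overwrite each .class from the bundle in webapp/WEB-INF/classes.

    Every target is checked before any file is modified: a missing target means
    the deployed version does not match the bundle, so the whole run is aborted.
    Originals are copied to backup_dir for rollback.
    Returns {bundle entry: (sha256 before, sha256 after)}.
    """
    classes_root = webapp / "WEB-INF" / "classes"
    results = {}
    with zipfile.ZipFile(bundle) as zf:
        class_entries = [n for n in zf.namelist() if n.endswith(".class")]
        if not class_entries:
            raise ValueError("bundle has no .class files; follow its instructions instead")
        # Pass 1: validate paths and confirm every target exists (version check).
        for name in class_entries:
            rel = Path(name)
            if rel.is_absolute() or ".." in rel.parts:
                raise ValueError(f"unsafe path in bundle: {name}")
            if not (classes_root / rel).is_file():
                raise FileNotFoundError(f"{name} not in deployed webapp; version mismatch?")
        # Pass 2: back up, overwrite, and record hashes.
        for name in class_entries:
            target = classes_root / name
            backup = backup_dir / name
            backup.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(target, backup)
            before = sha256_file(target)
            target.write_bytes(zf.read(name))
            results[name] = (before, sha256_file(target))
    return results


def run_demo() -> dict:
    """Run apply_patch_bundle against a constructed webapp and two constructed bundles."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        webapp = tmp / "openam"
        pkg = webapp / "WEB-INF" / "classes" / "com" / "example"
        pkg.mkdir(parents=True)
        (pkg / "Foo.class").write_bytes(b"OLD-FOO")  # placeholder bytes, not real bytecode
        (pkg / "Bar.class").write_bytes(b"OLD-BAR")

        # A matching bundle: README plus one patched class.
        good = tmp / "patch-good.zip"
        with zipfile.ZipFile(good, "w") as zf:
            zf.writestr("README.txt", "Stop OpenAM, copy the classes, restart.")
            zf.writestr("com/example/Foo.class", b"NEW-FOO")
        changed = apply_patch_bundle(good, webapp, tmp / "backup")

        # A bundle for some other version: references a class this deployment lacks.
        # It must be rejected before Bar.class (listed first) is modified.
        bad = tmp / "patch-bad.zip"
        with zipfile.ZipFile(bad, "w") as zf:
            zf.writestr("com/example/Bar.class", b"NEW-BAR")
            zf.writestr("com/example/Missing.class", b"NEW-MISSING")
        try:
            apply_patch_bundle(bad, webapp, tmp / "backup2")
            rejected = False
        except FileNotFoundError:
            rejected = True

        foo = changed["com/example/Foo.class"]
        return {
            "patched": sorted(changed),
            "foo_after": (pkg / "Foo.class").read_bytes(),
            "foo_backup": (tmp / "backup" / "com" / "example" / "Foo.class").read_bytes(),
            "hashes_differ": foo[0] != foo[1],
            "bad_bundle_rejected": rejected,
            "bar_after": (pkg / "Bar.class").read_bytes(),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Stop the servlet container before copying and start it again afterwards: a running JVM will not pick up replaced .class files, and the backup directory gives you a rollback path if the patched instance misbehaves. The two-pass structure matters because a patch bundle is built against one specific OpenAM version; checking every target before writing anything means a mismatched bundle leaves the deployment exactly as it was.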

My positive feedback has come true! (See my previous blog post.) :) Well done!

