Security issues have been discovered in OpenAM. They affect OpenAM versions 9.0 through 9.5.4 and 10.0.0, as well as earlier releases shipped under other names, such as OpenSSO. A straightforward workaround is available for all deployments.
Full details of the identified vulnerabilities and workarounds are available at: http://www.forgerock.org/security_advisory.html
These issues are rated as Critical. Where security precautions have already been taken, such as not running OpenAM as the root user (on Unix-like operating systems) or following the Security Best Practices, the risk is reduced, but this should still be treated as a serious issue requiring immediate attention.
ForgeRock has fixed these vulnerabilities in the project trunk, and the fixes are included in today's nightly build. We are working to provide updates (9.5.5 and 10.0.1) or patches for OpenAM and will post details in the Security Advisory notice linked above as soon as they are available.