#VU41105 Input validation error in OpenAM - CVE-2014-7246

Cybersecurity Help s.r.o.

Published: 2014-11-14 | Updated: 2020-08-09

Vulnerability identifier: #VU41105

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-7246

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenAM
Server applications / Remote management servers, RDP, SSH

Vendor: OpenAM Consortium

Description

The vulnerability allows a remote #AU# to perform service disruption.

The Core Server in OpenAM 9.5.3 through 9.5.5, 10.0.0 through 10.0.2, 10.1.0-Xpress, and 11.0.0 through 11.0.2, when deployed on a multi-server network, allows remote authenticated users to cause a denial of service (infinite loop) via a crafted cookie in a request.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenAM: 9.5.3 - 11.0.2

External links
https://jvn.jp/en/jp/JVN65559247/index.html
https://jvndb.jvn.jp/jvndb/JVNDB-2014-000129
https://sources.forgerock.org/changelog/openam/?cs=11248
https://forgerock.org/2014/11/openam-security-advisory-201404/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Input validation error in OpenAM