CVE-2024-41667

8.8 HIGH

📋 TL;DR

CVE-2024-41667 is a template injection vulnerability in the OAuth2 provider settings of OpenAM that allows an attacker who can manipulate the CustomLoginUrlTemplate parameter to execute arbitrary code on the affected system. OpenAM versions 15.0.3 and earlier are affected. A successful exploit gives the attacker unauthorized access and can compromise the entire OpenAM deployment.

💻 Affected Systems

Products:
  • OpenAM
Versions: 15.0.3 and prior
Operating Systems: All platforms running OpenAM
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using OAuth2 provider with custom login URL templates are affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Authentication bypass, session hijacking, and unauthorized access to protected resources and user data.

🟢 If Mitigated: Limited impact with proper input validation and template sandboxing in place.

🌐 Internet-Facing: HIGH - OpenAM is typically internet-facing for authentication services, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal deployments are still vulnerable but have reduced attack surface compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to modify OAuth2 provider settings, which typically requires administrative privileges or another vulnerability to reach the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.0.4

Vendor Advisory: https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-7726-43hg-m23v

Restart Required: Yes

Instructions:

  1. Back up the current OpenAM configuration.
  2. Download OpenAM 15.0.4 from the official repository.
  3. Stop the OpenAM service.
  4. Deploy the new version.
  5. Restart the OpenAM service.
  6. Verify functionality.

🔧 Temporary Workarounds

Disable Custom Login URL Templates

Platform: all

Remove or restrict the CustomLoginUrlTemplate parameter in OAuth2 provider settings

# Edit OpenAM configuration to remove custom login URL templates
# Check configuration files for 'CustomLoginUrlTemplate' settings

Restrict Administrative Access

Platform: all

Limit access to OAuth2 provider configuration endpoints

# Configure firewall rules to restrict access to OpenAM admin interfaces
# Implement IP whitelisting for administrative functions

🧯 If You Can't Patch

  • Implement network segmentation to isolate OpenAM from critical systems
  • Enable detailed logging and monitoring for template injection attempts

🔍 How to Verify

Check if Vulnerable:

Check the OpenAM version and verify whether a CustomLoginUrlTemplate is configured in the OAuth2 provider settings.

Check Version:

# For Linux: cat /path/to/openam/version.txt or check web interface

Verify Fix Applied:

Verify that the OpenAM version is 15.0.4 or later and confirm that FreeMarker's TemplateClassResolver.SAFER_RESOLVER is in use for template processing.

📡 Detection & Monitoring

Log Indicators:

  • Unusual template processing errors
  • Suspicious modifications to OAuth2 provider settings
  • FreeMarker template execution anomalies

Network Indicators:

  • Unexpected requests to OAuth2 configuration endpoints
  • Unusual payloads containing template syntax

SIEM Query:

source="openam" AND ("CustomLoginUrlTemplate" OR "FreeMarker" OR "template injection")
