How the Mentioned CVE Works (Liberty Web Services SOAP Receiver Improper Authorization)
This vulnerability resides in OpenAM’s implementation of the Liberty ID-WSF (Identity Web Services Framework) protocol, specifically within the SOAP receiver endpoint responsible for handling Discovery Service requests.
Liberty ID-WSF is a legacy federation stack that has been superseded by modern standards like SAML 2.0, OAuth, and OpenID Connect. Despite being outdated, the Liberty component is exposed in the shipped defaults of OpenAM Community Edition. The core issue is an Improper Authorization flaw (CWE-285).
The Discovery Service allows entities to register and discover services. An unauthenticated remote attacker can send a crafted SOAP message to the Liberty SOAP receiver endpoint. The endpoint accepts these anonymous writes without requiring any authentication or authorization checks. The Discovery handlers then process these requests server-side.
Crucially, these writes are performed using elevated internal privileges — the global Discovery path explicitly uses the internal admin token. This server-side processing bypasses the requester’s LDAP and identity ACLs (Access Control Lists). As a result, the attacker can write persistent entries into the Liberty Discovery store on any user’s LDAP entry and also into a shared root-realm Discovery branch.
The downstream impact depends on whether anything in the deployment consumes this Discovery data. If consumed, manipulated records could influence service routing or security mechanism selection in subsequent requests. This vulnerability affects OpenAM Community Edition through version 16.0.6 and has been patched in version 16.1.1.
DailyCVE Form:
Platform: OpenAM Community Edition
Version: through 16.0.6
Vulnerability: Improper Authorization (CWE-285)
Severity: Medium
Date: 2026-06-24
Prediction: 2026-07-15
What Undercode Say:
Below are analytical commands and code snippets to assess exposure and detect potential exploitation related to this vulnerability.
1. Check Liberty Endpoint Exposure
```shell
# Check if the Liberty SOAP receiver endpoint is accessible
curl -X POST http://<openam-host>:<port>/openam/liberty/soap \
  -H "Content-Type: application/soap+xml" \
  -d '<?xml version="1.0"?><soap:Envelope ...></soap:Envelope>'
# A response other than 401/403 indicates potential exposure
```
2. Audit Liberty Configuration
```shell
# Search for Liberty-related configuration in OpenAM
grep -r "liberty" /path/to/openam/config/
# Look for enabled Liberty services in web.xml
grep -i liberty /path/to/openam/web.xml
```
3. Monitor for Anomalous Discovery Writes
```shell
# Hypothetical LDAP query to check for unexpected Discovery entries
# (the base DN is a placeholder; adjust it to the deployment's Discovery branch)
ldapsearch -x -H ldap://<ldap-host> -b "ou=discovery,dc=openam,dc=com" \
  "(objectClass=*)"
```
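A one-off ldapsearch only shows the current state; what an operator actually wants to know is what changed since the branch was last known to be clean. The following added example (it is not part of the original post, and the DNs, attributes and entry layout in its sample data are constructed, since the real Discovery store schema varies by deployment) parses two LDIF exports of the Discovery branch, such as the output of `ldapsearch -LLL` taken before and after, and reports entries that were added, modified or removed:

```python
"""Baseline comparison of the Liberty Discovery branch.

Added example, not part of the original advisory. It parses two LDIF
exports (e.g. from `ldapsearch -LLL -b "ou=discovery,dc=openam,dc=com"`)
and reports entries that appeared or changed since the baseline. The DNs
and attributes in the sample data are constructed; the real layout of the
Discovery store in a given deployment may differ.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed baseline export taken when the Discovery branch was known good.
BASELINE_LDIF = """\
dn: ou=discovery,dc=openam,dc=com
objectClass: organizationalUnit
ou: discovery

dn: cn=alice-svc,ou=discovery,dc=openam,dc=com
objectClass: top
cn: alice-svc
description: approved discovery entry for alice
"""

# Constructed current export: alice's entry was altered and a new entry appeared.
CURRENT_LDIF = """\
dn: ou=discovery,dc=openam,dc=com
objectClass: organizationalUnit
ou: discovery

dn: cn=alice-svc,ou=discovery,dc=openam,dc=com
objectClass: top
cn: alice-svc
description: resource offering now points
  somewhere else

dn: cn=rogue-svc,ou=discovery,dc=openam,dc=com
objectClass: top
cn: rogue-svc
description: entry nobody registered
"""


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse an LDIF export into {dn: {attribute: [values]}}.

    Supports comment lines, blank-line entry separators and LDIF line
    folding (a continuation line starts with one space). Base64 values
    (``attr:: ...``) are kept as raw text, which is enough for diffing.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    logical.append("")                      # force flush of the last entry

    entries: Dict[str, Entry] = {}
    dn = None
    current: Entry = {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            dn, current = None, {}
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip(": ").strip()
        if attr.lower() == "dn":
            dn = value
        else:
            current.setdefault(attr, []).append(value)
    return entries


def diff_discovery(baseline: str, current: str) -> Dict[str, List[str]]:
    """Return DNs added, modified or removed relative to the baseline."""
    base, cur = parse_ldif(baseline), parse_ldif(current)

    def normalised(entry: Entry) -> Dict[str, List[str]]:
        return {a.lower(): sorted(v) for a, v in entry.items()}

    return {
        "added": sorted(d for d in cur if d not in base),
        "removed": sorted(d for d in base if d not in cur),
        "modified": sorted(
            d for d in cur if d in base and normalised(cur[d]) != normalised(base[d])
        ),
    }


if __name__ == "__main__":
    for kind, dns in diff_discovery(BASELINE_LDIF, CURRENT_LDIF).items():
        for dn in dns:
            print(f"{kind.upper():9} {dn}")
```

Any DN in the "added" or "modified" lists is a candidate for review against the change records of whoever is allowed to register Discovery resource offerings; on a deployment that does not use Liberty at all, the expected result is an empty diff.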
4. Test for the Vulnerability (Proof of Concept)
```python
# Python script to send a crafted Liberty SOAP request
import requests

soap_payload = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ModifyRequest xmlns="urn:liberty:discovery:2003-08">
      <!-- Attacker-controlled Discovery data -->
    </ModifyRequest>
  </soap:Body>
</soap:Envelope>"""

response = requests.post(
    "http://<openam-host>:<port>/openam/liberty/soap",
    data=soap_payload,
    headers={"Content-Type": "application/soap+xml"},
)
print(f"Status: {response.status_code}, Response: {response.text}")
```
Exploit:
An unauthenticated attacker can exploit this vulnerability by sending a crafted SOAP message to the Liberty SOAP receiver endpoint. The steps are as follows:
1. Identify Target: Locate an OpenAM Community Edition instance (version ≤ 16.0.6) with the Liberty Web Services component exposed.
2. Craft SOAP Request: Construct a SOAP envelope containing a `ModifyRequest` or `QueryRequest` for the Liberty Discovery Service, specifying the target user’s LDAP entry or the shared root-realm Discovery branch.
3. Send Unauthenticated Request: Transmit the SOAP message to the `/openam/liberty/soap` endpoint without any authentication credentials.
4. Server-Side Processing: The Discovery handlers process the request server-side using the internal admin token, bypassing normal ACLs.
5. Persistent Write: The attacker’s data is written persistently into the Discovery store.
6. Potential Downstream Impact: If the deployment consumes Liberty Discovery data, the manipulated entries could influence service routing or security mechanism selection in subsequent requests.
Protection:
- Upgrade OpenAM: The primary mitigation is to upgrade to OpenAM Community Edition version 16.1.1 or later, where this issue has been patched.
- Disable Liberty Component: If upgrading is not immediately possible, disable the Liberty Web Services component if it is not actively used in the deployment.
- Network Segmentation: Restrict network access to the Liberty SOAP receiver endpoint (/openam/liberty/soap) to only trusted sources.
- Monitor Logs: Monitor OpenAM logs for unusual SOAP requests to the Liberty endpoint or unexpected modifications to LDAP Discovery entries.
- Review Discovery Data: Regularly audit the Liberty Discovery store for any unauthorized or suspicious entries.
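The "Monitor Logs" item above can be made concrete. The following added example (not part of the original post) runs over constructed access-log lines in combined log format, picks out every POST to the Liberty SOAP receiver path, and separates requests the server rejected (401/403) from ones it accepted, counting accepted requests per source address. The log format, sample addresses and user agents are constructed; a real deployment's Tomcat AccessLogValve or reverse-proxy pattern may order fields differently, so the regular expression is an assumption to adjust.

```python
"""Flag POSTs to the Liberty SOAP receiver in web access logs.

Added example, not part of the original advisory. The sample lines are
constructed in combined log format; a real deployment's Tomcat
AccessLogValve pattern (or reverse-proxy log format) may order fields
differently, so adjust LOG_RE accordingly.
"""
import re
from collections import Counter
from typing import Dict, List

LIBERTY_PATH = "/openam/liberty/soap"

# Constructed sample access-log lines (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [24/Jun/2026:10:01:12 +0000] "POST /openam/liberty/soap HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [24/Jun/2026:10:01:15 +0000] "GET /openam/XUI/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jun/2026:10:01:20 +0000] "POST /openam/liberty/soap HTTP/1.1" 200 498 "-" "python-requests/2.31"
192.0.2.9 - - [24/Jun/2026:10:02:03 +0000] "POST /openam/liberty/soap?x=1 HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.4 - - [24/Jun/2026:10:02:40 +0000] "POST /openam/json/authenticate HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def find_liberty_requests(log_text: str) -> List[Dict[str, str]]:
    """Return every POST to the Liberty SOAP receiver, ignoring the query string."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                       # unparsable line: skip, don't crash
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == LIBERTY_PATH:
            hits.append({k: m[k] for k in ("ip", "ts", "status", "ua")})
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, object]:
    """Split hits into rejected (401/403) and accepted, counting accepted per source IP.

    On a patched or Liberty-disabled instance every hit should be rejected;
    an accepted anonymous POST is what warrants a look at the Discovery store.
    """
    accepted = [h for h in hits if h["status"] not in ("401", "403")]
    return {
        "total": len(hits),
        "accepted": len(accepted),
        "accepted_by_ip": dict(Counter(h["ip"] for h in accepted)),
    }


if __name__ == "__main__":
    found = find_liberty_requests(SAMPLE_ACCESS_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} ua="{h["ua"]}"')
    print(summarize(found))
```

Because Liberty ID-WSF is legacy and rarely used, the simplest effective rule on most deployments is that any POST to this path is noteworthy; the status split then tells the responder whether the instance accepted the request (and so the Discovery store should be audited) or whether the upgrade or disabling of the component is already doing its job.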
Impact:
- Confidentiality: Potential indirect impact if manipulated Discovery data influences security mechanism selection, possibly leading to information disclosure.
- Integrity: Direct impact as an attacker can write persistent, arbitrary entries into the Liberty Discovery store on any user’s LDAP entry and the shared root-realm branch.
- Availability: No direct impact on availability.
- Authentication: Bypass of normal identity-layer access controls.
- Privilege Escalation: The writes are performed with elevated internal privileges server-side, effectively allowing an unauthenticated attacker to perform actions with administrative-level permissions within the Discovery Service context.
- Scope: Affects all OpenAM Community Edition deployments through version 16.0.6 that expose the Liberty Web Services component. The severity of downstream impact varies by deployment and whether Liberty Discovery data is consumed.
Sources:
Reported By: github.com