One Identity Support Critical Product Notification
Single Sign-On for Java all editions
A security vulnerability involving Kerberos has been discovered, and a patch has been made available. The vulnerability made a replay attack possible and allowed a Kerberos application request (AP-REQ) to be accepted outside its expiration time.
How does this critical product notification affect users of Single Sign-On for Java?
Not all deployments of Single Sign-On for Java are impacted by this security vulnerability. Because the vulnerability affects server-side code, not client code, you are not affected if you use Single Sign-On for Java only to act as a Kerberos / GSSAPI / SPNEGO client.
Also, if you are using Single Sign-On for Java for SPNEGO authentication of HTTPS clients and have not set 'idm.allowUnsecured=true' (set in vsj.properties), then HTTPS itself provides transport-layer protection against replay attacks.
This critical product notification is relevant if you provide Kerberized services, that is, code that calls the org.ietf.jgss.GSSContext.acceptSecContext methods and uses Single Sign-On for Java as its Java GSSAPI provider.
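To make the two failure modes above concrete, the following is an added illustration (not One Identity's code and not taken from Single Sign-On for Java) of the checks a Kerberos acceptor performs on each AP-REQ: the service ticket must not have expired, the authenticator must lie within the clock-skew window, and an authenticator already seen within that window is a replay. The ApReq fields, the Acceptor class and the sample requests are constructed for this example.

```python
# Added illustration of acceptor-side replay and expiry checks (constructed
# example, not product code). Field names are simplified for readability.
from dataclasses import dataclass, field

CLOCK_SKEW = 300  # RFC 4120 recommends a maximum clock skew of 5 minutes


@dataclass
class ApReq:
    client: str          # client principal carried in the authenticator
    ctime: int           # authenticator timestamp (epoch seconds)
    cusec: int           # microsecond part of ctime
    ticket_endtime: int  # endtime of the service ticket


@dataclass
class Acceptor:
    seen: dict = field(default_factory=dict)  # replay cache: key -> ctime

    def accept(self, req: ApReq, now: int) -> str:
        """Return 'ok' or the reason the request was rejected."""
        # 1. The service ticket itself must still be valid.
        if now > req.ticket_endtime:
            return "ticket expired"
        # 2. The authenticator must be fresh: outside the skew window it is
        #    either a delayed replay or comes from a badly skewed clock.
        if abs(now - req.ctime) > CLOCK_SKEW:
            return "authenticator outside clock skew"
        # 3. Inside the window, an identical authenticator is a replay.
        key = (req.client, req.ctime, req.cusec)
        if key in self.seen:
            return "replay detected"
        self.seen[key] = req.ctime
        self._prune(now)
        return "ok"

    def _prune(self, now: int) -> None:
        # Entries older than the skew window are already rejected by check 2,
        # so the cache only has to remember one window's worth of entries.
        stale = [k for k, t in self.seen.items() if now - t > CLOCK_SKEW]
        for k in stale:
            del self.seen[k]
```

Skipping check 2 or check 3 is exactly what lets a captured AP-REQ be presented again or long after it should have expired; HTTPS avoids the exposure because the captured token cannot be presented over a different TLS connection.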
For further details, please review knowledgebase article SOL57176:
Please follow the instructions in the Resolution section of the knowledgebase article to apply the patch.
The issues described in this notification have been addressed by a patch that is available now. Please review knowledgebase article SOL57176 for specific details and patch download information.
Please do not respond directly to this e-mail notification. You can elect to stop receiving product notifications by changing the "Product Notification" setting under Edit User Profile on Support Portal.
One Identity Support