
Single Sign-On for Java Product Notification

Critical Alerts

One Identity Support Critical Product Notification
Single Sign-On for Java all editions


A security vulnerability in Kerberos handling has been discovered, and a patch has been made available. The vulnerability made a replay attack possible and allowed a Kerberos application request to be used outside its expiration time.

How does this critical product notification affect users of Single Sign-On for Java?

Not all implementations of Single Sign-On for Java are impacted by this security vulnerability. Because the vulnerability affects server code, not client code, you are not impacted if you are using Single Sign-On for Java to act as a Kerberos / GSSAPI / SPNEGO client.

Also, if you are using Single Sign-On for Java for SPNEGO authentication of HTTPS clients and have not set 'idm.allowUnsecured=true' (Set in, then HTTPS natively provides transport-layer protection against replay attacks.

This critical product notification is relevant if you utilize Kerberized services such as code that calls the org.ietf.jgss.GSSContext.acceptSecContext methods and uses Single Sign-On as its Java GSSAPI provider.
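
The kind of acceptor-side checks that guard against the two conditions named in this notification (a replayed application request, and a request used past its expiration), shown as an added Java illustration. This is not One Identity's code or the patch; the class, the record fields and the five-minute skew are assumptions made for the example, and the sample request is constructed.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Illustrative acceptor-side checks; every name here is hypothetical. */
public class ApReqReplayGuard {
    // Constructed stand-in for fields a server reads from a decrypted application request.
    record ApReq(String client, Instant ctime, int cusec, Instant ticketEnd) {}

    enum Verdict { ACCEPT, TICKET_EXPIRED, SKEW, REPLAY }

    private final Duration maxSkew;
    private final Map<String, Instant> seen = new ConcurrentHashMap<>();

    ApReqReplayGuard(Duration maxSkew) { this.maxSkew = maxSkew; }

    Verdict check(ApReq req, Instant now) {
        // 1. The ticket must not be used after its end time (plus the allowed skew).
        if (now.isAfter(req.ticketEnd().plus(maxSkew))) return Verdict.TICKET_EXPIRED;
        // 2. The authenticator timestamp must be within the allowed skew of the server clock.
        if (Duration.between(req.ctime(), now).abs().compareTo(maxSkew) > 0) return Verdict.SKEW;
        // 3. Evict entries too old to pass check 2 again, then reject any repeat.
        seen.values().removeIf(t -> t.isBefore(now.minus(maxSkew)));
        String key = req.client() + "|" + req.ctime() + "|" + req.cusec();
        return seen.putIfAbsent(key, req.ctime()) == null ? Verdict.ACCEPT : Verdict.REPLAY;
    }

    public static void main(String[] args) {
        ApReqReplayGuard guard = new ApReqReplayGuard(Duration.ofMinutes(5)); // assumed skew
        Instant t0 = Instant.parse("2020-01-01T12:00:00Z"); // constructed sample time
        Instant end = t0.plus(Duration.ofHours(10));
        ApReq req = new ApReq("alice@EXAMPLE.COM", t0, 123, end);
        // First presentation, then the same request again, then again after the skew window.
        System.out.println(guard.check(req, t0.plusSeconds(1)));
        System.out.println(guard.check(req, t0.plusSeconds(2)));
        System.out.println(guard.check(req, t0.plus(Duration.ofMinutes(6))));
        // A fresh authenticator presented with a ticket that ended an hour earlier.
        Instant lateTime = t0.plus(Duration.ofHours(11));
        System.out.println(guard.check(new ApReq("alice@EXAMPLE.COM", lateTime, 7, end), lateTime));
    }
}
```

Eviction in step 3 is safe only because step 2 already rejects any authenticator older than the skew window, so the two checks depend on each other.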

For further details please review knowledgebase article SOL57176:

Please follow the instructions in the Resolution section of the knowledgebase article to apply the patch.


The issues described in this notification have been addressed by a patch that is immediately available.  Please review knowledgebase article SOL57176 for more specific details and patch download information.

Questions or comments
If you have any questions or comments, please log a case using our Case Management tool or see the Contact Support page for other contact methods available on Support Portal.

Please do not respond directly to this e-mail notification. You can elect to stop receiving product notifications by changing the "Product Notification" setting under Edit User Profile on Support Portal.

Thank You.
One Identity Support