What's New in 2020.6.2

Autonomous Identity 2020.6.2 is the latest patch release targeted for Autonomous Identity 2020.6.x deployments. For the latest image, see "Files to Download".

This release provides security and minor fixes in functionality. For more information, see Key Fixes.

Security Advisory

ForgeRock's security scan of the Autonomous Identity 2020.6.0 code identified the following vulnerable packages. These issues are considered harmless as of the initial release of Autonomous Identity. The findings are summarized below.

These packages will be updated in upcoming releases and future security advisories will note these changes.

Table 1: Security

Image name: deployer
Packages with known vulnerabilities: ansible-2.9.6, pycrypto-2.6.1
Description: These packages are used only during the deployment phase by the deployer. They are not used at runtime by the Autonomous Identity application.

Image name: analytics
Packages with known vulnerabilities: log4j-1.2.17.jar, netty-all-4.0.33.Final.jar, commons-beanutils-1.9.3.jar, netty-codec-http-4.0.33.Final.jar
Description: The analytics pipeline runs in a protected environment. The analytics users are protected by system access to the node within the deployed analytics container. The analytics image contains the packages needed to submit Spark jobs. There is no known vulnerability for the Spark 2.4.4 distribution. The analytics image scan report can be cross-validated with the list of known vulnerabilities in Spark 2.4.4; see Apache Spark Reporting Security Issues.

Image name: openldap
Packages with known vulnerabilities: libpcre3-2:8.39-12, dpkg-1.19.7, perl-5.28.1-6, libxml2-2.9.4+dfsg1-7+b3, libperl5.28-5.28.1-6, perl-modules-5.28-5.28.1-6, perl-base-5.28.1-6
Description: OS-level vulnerabilities. Only used by system administrators. This container can only be accessed locally. There is no proven vulnerability for the openldap application. These packages will be upgraded to the latest secure versions in an upcoming release.

Image name: configuration-service
Packages with known vulnerabilities: lodash-4.17.15, cookie-0.3.1
Description: lodash-4.17.15 is the latest version, and the application does not use the vulnerable function, zipObjectDeep. The application is not impacted by the vulnerabilities in cookie-0.3.1 because it does not use the functionality related to cookie max-age. These packages will be upgraded to the latest secure versions in an upcoming release.

Image name: phpldapadmin
Packages with known vulnerabilities: libpcre3-2:8.39-12, dpkg-1.19.7, perl-5.28.1-6, libxml2-2.9.4+dfsg1-7+b3, libperl5.28-5.28.1-6, perl-modules-5.28-5.28.1-6, perl-base-5.28.1-6
Description: OS-level vulnerabilities. Only used by system administrators. This container can only be accessed locally. There is no proven vulnerability for the phpldapadmin application. These packages will be upgraded to the latest secure versions in an upcoming release.

Image name: zoran-api
Packages with known vulnerabilities: lodash-4.17.15, cookie-0.3.1
Description: lodash-4.17.15 is the latest version, and the application does not use the vulnerable function, zipObjectDeep. The application is not impacted by the vulnerabilities in cookie-0.3.1 because it does not use the functionality related to cookie max-age. These packages will be upgraded to the latest secure versions in an upcoming release.
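The rationale in Table 1 applies only to the exact package versions it names. As an added defender's check (this is example code, not part of the advisory or of the Autonomous Identity product), the script below transcribes the application-image rows of the table and reconciles a constructed scan report against them, flagging any finding the documented rationale does not cover; the scan-report fields and the SCAN-nnn ids are assumptions.

```python
import re

# Accepted-risk packages transcribed from Table 1 (image -> labels as the advisory lists them).
# The OS-level rows (openldap, phpldapadmin) are omitted: Debian names such as perl-modules-5.28
# embed a version and should be resolved with the image's package manager, not by string parsing.
ADVISORY_EXCEPTIONS = {
    "deployer": ["ansible-2.9.6", "pycrypto-2.6.1"],
    "analytics": ["log4j-1.2.17.jar", "netty-all-4.0.33.Final.jar",
                  "commons-beanutils-1.9.3.jar", "netty-codec-http-4.0.33.Final.jar"],
    "configuration-service": ["lodash-4.17.15", "cookie-0.3.1"],
    "zoran-api": ["lodash-4.17.15", "cookie-0.3.1"],
}

# Name is the shortest prefix before a "-<digit>" boundary; the version may carry a Debian epoch ("2:").
_PKG_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d+:\S+|\d\S*)$")


def parse_package(label: str) -> tuple:
    """Split an advisory label like 'netty-all-4.0.33.Final.jar' into ('netty-all', '4.0.33.Final')."""
    stem = label[:-4] if label.endswith(".jar") else label
    m = _PKG_RE.match(stem)
    if not m:
        raise ValueError(f"unrecognised package label: {label!r}")
    return m.group("name"), m.group("version")


def exceptions_for(image: str) -> dict:
    """Map package name -> documented version for one image."""
    return dict(parse_package(p) for p in ADVISORY_EXCEPTIONS.get(image, []))


def reconcile(image: str, findings: list) -> tuple:
    """Sort scanner findings into 'accepted' (exact name and version match with the advisory) and
    'unexplained' (no documented exception, or a different version, in which case the documented
    rationale was written for another build and must be re-evaluated)."""
    documented = exceptions_for(image)
    accepted, unexplained = [], []
    for f in findings:
        name, version = f["package"], f["version"]
        if documented.get(name) == version:
            accepted.append(f["id"])
        elif name in documented:
            unexplained.append(f"{f['id']}: {name} {version} (advisory covers {documented[name]})")
        else:
            unexplained.append(f"{f['id']}: {name} {version} (no documented exception)")
    return accepted, unexplained


if __name__ == "__main__":
    # Constructed scan output for the zoran-api image; ids are scanner-local, not CVE numbers.
    sample = [
        {"id": "SCAN-001", "package": "lodash", "version": "4.17.15"},
        {"id": "SCAN-002", "package": "cookie", "version": "0.3.0"},
        {"id": "SCAN-003", "package": "minimist", "version": "1.2.0"},
    ]
    ok, todo = reconcile("zoran-api", sample)
    print("accepted:", ok)
    print("needs review:", *todo, sep="\n  ")
```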
