What's New in 2020.6.3

Patch Bundle Releases

ForgeRock patch bundle releases contain a collection of fixes and minor RFEs that have been grouped together and released as part of our commitment to support our customers. For general information on ForgeRock's maintenance and patch releases, see Maintenance and Patch Availability Policy.

Autonomous Identity 2020.6.3
  • Autonomous Identity 2020.6.3 is the latest patch bundle release targeted for Autonomous Identity 2020.6.x deployments. To view a list of fixes in this release, see Key Fixes.

    Important

    There is no upgrade process for this patch bundle release. Deployers must run a clean install for this version.

New Features in 2020.6.3
  • JMX Authentication for Cassandra. ForgeRock now provides a configuration script to set up JMX authentication for Cassandra. To obtain the tar file, contact ForgeRock. For setup procedures, see Accessing Log Files.
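The script referred to above is obtained from ForgeRock and is not reproduced here. What any such script has to produce on a Cassandra node is the standard JDK remote-JMX setup: a password file, an access file, and the `-Dcom.sun.management.jmxremote.*` options in cassandra-env.sh. The following is an added example written for this page, not ForgeRock's script; the conf directory, role names, passwords and port are placeholders, and it assumes cassandra-env.sh is the file that sets `JVM_OPTS` on the node.

```shell
#!/bin/sh
# Added example, not ForgeRock's configuration script: the standard Cassandra
# JMX authentication setup that such a script has to produce. Assumptions:
# $1 is the node's conf directory (e.g. /etc/cassandra) containing
# cassandra-env.sh; role names, passwords and the port are placeholders.
set -eu

# Write the JDK-format credential files the JVM consults when
# -Dcom.sun.management.jmxremote.authenticate=true is set:
#   jmxremote.password : "<role> <password>" per line
#   jmxremote.access   : "<role> readonly|readwrite" per line
write_jmx_auth_files() {
  conf="$1"; monitor_pw="$2"; control_pw="$3"
  # Create with no group/other bits (the subshell keeps the umask change local),
  # then lock to 0400: the JVM refuses to start the JMX connector if the
  # password file is readable by anyone but its owner.
  (umask 077
   printf 'monitorRole %s\ncontrolRole %s\n' "$monitor_pw" "$control_pw" > "$conf/jmxremote.password"
   printf 'monitorRole readonly\ncontrolRole readwrite\n' > "$conf/jmxremote.access")
  chmod 0400 "$conf/jmxremote.password" "$conf/jmxremote.access"
}

# Append the JVM options that expose JMX on $port with authentication on.
# If the shipped cassandra-env.sh already sets these in its LOCAL_JMX block,
# edit that block instead of appending duplicates.
write_jmx_env() {
  conf="$1"; port="${2:-7199}"
  cat >> "$conf/cassandra-env.sh" <<EOF
# --- JMX authentication (added) ---
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.port=$port"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.rmi.port=$port"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=$conf/jmxremote.password"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=$conf/jmxremote.access"
# ssl=false means credentials cross the wire in clear text: keep port $port
# restricted to the admin network, or add a keystore and set ssl=true.
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=false"
EOF
}

# Post-check: both credential files exist with mode exactly 0400 and
# cassandra-env.sh turns authentication on. Prints "ok" and returns 0 on success.
check_jmx_auth() {
  conf="$1"
  for f in jmxremote.password jmxremote.access; do
    [ -n "$(find "$conf/$f" -perm 0400 2>/dev/null)" ] \
      || { echo "missing or wrong mode (want 0400): $f"; return 1; }
  done
  grep -q 'jmxremote.authenticate=true' "$conf/cassandra-env.sh" \
    || { echo "jmxremote.authenticate=true not set in cassandra-env.sh"; return 1; }
  echo ok
}

# Usage: sh jmx_auth.sh setup /etc/cassandra '<monitor-pw>' '<control-pw>' [port]
#        sh jmx_auth.sh check /etc/cassandra
case "${1:-}" in
  setup) write_jmx_auth_files "$2" "$3" "$4"; write_jmx_env "$2" "${5:-7199}" ;;
  check) check_jmx_auth "$2" ;;
esac
```

After restarting the node, `nodetool status` without credentials should be refused and `nodetool -u controlRole -pw '<control-pw>' status` should succeed; if the connector does not come up at all, the usual cause is a password file that is still group- or world-readable, which the `check` mode above reports.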

Security Advisory

ForgeRock's security scan of the Autonomous Identity 2020.6.0 code flagged the package versions listed below. As of the initial release, ForgeRock assesses that none of these findings is exploitable in Autonomous Identity as deployed; the reasoning for each image is summarized in Table 1.

These packages will be updated in upcoming releases, and future security advisories will note the changes.

Table 1: Security

Image name: deployer
Packages with known vulnerabilities: ansible-2.9.6, pycrypto-2.6.1
Description: These packages are used only during the deployment phase by the deployer. They are not used at runtime by the Autonomous Identity application.

Image name: analytics
Packages with known vulnerabilities: log4j-1.2.17.jar, netty-all-4.0.33.Final.jar, commons-beanutils-1.9.3.jar, netty-codec-http-4.0.33.Final.jar
Description: The analytics pipeline runs in a protected environment: the analytics container is reachable only by users who already have system-level access to the node on which it is deployed. The analytics image contains the packages needed to submit Spark jobs. No known vulnerability is reported for the Spark 2.4.4 distribution. The analytics image scan report can be cross-validated against the list of known vulnerabilities in Spark 2.4.4; see Apache Spark Reporting Security Issues.

Image name: openldap
Packages with known vulnerabilities: libpcre3-2:8.39-12, dpkg-1.19.7, perl-5.28.1-6, libxml2-2.9.4+dfsg1-7+b3, libperl5.28-5.28.1-6, perl-modules-5.28-5.28.1-6, perl-base-5.28.1-6
Description: OS-level vulnerabilities. The container is used only by system administrators and can only be accessed locally. There is no proven vulnerability in the openldap application itself. These packages will be upgraded to the latest secure versions in an upcoming release.

Image name: configuration-service
Packages with known vulnerabilities: lodash-4.17.15, cookie-0.3.1
Description: lodash-4.17.15 was the latest published version when the scan was run, and the application does not call the affected function, zipObjectDeep. The application is not affected by the vulnerability in cookie-0.3.1 because it does not use the cookie max-age functionality. These packages will be upgraded to the latest secure versions in an upcoming release.

Image name: phpldapadmin
Packages with known vulnerabilities: libpcre3-2:8.39-12, dpkg-1.19.7, perl-5.28.1-6, libxml2-2.9.4+dfsg1-7+b3, libperl5.28-5.28.1-6, perl-modules-5.28-5.28.1-6, perl-base-5.28.1-6
Description: OS-level vulnerabilities. The container is used only by system administrators and can only be accessed locally. There is no proven vulnerability in the phpldapadmin application itself. These packages will be upgraded to the latest secure versions in an upcoming release.

Image name: zoran-api
Packages with known vulnerabilities: lodash-4.17.15, cookie-0.3.1
Description: lodash-4.17.15 was the latest published version when the scan was run, and the application does not call the affected function, zipObjectDeep. The application is not affected by the vulnerability in cookie-0.3.1 because it does not use the cookie max-age functionality. These packages will be upgraded to the latest secure versions in an upcoming release.
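The configuration-service and zoran-api entries both rest on the same argument: the flagged lodash function (zipObjectDeep) and the cookie max-age option are never called from application code, so the vulnerable code path is unreachable. That is a claim a deployer can re-check after each patch bundle. The following is an added example written for this page, not ForgeRock code, that runs the check against an unpacked image filesystem or source tree; it assumes Node packages sit under `<root>/node_modules`, that application code is the `.js`/`.mjs`/`.ts` files outside `node_modules`, and that the cookie option appears literally as `maxAge:` in an options object.

```shell
#!/bin/sh
# Added example, not ForgeRock code: re-check the "vulnerable function is not
# called" reasoning behind the lodash/cookie entries against an unpacked image
# root. Assumptions: packages under <root>/node_modules, application code is
# .js/.mjs/.ts outside node_modules, cookie option written as "maxAge:".
set -eu

# Version of a package installed under <root>/node_modules, or "missing".
installed_version() {
  pkg_json="$1/node_modules/$2/package.json"
  [ -f "$pkg_json" ] || { echo missing; return 0; }
  sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg_json" | head -n 1
}

# Number of lines in application code under <root> matching an ERE, with
# node_modules pruned: the library that defines a function is not a caller of it.
app_code_matches() {
  root="$1"; regex="$2"
  find "$root" -path '*/node_modules' -prune -o -type f \
       \( -name '*.js' -o -name '*.mjs' -o -name '*.ts' \) \
       -exec grep -n -E "$regex" {} + 2>/dev/null | wc -l | tr -d ' '
}

# Call sites of a function: "name(" not preceded by an identifier character,
# so both "_.zipObjectDeep(" and a destructured "zipObjectDeep(" are counted.
call_sites() { app_code_matches "$1" "(^|[^[:alnum:]_])$2[[:space:]]*\("; }

# Option sites: "maxAge:" inside an options object, e.g. passed to cookie.serialize().
option_sites() { app_code_matches "$1" "(^|[^[:alnum:]_])$2[[:space:]]*:"; }

# One image root in, a short report out. Returns 1 if either "unused" feature
# is in fact used, i.e. the advisory's reasoning no longer holds for that image.
audit_node_image() {
  root="$1"; rc=0
  echo "lodash $(installed_version "$root" lodash), cookie $(installed_version "$root" cookie)"
  n=$(call_sites "$root" zipObjectDeep); echo "zipObjectDeep call sites: $n"
  [ "$n" = "0" ] || rc=1
  n=$(option_sites "$root" maxAge);      echo "maxAge option sites: $n"
  [ "$n" = "0" ] || rc=1
  return $rc
}

# Usage: sh audit_node_image.sh <root>
[ $# -eq 0 ] || audit_node_image "$1"
```

To obtain `<root>` from a built image, export its filesystem, for example `docker export "$(docker create <image>)" | tar -x -C root`, and point the script at the directory that holds the application's `node_modules`. The check is pattern-based, not a call graph: an aliased import or a property access built at runtime will not be matched, so a non-zero count is a finding to investigate, while a zero count supports the advisory's claim without proving it.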

