ForgeRock issues security advisories in collaboration with our customers and the open source community to address security vulnerabilities transparently and rapidly. ForgeRock’s security advisory policy governs how security issues are submitted, received, and evaluated, as well as the timeline for issuing security advisories and patches.
For details of all the security advisories across ForgeRock products, see Security Advisories.
ForgeRock is aware that Autonomous Identity ships with log4j version 1. This library is a dependency of several bundled third-party applications, such as Apache Spark and Apache Livy. We ship the latest versions of those third-party applications that are compatible with Autonomous Identity, and they have not yet updated their log4j dependency. Once they release new versions containing updated libraries, ForgeRock will release Autonomous Identity with the new libraries included, after verifying compatibility with Autonomous Identity functionality.
ForgeRock has analyzed the vulnerable libraries and concluded that Autonomous Identity is not vulnerable based on the architecture of the ForgeRock application.
The following CVEs are identified:
CVE-2021-4104 - Affects Livy
CVE-2019-17571 - Affects JNDI. AutoID does not use JNDI.