IDM Security Advisory #202206
ForgeRock has discovered a security vulnerability in the LDAP connector included in supported versions of IDM and the Java Remote Connector Server (RCS) products.
September 13, 2022
ForgeRock has discovered one Critical-level security vulnerability present in the LDAP connector included in supported versions of IDM and the Java Remote Connector Server (RCS) products.
This advisory provides guidance on how to ensure your deployments are properly secured. The recommendation is to update the LDAP connector to version 1.5.20.9.
Identity Cloud customers
The LDAP connector is not included with ForgeRock Identity Cloud. However, if a customer runs the Java Remote Connector Server (RCS) in their environment, the LDAP connector deployed to that RCS needs to be updated to version 1.5.20.9 or later.
Issue #202206-01 Broken Access Control
Affected versions | All connector versions prior to 1.5.20.9 |
---|---|
Fixed versions | 1.5.20.9 |
Component | LDAP connector |
Severity | Critical |
Vulnerability | CVE-2022-0143 |
Description:
When the LDAP connector is started with StartTLS enabled ("startTLS": true in the connector configuration), access to the connector is granted without authentication.
Workaround:
Disable the optional StartTLS feature in the LDAP connector. Note that with StartTLS disabled, traffic between the connector and the LDAP server is unencrypted; mitigate this by connecting over LDAPS instead, that is, set "ssl": true and "startTLS": false in the connector configuration. See Configure the LDAP connector to use SSL and StartTLS for further information.
However, upgrading the LDAP connector is still the recommended solution.
Resolution:
Upgrade to LDAP connector version 1.5.20.9 or later. This can be done independently of the IDM or RCS versions currently installed.
You can download the latest connectors from Backstage.
See How do I upgrade the Java Remote Connector Server (RCS) for Identity Cloud and IDM? for instructions on upgrading the RCS.
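As an added check that is not part of this advisory or of any ForgeRock tooling, the Python below audits a deployment against both the workaround and the resolution: it flags ldap-connector jars in the connectors directory that are older than 1.5.20.9, and flags provisioner files whose LDAP connector still has "startTLS": true (reporting "ssl": true / "startTLS": false as the LDAPS workaround). It assumes the standard IDM provisioner layout (connectorRef.connectorName and configurationProperties in provisioner.openicf-*.json) and bundle jars named ldap-connector-<version>.jar; the sample configurations and directory listing are constructed for the example, not taken from any real deployment.

```python
"""Audit checks for IDM Security Advisory #202206 (CVE-2022-0143).

  1. Is any installed ldap-connector bundle older than the fixed version 1.5.20.9?
  2. Does any LDAP provisioner configuration still enable StartTLS, the feature the
     advisory says to disable (or replace with LDAPS) until the connector is upgraded?
"""
import json
import re

FIXED_VERSION = (1, 5, 20, 9)
LDAP_CONNECTOR_NAME = "org.identityconnectors.ldap.LdapConnector"
# Assumed layout: bundle jars are named ldap-connector-<version>.jar in the connectors directory
JAR_PATTERN = re.compile(r"^ldap-connector-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.5.20.9' -> (1, 5, 20, 9). Tuples compare numerically per component,
    so 1.5.20.10 sorts after 1.5.20.9 (a plain string compare would get this wrong)."""
    return tuple(int(part) for part in text.split("."))


def connector_jar_is_vulnerable(jar_name):
    """True if jar_name is an ldap-connector bundle older than 1.5.20.9,
    False if it is 1.5.20.9 or later, None if it is not an ldap-connector jar."""
    match = JAR_PATTERN.match(jar_name)
    if not match:
        return None
    return parse_version(match.group(1)) < FIXED_VERSION


def audit_provisioner(config):
    """Classify one parsed provisioner.openicf-*.json document.

    'not-ldap'  - a different connector, out of scope for this advisory
    'starttls'  - startTLS enabled: affected until the connector is upgraded
    'ldaps'     - ssl true, startTLS false: the advisory's interim workaround
    'cleartext' - neither option set: not affected by this issue, but unencrypted
    """
    connector_name = config.get("connectorRef", {}).get("connectorName", "")
    if connector_name != LDAP_CONNECTOR_NAME:
        return "not-ldap"
    props = config.get("configurationProperties", {})
    # Tolerate "true"/"false" strings that templating sometimes leaves in place of booleans
    start_tls = str(props.get("startTLS", False)).lower() == "true"
    ssl = str(props.get("ssl", False)).lower() == "true"
    if start_tls:
        return "starttls"
    return "ldaps" if ssl else "cleartext"


def audit_deployment(provisioners, jar_names):
    """provisioners: {file name: parsed JSON}; jar_names: connectors directory listing.
    Returns one actionable finding string per problem found."""
    findings = []
    for jar in jar_names:
        if connector_jar_is_vulnerable(jar):
            findings.append(f"{jar}: older than 1.5.20.9, upgrade the LDAP connector")
    for file_name, config in provisioners.items():
        verdict = audit_provisioner(config)
        if verdict == "starttls":
            findings.append(f"{file_name}: startTLS enabled; set ssl true / startTLS false, "
                            "or upgrade the connector")
        elif verdict == "cleartext":
            findings.append(f"{file_name}: no TLS configured; use LDAPS (ssl true)")
    return findings


def _ldap_provisioner(ssl, start_tls):
    """Build a constructed sample provisioner document (not from a real deployment)."""
    return json.loads(f"""{{
      "connectorRef": {{
        "connectorHostRef": "#LOCAL",
        "connectorName": "{LDAP_CONNECTOR_NAME}",
        "bundleName": "org.forgerock.openicf.connectors.ldap-connector",
        "bundleVersion": "[1.4.0.0,1.6.0.0)"
      }},
      "configurationProperties": {{
        "host": "ldap.example.com",
        "port": {636 if ssl else 389},
        "ssl": {str(ssl).lower()},
        "startTLS": {str(start_tls).lower()},
        "principal": "uid=admin",
        "credentials": "changeit"
      }}
    }}""")


# Constructed sample deployment: one StartTLS (affected) and one LDAPS (workaround) connector,
# a non-LDAP provisioner, and a connectors directory holding a pre-fix ldap-connector jar.
SAMPLE_PROVISIONERS = {
    "provisioner.openicf-ldap-starttls.json": _ldap_provisioner(ssl=False, start_tls=True),
    "provisioner.openicf-ldap-ldaps.json": _ldap_provisioner(ssl=True, start_tls=False),
    "provisioner.openicf-csv.json": {
        "connectorRef": {"connectorName": "org.forgerock.openicf.csvfile.CSVFileConnector"},
        "configurationProperties": {"csvFile": "&{idm.instance.dir}/data/hr.csv"},
    },
}
SAMPLE_JARS = ["ldap-connector-1.5.20.8.jar", "csvfile-connector-1.5.20.11.jar"]

if __name__ == "__main__":
    for finding in audit_deployment(SAMPLE_PROVISIONERS, SAMPLE_JARS):
        print(finding)
```

Run against the constructed sample it reports two findings: the 1.5.20.8 jar needs upgrading, and the StartTLS provisioner needs to be switched to LDAPS or wait for that upgrade. The version comparison is done on integer tuples deliberately; comparing "1.5.20.10" to "1.5.20.9" as strings would wrongly mark a fixed connector as vulnerable.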
Change Log
The following table tracks changes to the security advisory:
Date | Description |
---|---|
September 28, 2022 | Fixed broken doc link |
September 20, 2022 | Added CVE and suggestion to use LDAPS |
September 13, 2022 | Initial release |