Security Advisory
ForgeRock Identity Platform
ForgeRock Identity Cloud

IDM Security Advisory #202206

Last updated Sep 28, 2022

ForgeRock has discovered a security vulnerability in the LDAP connector included in supported versions of IDM and the Java Remote Connector Server (RCS) products.


September 13, 2022

ForgeRock has discovered one Critical-level security vulnerability present in the LDAP connector included in supported versions of IDM and the Java Remote Connector Server (RCS) products.

This advisory provides guidance on how to ensure your deployments are properly secured. The recommendation is to update the LDAP connector to version 1.5.20.9.

Identity Cloud customers

The LDAP connector is not included with ForgeRock Identity Cloud. However, if a customer is using the Java Remote Connector Server (RCS) in their environment, the LDAP connector needs to be updated to the latest version.

Issue #202206-01 Broken Access Control

Affected versions: All connector versions prior to 1.5.20.9
Fixed versions: 1.5.20.9
Component: LDAP connector
Severity: Critical
Vulnerability: CVE-2022-0143

Description:

When the LDAP connector is started with StartTLS configured, unauthenticated access is granted.

Workaround:

Disable the optional StartTLS feature in the LDAP connector. Note that with StartTLS disabled, traffic between the connector and the directory is unencrypted unless you use LDAPS instead ("ssl":true, "startTLS":false). See Configure the LDAP connector to use SSL and StartTLS for further information.

However, upgrading the LDAP connector is still the recommended solution.

Resolution:

Upgrade to LDAP connector version 1.5.20.9 or later. This can be done independently of the IDM or RCS versions currently installed.

You can download the latest connectors from Backstage.

See How do I upgrade the Java Remote Connector Server (RCS) for Identity Cloud and IDM? for instructions on upgrading the RCS.
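The following script is an added example, not ForgeRock code, that turns the workaround and resolution above into a repeatable check: it inspects an LDAP connector provisioner configuration for the "startTLS"/"ssl" settings and compares the installed connector bundle version against the fixed version 1.5.20.9. The sample configurations are constructed for this example in the shape of an IDM provisioner.openicf-ldap.json; the jar naming pattern (ldap-connector-<version>.jar), the host name and the version number 1.5.20.0 used as a pre-fix sample are assumptions, not values from the advisory.

```python
"""Audit an IDM/RCS LDAP connector provisioner config against advisory #202206-01.

Added example, not ForgeRock code. It checks the two things the advisory
turns on: whether "startTLS" is enabled, and whether the installed LDAP
connector bundle is older than the fixed version 1.5.20.9.
"""
import re

# Version in which the StartTLS authentication bypass (CVE-2022-0143) is fixed.
FIXED_VERSION = (1, 5, 20, 9)
LDAP_CONNECTOR = "org.identityconnectors.ldap.LdapConnector"

# Constructed sample config in the shape of an IDM provisioner.openicf-ldap.json
# (only the fields the check needs; host and credential value are placeholders).
VULNERABLE_CONFIG = {
    "connectorRef": {
        "bundleName": "org.forgerock.openicf.connectors.ldap-connector",
        "connectorName": LDAP_CONNECTOR,
    },
    "configurationProperties": {
        "host": "ldap.example.internal",
        "port": 389,
        "ssl": False,
        "startTLS": True,  # the setting the advisory says to turn off
        "principal": "cn=Directory Manager",
        "credentials": "<REPLACE_ME>",
    },
}

# Same connector with the advisory's workaround applied: LDAPS instead of StartTLS.
WORKAROUND_CONFIG = {
    "connectorRef": VULNERABLE_CONFIG["connectorRef"],
    "configurationProperties": {
        **VULNERABLE_CONFIG["configurationProperties"],
        "port": 636,
        "ssl": True,
        "startTLS": False,
    },
}


def parse_version(text):
    """Turn '1.5.20.9' into (1, 5, 20, 9) so versions compare numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def installed_version_from_jar(jar_name):
    """Read the bundle version out of a jar name like 'ldap-connector-1.5.20.9.jar'.

    The naming pattern is an assumption about how the bundle is shipped;
    adjust the regex if your connector directory uses another layout.
    Returns None when the name does not match.
    """
    match = re.search(r"ldap-connector-(\d+(?:\.\d+)+)\.jar$", jar_name)
    return parse_version(match.group(1)) if match else None


def assess(config, installed_version):
    """Return findings (strings prefixed CRITICAL/WARN) for one provisioner config.

    installed_version is the tuple for the connector bundle actually deployed
    (None when unknown, which is treated as not yet fixed).
    """
    findings = []
    if config.get("connectorRef", {}).get("connectorName") != LDAP_CONNECTOR:
        return findings  # another connector type; this advisory does not apply
    props = config.get("configurationProperties", {})
    start_tls = bool(props.get("startTLS", False))
    ssl = bool(props.get("ssl", False))
    unfixed = installed_version is None or installed_version < FIXED_VERSION

    if unfixed and start_tls:
        findings.append(
            "CRITICAL: StartTLS enabled on LDAP connector older than 1.5.20.9 "
            "(CVE-2022-0143): upgrade, or set startTLS:false with ssl:true"
        )
    elif unfixed:
        findings.append("WARN: LDAP connector older than 1.5.20.9; upgrade is still recommended")
    if not start_tls and not ssl:
        findings.append("WARN: neither StartTLS nor LDAPS enabled; directory traffic is unencrypted")
    return findings


if __name__ == "__main__":
    # Jar names below are constructed; 1.5.20.0 stands in for any pre-fix build.
    for label, cfg, jar in [
        ("before", VULNERABLE_CONFIG, "ldap-connector-1.5.20.0.jar"),
        ("workaround", WORKAROUND_CONFIG, "ldap-connector-1.5.20.0.jar"),
        ("upgraded", WORKAROUND_CONFIG, "ldap-connector-1.5.20.9.jar"),
    ]:
        print(label, assess(cfg, installed_version_from_jar(jar)) or ["OK"])
```

The check deliberately treats an unknown installed version as unfixed, because a provisioner file alone cannot prove which bundle the RCS or IDM instance actually loaded; the jar on disk is the authoritative source. Applying the workaround clears the Critical finding but keeps a warning until the bundle is at 1.5.20.9 or later, matching the advisory's position that the upgrade remains the recommended fix.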

Change Log

The following table tracks changes to the security advisory:

Date  Description
September 28, 2022 Fixed broken doc link
September 20, 2022 Added CVE and suggestion to use LDAPS
September 13, 2022 Initial release

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.