IDM Security Advisory #202206

September 13, 2022

ForgeRock has discovered one Critical-level security vulnerability present in the LDAP connector included in supported versions of IDM and the Java Remote Connector Server (RCS) products.

This advisory provides guidance on how to ensure your deployments are properly secured. The recommendation is to update the LDAP connector to version 1.5.20.9.

Issue #202206-01 Broken Access Control

Description:

When the LDAP connector is started with StartTLS configured, unauthenticated access is granted.

Workaround:

Disable the optional StartTLS feature in the LDAP connector. Note this will result in unencrypted traffic with the LDAP connector, which can be mitigated by using LDAPS ("ssl":true, "startTLS":false). See Configure the LDAP connector to use SSL and StartTLS for further information.

However, upgrading the LDAP connector is still the recommended solution. 

Resolution:

Upgrade to LDAP connector version 1.5.20.9 or later. This can be done independently of the IDM or RCS versions currently installed. 

You can download the latest connectors from Backstage. 

See How do I upgrade the Java Remote Connector Server (RCS) for Identity Cloud and IDM? for instructions on upgrading the RCS. 

Change Log

The following table tracks changes to the security advisory: