IDM Security Advisory #202208
A security vulnerability has been discovered in a dependency present in version 7.2.1 of Identity Management (IDM) as well as versions 1.5.20.8 and 1.5.20.9 of the CSV Connector. The vulnerability is not known to be exploitable in the context of IDM; however, you should still secure your deployments at the earliest opportunity as outlined in this security advisory.
Identity Cloud customers
The CSV connector is not included with ForgeRock Identity Cloud. However, if a customer is using the Java Remote Connector Server (RCS) in their environment, the CSV connector needs to be secured as recommended in this security advisory.
October 27, 2022
A security vulnerability has been discovered in one supported version of IDM as well as separate downloadable components. This vulnerability affects versions 1.5.20.8 and 1.5.20.9 of the CSV connector.
- Version 1.5.20.9 of the CSV connector is included in IDM 7.2.1, so that version is also impacted.
- Versions 1.5.20.8 and 1.5.20.9 of the Java Remote Connector Server (RCS) also include the vulnerable version of the CSV connector, and for that reason, are also impacted.
The vulnerability is in a third-party dependency of the CSV connector, Apache Commons Text version 1.9, tracked as CVE-2022-42889 with a CVSS base score of 9.8. However, it is ForgeRock's belief that the vulnerability has no practical exploitation path within IDM or via the RCS, which reduces its effective severity considerably.
Customers who still wish to take immediate action can do so by upgrading to the latest CSV connector version, 1.5.20.11.
Note
Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.
Issue #202208-01:
Field | Value |
---|---|
Affected versions | IDM 7.2.1; CSV Connector 1.5.20.8 and 1.5.20.9; Java RCS 1.5.20.8 and 1.5.20.9 |
Fixed versions | CSV Connector 1.5.20.11 |
Component | Connector |
Severity | 9.8 (CVSS base score of CVE-2022-42889) |
Description:
The CSV Connector includes a vulnerable third-party library.
Workaround:
Downgrade the CSV Connector to version 1.5.20.2.
The high-level steps to downgrade are:
- Download version 1.5.20.2 of the CSV connector from Backstage.
- Delete the impacted CSV connector jar from either the IDM 7.2.1 /connectors directory or the RCS /connectors directory, and replace it with csvfile-connector-1.5.20.2.jar.
- Adjust your provisioner configuration accordingly; the bundleVersion must reference the updated connector version.
If you are using the RCS, see How do I upgrade the Java Remote Connector Server (RCS) for Identity Cloud and IDM? for further information on updating your connector.
Resolution:
Upgrade the CSV Connector to version 1.5.20.11.
The high-level steps to upgrade are:
- Download version 1.5.20.11 of the CSV connector from Backstage.
- Delete the impacted CSV connector jar from either the IDM 7.2.1 /connectors directory or the RCS /connectors directory, and replace it with csvfile-connector-1.5.20.11.jar.
- Adjust your provisioner configuration accordingly; the bundleVersion must reference the updated connector version.
If you are using the RCS, see How do I upgrade the Java Remote Connector Server (RCS) for Identity Cloud and IDM? for instructions on upgrading the connector.
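The workaround and the resolution above are the same three steps with a different jar version, and the part most often missed is the last one: a provisioner file whose bundleVersion still names the removed jar will fail to load the connector. The script below is an added example for this advisory, not ForgeRock code. It audits a connectors directory for the affected CSV connector builds (1.5.20.8 and 1.5.20.9) and for any jar that embeds an Apache Commons Text release older than 1.10.0 (the release that fixed CVE-2022-42889), then rewrites connectorRef.bundleVersion in a provisioner file to match the replacement jar. It assumes an embedded commons-text copy is un-relocated and carries the standard Maven pom.properties path; a shaded or renamed copy would not be detected and needs manual inspection. The jars and the provisioner file it runs against are constructed fixtures built in a temporary directory; the bundleName and connectorName values in the fixture are illustrative.

```python
"""Audit an IDM/RCS connectors directory for CVE-2022-42889 exposure and
bump the provisioner's bundleVersion after swapping the CSV connector jar.

Added example for this advisory; not ForgeRock code. Assumptions are marked.
"""
import json
import os
import re
import tempfile
import zipfile

# From the advisory: affected CSV connector builds and the fixed build.
AFFECTED_CONNECTOR_VERSIONS = {"1.5.20.8", "1.5.20.9"}
FIXED_CONNECTOR_VERSION = "1.5.20.11"
# CVE-2022-42889 affects Apache Commons Text 1.5 through 1.9; 1.10.0 fixed it.
COMMONS_TEXT_FIXED = (1, 10, 0)
# Standard Maven metadata path inside a jar that embeds commons-text.
# Assumption: the library is embedded un-relocated. A shaded or renamed copy
# would not be found here and needs manual inspection.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"


def parse_version(text):
    """'1.5.20.9' -> (1, 5, 20, 9); non-numeric parts are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def commons_text_version(jar_path):
    """Return the embedded commons-text version string, or None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def audit_connectors(connectors_dir):
    """Classify each jar as ('vulnerable', reasons) or ('ok', [])."""
    findings = {}
    for name in sorted(os.listdir(connectors_dir)):
        if not name.endswith(".jar"):
            continue
        path = os.path.join(connectors_dir, name)
        reasons = []
        m = re.match(r"csvfile-connector-(.+)\.jar$", name)
        if m and m.group(1) in AFFECTED_CONNECTOR_VERSIONS:
            reasons.append(f"CSV connector {m.group(1)} is listed as affected")
        ct = commons_text_version(path)
        if ct is not None and parse_version(ct) < COMMONS_TEXT_FIXED:
            reasons.append(f"bundles commons-text {ct} (< 1.10.0)")
        findings[name] = ("vulnerable", reasons) if reasons else ("ok", [])
    return findings


def update_bundle_version(provisioner_path, new_version):
    """Point connectorRef.bundleVersion at the replacement jar; return old value."""
    with open(provisioner_path) as f:
        cfg = json.load(f)
    ref = cfg["connectorRef"]
    old = ref["bundleVersion"]
    ref["bundleVersion"] = new_version
    with open(provisioner_path, "w") as f:
        json.dump(cfg, f, indent=2)
    return old


def make_jar(path, commons_text_ver):
    """Constructed fixture: a minimal jar embedding a commons-text pom.properties."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"version={commons_text_ver}\n"
                                "groupId=org.apache.commons\n"
                                "artifactId=commons-text\n")


def demo():
    """Build a constructed connectors dir, audit it, then fix the provisioner."""
    d = tempfile.mkdtemp()
    make_jar(os.path.join(d, "csvfile-connector-1.5.20.9.jar"), "1.9")
    make_jar(os.path.join(d, "csvfile-connector-1.5.20.11.jar"), "1.10.0")
    prov = os.path.join(d, "provisioner.openicf-csv.json")
    with open(prov, "w") as f:
        # Illustrative connectorRef values (assumed, not taken from the advisory).
        json.dump({"connectorRef": {
            "bundleName": "org.forgerock.openicf.connectors.csvfile-connector",
            "bundleVersion": "1.5.20.9",
            "connectorName": "org.forgerock.openicf.csvfile.CSVFileConnector"}}, f)
    before = audit_connectors(d)
    old = update_bundle_version(prov, FIXED_CONNECTOR_VERSION)
    with open(prov) as f:
        after = json.load(f)["connectorRef"]["bundleVersion"]
    return before, old, after


if __name__ == "__main__":
    before, old, after = demo()
    for jar, (status, reasons) in before.items():
        print(f"{jar}: {status} {'; '.join(reasons)}")
    print(f"bundleVersion {old} -> {after}")
```

Because the audit inspects every jar for an embedded commons-text, it also flags a standalone commons-text-1.9.jar sitting in the same directory, which the filename check alone would miss. For the downgrade workaround, call update_bundle_version with "1.5.20.2" instead of the fixed version; in either case run the audit again after the swap and restart IDM or the RCS so the new jar is loaded.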
Change Log
The following table tracks changes to the security advisory:
Date | Description |
---|---|
November 4, 2022 | Updated article to include the just-released fixed version of the CSV connector, 1.5.20.11, and added the CVE reference for the Apache Commons Text vulnerability. |
October 27, 2022 | Initial release |