August 28, 2018
ForgeRock has discovered a Medium-level security vulnerability in DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS/OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0 (for more information, see What versions of DS/OpenDJ are compatible with AM/OpenAM?).
This advisory provides guidance on how to ensure your deployments can be secured. The recommendation is to deploy the relevant patch or upgrade to DS 5.5.2. See How do I install a DS/OpenDJ patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.
Customers can download a cumulative patch fixing this issue and all previous security advisories for DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3 from BackStage.
Customers with existing DS/OpenDJ patches must raise a ticket with ForgeRock support to obtain an updated patch: https://backstage.forgerock.com/support/tickets.
Issue #201803-01: Locked accounts are vulnerable to password guessing attacks
| Product | ForgeRock Directory Services, OpenDJ |
| Affected versions | DS 5.0.0, 5.5.0, 5.5.1, 6.0.0, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3 |
| Fixed versions | DS 5.5.2 |
The password policy response control is returned incorrectly when an account is locked and a bind operation for the account includes the correct password. Because the bind response then differs from the one returned for a wrong password, it is possible to brute-force a locked account's password even after the account has been locked due to too many authentication failures.
Update/upgrade to DS 5.5.2 or deploy the relevant patch bundle.
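As an added example (not part of the advisory and not ForgeRock code), the following Python decodes the Password Policy Response Control value (OID 1.3.6.1.4.1.42.2.27.8.5.1, draft-behera-ldap-password-policy) that a client receives with a bind result, and checks the property a patched server must have: two binds against a locked account, one with the correct password and one with a wrong password, are indistinguishable. The BER bytes, the `BindOutcome` type and both sample pairs are constructed for illustration; they are not captured from DS, and collecting real outcomes is left to your LDAP client.

```python
from dataclasses import dataclass
from typing import Optional
# Error values of the Password Policy Response Control (draft-behera-ldap-password-policy).
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}
WARNING_TAGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}

def _tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy(value):
    """Decode SEQUENCE { warning [0] CHOICE {...} OPTIONAL, error [1] ENUMERATED OPTIONAL }."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("password policy control value must be a SEQUENCE")
    warning, error, pos = None, None, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                        # warning [0]: constructed, wraps [0]/[1] INTEGER
            wtag, wval, _ = _tlv(inner, 0)
            warning = (WARNING_TAGS[wtag], int.from_bytes(wval, "big"))
        elif tag == 0x81:                      # error [1]: primitive ENUMERATED
            code = int.from_bytes(inner, "big")
            error = PPOLICY_ERRORS.get(code, f"unknown({code})")
    return warning, error

@dataclass(frozen=True)
class BindOutcome:                             # constructed type, not an LDAP library API
    result_code: int                           # LDAP resultCode; 49 = invalidCredentials
    ppolicy: Optional[bytes] = None            # raw control value, or None if not returned

def locked_bind_is_consistent(with_correct_pw, with_wrong_pw):
    """True when two binds against a locked account cannot be told apart by the client."""
    def view(o):
        return (o.result_code, decode_ppolicy(o.ppolicy) if o.ppolicy is not None else None)
    return view(with_correct_pw) == view(with_wrong_pw)

# Constructed samples (not captured from DS): 30 03 81 01 01 = error accountLocked, no warning.
LOCKED = bytes.fromhex("3003810101")
# Illustrative "before" pair: same result code, but the control differs by password, so a client can tell.
LEAKY_PAIR = (BindOutcome(49, LOCKED), BindOutcome(49, None))
# Required "after" behaviour: identical responses regardless of the password supplied.
FIXED_PAIR = (BindOutcome(49, LOCKED), BindOutcome(49, LOCKED))
```

To verify a patched server, perform the two binds against a deliberately locked test account, wrap each result code and control value in a `BindOutcome`, and require `locked_bind_is_consistent` to return `True`.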
The following table tracks changes to the security advisory:
| October 22, 2018 | Added DS 5.5.2 as a fixed version |
| August 28, 2018 | Initial release |