Security Advisory

DS/OpenDJ Security Advisory #201803

Last updated Oct 22, 2018

ForgeRock has discovered a Medium-level security vulnerability in ForgeRock Directory Services (DS) 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS/OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0.


August 28, 2018

ForgeRock has discovered a Medium-level security vulnerability in DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS/OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0 (for more information, see What versions of DS/OpenDJ are compatible with AM/OpenAM?).

This advisory provides guidance on how to ensure your deployments can be secured. The recommendation is to deploy the relevant patch or upgrade to DS 5.5.2. See How do I install a DS/OpenDJ patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.

Customers can download a cumulative patch fixing this issue and all previous security advisories for DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3 from BackStage.

Note

Customers with existing DS/OpenDJ patches must raise a ticket with ForgeRock support to obtain an updated patch: https://backstage.forgerock.com/support/tickets.

Issue #201803-01: Locked accounts are vulnerable to password guessing attacks

Product: ForgeRock Directory Services, OpenDJ
Affected versions: DS 5.0.0, 5.5.0, 5.5.1, 6.0.0, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3
Fixed versions: DS 5.5.2
Component: Core Server
Severity: Medium

Description:

The password policy response control is returned incorrectly when an account is locked and a bind operation for the account includes the correct password. As a result, it is possible to brute force a locked account’s password even after it has been locked due to too many authentication failures.
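The following is an added illustration, not ForgeRock code and not the actual DS/OpenDJ bind implementation. It is a constructed, in-memory model of a bind handler that attaches the LDAP password policy response control (the accountLocked error value 1 is taken from the draft-behera-ldap-password-policy control definition). The vulnerable variant mirrors the class of defect described above: the control is attached on the branch where the password has already been verified, so a locked account answers a correct password differently from a wrong one and the response itself becomes a password oracle. The hardened variant decides the response from the lock state before the password is consulted, so every bind against a locked account yields an identical response. Account names, the lockout threshold, the salt and the helper names are all assumptions for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Error value from the password policy response control draft
# (draft-behera-ldap-password-policy): accountLocked(1).
PP_ERROR_ACCOUNT_LOCKED = 1

LOCKOUT_THRESHOLD = 3      # constructed policy value for this model
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


@dataclass
class Account:
    dn: str
    password_hash: bytes     # salted PBKDF2 digest of the password
    salt: bytes
    failures: int = 0
    locked: bool = False


def make_account(dn: str, password: str) -> Account:
    salt = b"constructed-salt"    # fixed so the example is deterministic
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return Account(dn=dn, password_hash=digest, salt=salt)


def password_matches(acct: Account, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 10_000)
    return hmac.compare_digest(digest, acct.password_hash)


@dataclass(frozen=True)
class BindResponse:
    result_code: int                 # 0 = success, 49 = invalidCredentials
    pp_error: Optional[int] = None   # password policy control error, if attached


def bind_vulnerable(acct: Account, password: str) -> BindResponse:
    """Constructed model of the flaw: the password is checked first, and the
    accountLocked control is only attached when that check succeeded."""
    if password_matches(acct, password):
        if acct.locked:
            # Correct password against a locked account: rejected, but the
            # attached control distinguishes it from a wrong password.
            return BindResponse(LDAP_INVALID_CREDENTIALS, PP_ERROR_ACCOUNT_LOCKED)
        acct.failures = 0
        return BindResponse(LDAP_SUCCESS)
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return BindResponse(LDAP_INVALID_CREDENTIALS)   # wrong password: no control


def bind_hardened(acct: Account, password: str) -> BindResponse:
    """Lock state is evaluated before the password, so a locked account
    returns the same response whatever password is supplied."""
    if acct.locked:
        return BindResponse(LDAP_INVALID_CREDENTIALS, PP_ERROR_ACCOUNT_LOCKED)
    if password_matches(acct, password):
        acct.failures = 0
        return BindResponse(LDAP_SUCCESS)
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return BindResponse(LDAP_INVALID_CREDENTIALS)


def leaks_password_on_locked_account(bind: Callable[[Account, str], BindResponse]) -> bool:
    """True if, once the account is locked, the response to the correct
    password differs from the response to a wrong one (an oracle)."""
    acct = make_account("uid=alice,ou=people,dc=example,dc=com", "correct horse")
    for _ in range(LOCKOUT_THRESHOLD):
        bind(acct, "wrong guess")
    assert acct.locked, "account should be locked after the threshold"
    with_right = bind(acct, "correct horse")
    with_wrong = bind(acct, "another wrong guess")
    return with_right != with_wrong


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_password_on_locked_account(bind_vulnerable))
    print("hardened handler leaks:  ", leaks_password_on_locked_account(bind_hardened))
```

The property worth testing in any deployment is the one `leaks_password_on_locked_account` checks: after lockout, the complete bind response (result code, diagnostic message and every attached control) must be independent of the supplied password. Whether a locked account returns the accountLocked control at all is a policy choice; what matters is that the decision is made from the lock state and not from the outcome of the password comparison.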

Workaround:

None.

Resolution:

Update/upgrade to DS 5.5.2 or deploy the relevant patch bundle.

Change Log

The following table tracks changes to the security advisory:

Date              Description
October 22, 2018  Added DS 5.5.2 as a fixed version
August 28, 2018   Initial release


Copyright and Trademarks

Copyright © 2018 ForgeRock, all rights reserved.