DS/OpenDJ Security Advisory #201803
August 28, 2018
ForgeRock has discovered a Medium-level security vulnerability in DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS/OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0 (for more information, see What versions of DS/OpenDJ are compatible with AM/OpenAM?).
This advisory provides guidance on how to ensure your deployments can be secured. The recommendation is to deploy the relevant patch or upgrade to DS 5.5.2. See How do I install a DS/OpenDJ patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.
Customers can download a cumulative patch fixing this issue and all previous security advisories for DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3 from BackStage.
Note
Customers with existing DS/OpenDJ patches must raise a ticket with ForgeRock support to obtain an updated patch: https://backstage.forgerock.com/support/tickets.
Issue #201803-01: Locked accounts are vulnerable to password guessing attacks
| Product | ForgeRock Directory Services, OpenDJ |
|---|---|
| Affected versions | DS 5.0.0, 5.5.0, 5.5.1, 6.0.0, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3 |
| Fixed versions | DS 5.5.2 |
| Component | Core Server |
| Severity | Medium |
Description:
The password policy response control is returned incorrectly when an account is locked and a bind operation for the account includes the correct password. As a result, it is possible to brute force a locked account’s password even after it has been locked due to too many authentication failures.
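The following is an added model of the failure mode described above, not ForgeRock's code: a bind handler that verifies the password before consulting the lock state (and attaches the password-policy control only on the failure path) answers a correct guess against a locked account differently from a wrong one, which is what turns a locked account into a password oracle. The hardened handler short-circuits on the lock state so both answers are byte-for-byte identical. The lockout threshold, the control name and the account DN are assumptions chosen for the model; the real DS behaviour is governed by the configured password policy. The `lock_is_opaque` function is the regression check a defender would keep around to confirm the fixed behaviour.

```python
from dataclasses import dataclass
import hashlib
import hmac
import secrets

# Assumed values for this model; the real DS thresholds and control OIDs are
# set per password policy and are not given in the advisory.
MAX_FAILURES = 3
ACCOUNT_LOCKED = "accountLocked"


@dataclass
class Account:
    dn: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(dn: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(dn=dn, salt=salt, pw_hash=_hash(password, salt))


def _password_matches(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def _record_failure(acct: Account) -> None:
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True


def bind_vulnerable(acct: Account, password: str) -> dict:
    """Models the advisory's flaw: the password is verified before the lock
    state is consulted, and the password-policy control is only attached on
    the failure path. A locked account therefore answers a correct password
    differently from a wrong one."""
    if _password_matches(acct, password):
        if acct.locked:
            # Bind is still refused, but without the lock control: the
            # response differs from the wrong-password case.
            return {"result": "invalidCredentials", "control": None}
        acct.failures = 0
        return {"result": "success", "control": None}
    _record_failure(acct)
    return {"result": "invalidCredentials",
            "control": ACCOUNT_LOCKED if acct.locked else None}


def bind_fixed(acct: Account, password: str) -> dict:
    """Hardened ordering: a locked account gets one fixed response before the
    password is ever examined, so correct and wrong guesses are identical."""
    if acct.locked:
        return {"result": "invalidCredentials", "control": ACCOUNT_LOCKED}
    if _password_matches(acct, password):
        acct.failures = 0
        return {"result": "success", "control": None}
    _record_failure(acct)
    return {"result": "invalidCredentials",
            "control": ACCOUNT_LOCKED if acct.locked else None}


def lock_is_opaque(bind, real_password: str, wrong_password: str) -> bool:
    """Defender's regression check: lock a constructed account, then confirm
    the bind handler answers the real and a wrong password identically."""
    acct = make_account("uid=alice,ou=people,dc=example,dc=com", real_password)
    for _ in range(MAX_FAILURES):
        bind(acct, wrong_password)
    assert acct.locked
    return bind(acct, real_password) == bind(acct, wrong_password)


if __name__ == "__main__":
    print("vulnerable handler leaks lock state:",
          not lock_is_opaque(bind_vulnerable, "correct horse", "guess"))
    print("fixed handler is opaque:",
          lock_is_opaque(bind_fixed, "correct horse", "guess"))
```

The design point is ordering: any check whose outcome must not depend on the secret (lock state, account disabled, password expired) has to be evaluated and answered before the password is verified, and the response for that state must be a constant, not assembled from the verification result.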
Workaround:
None.
Resolution:
Update/upgrade to DS 5.5.2 or deploy the relevant patch bundle.
Change Log
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| October 22, 2018 | Added DS 5.5.2 as a fixed version |
| August 28, 2018 | Initial release |