August 28, 2018
ForgeRock has discovered a Medium-level security vulnerability in DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS/OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0 (for more information, see What versions of DS are compatible with AM?).
This advisory provides guidance on how to ensure your deployments can be secured. The recommendation is to deploy the relevant patch or upgrade to DS 5.5.2. See How do I install a DS patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.
Customers can download a cumulative patch fixing this issue and all previous security advisories for DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3 from BackStage.
Customers with existing DS/OpenDJ patches must raise a ticket with ForgeRock support to obtain an updated patch: https://backstage.forgerock.com/support/tickets.
Issue #201803-01: Locked accounts are vulnerable to password guessing attacks
Product: ForgeRock Directory Services, OpenDJ
Affected versions: DS 5.0.0, 5.5.0, 5.5.1, 6.0.0, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3
Fixed versions: DS 5.5.2
The password policy response control is returned incorrectly when an account is locked and the bind operation for that account supplies the correct password. Because the response therefore differs according to whether the supplied password is correct, the lockout no longer stops password guessing: it remains possible to brute force a locked account's password even after it has been locked due to too many authentication failures.
Update/upgrade to DS 5.5.2 or deploy the relevant patch bundle.
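The flaw class the advisory describes, modelled as an added Python example that is not DS or OpenDJ code: a bind handler that verifies the password before consulting the lock state answers a locked account differently when the password is correct, while the corrected ordering returns one fixed response for any locked bind. The account, lockout threshold and hashing are constructed for the model.

```python
# Hypothetical model of a bind handler's password-policy response; not DS code.
from dataclasses import dataclass
import hashlib
import hmac

LOCKOUT_THRESHOLD = 3
INVALID_CREDENTIALS = 49          # LDAP resultCode invalidCredentials
ACCOUNT_LOCKED = "accountLocked"  # ppolicy response control error value

@dataclass
class Account:
    dn: str
    password_hash: bytes   # SHA-256 digest, for the model only
    failed_attempts: int = 0
    locked: bool = False

def _password_ok(acct, password):
    digest = hashlib.sha256(password.encode()).digest()
    return hmac.compare_digest(digest, acct.password_hash)

def _record_failure(acct):
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return INVALID_CREDENTIALS, ACCOUNT_LOCKED if acct.locked else None

def bind_vulnerable(acct, password):
    """Password is verified before the lock is consulted, so a locked
    account answers differently for the right password (the flaw class)."""
    if _password_ok(acct, password):
        return (INVALID_CREDENTIALS, None) if acct.locked else (0, None)
    return _record_failure(acct)

def bind_fixed(acct, password):
    """A locked account gets one fixed response whatever the password."""
    if acct.locked:
        return INVALID_CREDENTIALS, ACCOUNT_LOCKED
    if _password_ok(acct, password):
        return 0, None
    return _record_failure(acct)

def leaks_password(bind):
    """Lock a constructed account, then bind with a wrong and the right
    password; any difference between the two responses is an oracle."""
    acct = Account("uid=alice,ou=people,dc=example,dc=com",
                   hashlib.sha256(b"correct-horse").digest())
    for _ in range(LOCKOUT_THRESHOLD):
        bind(acct, "wrong")
    return bind(acct, "wrong") != bind(acct, "correct-horse")
```

The check in `leaks_password` is the property a patched server must satisfy: once an account is locked, the bind result and the password policy response control are identical whether or not the password is correct.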
The following table tracks changes to the security advisory:
February 24, 2021: Added ForgeRock Identity Platform taxon to improve categorization
October 22, 2018: Added DS 5.5.2 as a fixed version
August 28, 2018: Initial release