DS/OpenDJ Security Advisory #201803

August 28, 2018

ForgeRock has discovered a Medium-level security vulnerability in DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS/OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0 (for more information, see What versions of DS are compatible with AM?).

This advisory provides guidance on how to ensure your deployments can be secured. The recommendation is to deploy the relevant patch or upgrade to DS 5.5.2. See How do I install a DS patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.

Customers can download a cumulative patch fixing this issue and all previous security advisories for DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3 from BackStage.

Issue #201803-01: Locked accounts are vulnerable to password guessing attacks

Description:

The password policy response control is returned incorrectly when an account is locked and a bind operation for the account includes the correct password. As a result, it is possible to brute force a locked account’s password even after it has been locked due to too many authentication failures.

Workaround:

None.

Resolution:

Update/upgrade to DS 5.5.2 or deploy the relevant patch bundle.

Change Log

The following table tracks changes to the security advisory: