Web and Java Agents Security Advisory #202302

Last updated Jun 14, 2023

A security vulnerability has been discovered in supported versions of Web and Java Agents. This vulnerability affects versions 5.10.1 and earlier, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory. This advisory does not apply to Identity Gateway (IG), which is not impacted.

Identity Cloud customers

If you have integrated Agents with Identity Cloud, you should secure your Web or Java Agents as recommended in this security advisory.

February 22, 2023

A security vulnerability has been discovered in supported versions of Web and Java Agents. This vulnerability affects versions 5.10.1 and earlier, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Critical.

Note

The advice is to upgrade to the latest version to fix these issues. Alternatively, if that’s not possible at this time, you can apply the mitigation listed.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

See Upgrade Web Agent and Upgrade Java Agent for upgrade instructions.

Issue #202302-01 (CVE-2023-0339 Web Agent) (CVE-2023-0511 Java Agent)

Affected versions

Web Agents 5.10.1 and earlier (all supported versions and perhaps older unsupported versions)

Java Agents 5.10.1 and earlier (all supported versions and perhaps older unsupported versions)

Fixed versions

Web Agents 2023.3, Web Agents 5.10.2

Java Agents 2023.3, Java Agents 5.10.2

Component: Web Agents, Java Agents

Severity: Critical

Description:

A critical severity Relative Path Traversal (CWE-23) vulnerability has been discovered in supported versions of Agents that can lead to unauthorized access. 

Mitigation:

You can mitigate this vulnerability by restricting unusual URLs. See How do I reject unusual URLs with dot segments in Agents? for further information.
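As an added example that is not part of this advisory or of the Agents' own configuration, the Python check below shows the kind of "unusual URL" test the mitigation describes: it flags any request whose path still contains a dot segment after percent-decoding, and runs that check over a few constructed access-log lines. The function names, the NCSA log format and the decoding of percent-encoded dots are assumptions made here; the knowledge-base article linked above describes the agents' actual setting.

```python
# Added example (not ForgeRock's code): a defender-side check for the kind of
# "unusual URL" the advisory's mitigation rejects, i.e. any request path that
# still contains a dot segment ("." or "..") once percent-encoding is removed.
from urllib.parse import unquote, urlsplit


def has_dot_segment(request_target: str, max_decode_rounds: int = 2) -> bool:
    """True if the path of request_target contains a '.' or '..' segment.

    Percent-decoding is applied a bounded number of times so that encoded
    forms such as %2e%2e and double-encoded %252e%252e are also caught
    (assumption: the agents' own check need not be this strict). Backslashes
    count as separators because some servers normalise them to '/'.
    """
    path = urlsplit(request_target).path
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return any(segment in (".", "..") for segment in path.split("/"))


def flag_dot_segment_requests(log_lines):
    """Return (line_number, request_target) for each NCSA-style log line whose
    request target has a dot segment; malformed lines are skipped."""
    flagged = []
    for number, line in enumerate(log_lines, start=1):
        try:
            _method, target, _version = line.split('"')[1].split()
        except (IndexError, ValueError):
            continue
        if has_dot_segment(target):
            flagged.append((number, target))
    return flagged


# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Feb/2023:10:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [22/Feb/2023:10:00:02 +0000] "GET /app/../protected/ HTTP/1.1" 403 0',
    '10.0.0.7 - - [22/Feb/2023:10:00:03 +0000] "GET /app/%2e%2e/protected/ HTTP/1.1" 403 0',
    '10.0.0.7 - - [22/Feb/2023:10:00:04 +0000] "GET /app/%252e%252e/protected/ HTTP/1.1" 403 0',
    '10.0.0.9 - - [22/Feb/2023:10:00:05 +0000] "GET /app/release.v1.2.json HTTP/1.1" 200 30',
]

if __name__ == "__main__":
    for number, target in flag_dot_segment_requests(SAMPLE_LOG):
        print(f"line {number}: dot segment in {target}")
```

Note that a file name containing dots (release.v1.2.json) is not a dot segment and is left alone; only whole segments equal to "." or ".." are rejected.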

Resolution:

Upgrade to a fixed version.

Acknowledgments

Robert Byrne (https://www.ericsson.com/en/security/psirt)

See Also

CVE-2023-0339

CVE-2023-0511

Change Log

The following table tracks changes to the security advisory:

Date               Description
June 14, 2023      Corrected doc link
April 18, 2023     Updated tags to improve search
March 28, 2023     Added Web Agents 2023.3 and Java Agents 2023.3 as fixed versions
March 8, 2023      Added Acknowledgments section
February 28, 2023  Added CVE information for Web and Java agents
February 22, 2023  Initial release