Security Advisory
ForgeRock Identity Platform
ForgeRock Identity Cloud

Web and Java Agents Security Advisory #202302

Last updated Mar 8, 2023

A security vulnerability has been discovered in supported versions of Web and Java Agents. This vulnerability affects versions 5.10.1 and earlier, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory. This advisory does not apply to Identity Gateway (IG), which is not impacted.


Identity Cloud customers

If you have integrated Agents with Identity Cloud, you should secure your Web or Java Agents as recommended in this security advisory.

February 22, 2023

A security vulnerability has been discovered in supported versions of Web and Java Agents. This vulnerability affects versions 5.10.1 and earlier, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Critical.

Note

The advice is to upgrade to the latest version to fix these issues. Alternatively, if that’s not possible at this time, you can apply the mitigation listed.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

See Upgrade Web Agent and Upgrade Java Agent for upgrade instructions.

Issue #202302-01 (CVE-2023-0339 Web Agent) (CVE-2023-0511 Java Agent)

Affected versions

Web Agents 5.10.1 and earlier (all supported versions and perhaps older unsupported versions)

Java Agents 5.10.1 and earlier (all supported versions and perhaps older unsupported versions)

Fixed versions

Web Agents 5.10.2

Java Agents 5.10.2

Component: Web Agents, Java Agents

Severity: Critical

Description:

A critical severity Relative Path Traversal (CWE-23) vulnerability has been discovered in supported versions of Agents that can lead to unauthorized access. 

Mitigation:

You can mitigate this vulnerability by restricting unusual URLs. See How do I reject unusual URLs with dot segments in Agents (All versions)? for further information.
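As an added illustration of the kind of filtering rule this mitigation describes (example code written for this advisory, not the Agents' own configuration or source), the following Python function flags request paths that contain a dot segment ("." or "..") after percent-decoding, so that an encoded form is not missed. The sample URLs are constructed.

```python
from urllib.parse import unquote, urlsplit

# RFC 3986 section 3.3 dot segments: a path segment that is exactly "." or "..".
DOT_SEGMENTS = {".", ".."}


def fully_decode(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so a
    segment that was encoded more than once is still compared in its
    decoded form. Three rounds is an assumed, conservative bound."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            return decoded
        text = decoded
    return text


def has_dot_segments(path: str) -> bool:
    """True when any '/'-delimited segment of the decoded path is '.' or '..'.
    Only whole segments count: 'file.txt' or '..cache' are ordinary names."""
    decoded = fully_decode(path)
    return any(segment in DOT_SEGMENTS for segment in decoded.split("/"))


def is_unusual_url(url: str) -> bool:
    """Reject rule for a full URL: inspect the path component only
    (the query and fragment do not select a protected resource here)."""
    return has_dot_segments(urlsplit(url).path)


def classify(urls):
    """Return {url: 'reject' | 'allow'} for a batch of request URLs."""
    return {u: ("reject" if is_unusual_url(u) else "allow") for u in urls}


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real deployment.
    sample = [
        "https://app.example/portal/home",
        "https://app.example/portal/../private/home",
        "https://app.example/portal/%2e%2e/private/home",
        "https://app.example/portal/report.2023.pdf",
    ]
    for url, verdict in classify(sample).items():
        print(f"{verdict:6s} {url}")
```

A filter that only matches the literal string ".." at the gateway misses the percent-encoded form, which is why the check decodes before comparing segments.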

Resolution:

Upgrade to a fixed version.

Acknowledgments

Robert Byrne (https://www.ericsson.com/en/security/psirt)

See Also

CVE-2023-0339

CVE-2023-0511

Change Log

The following table tracks changes to the security advisory:

Date  Description
March 8, 2023 Added Acknowledgments section
February 28, 2023 Added CVE information for Web and Java agents
February 22, 2023 Initial release

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.