Security Advisory

AM Agents Security Advisory #201902

Last updated Jul 8, 2019

Security vulnerabilities have been discovered in AM Web and Java Agents. These issues are present in Agents 5.x.


July 04, 2019

Three security vulnerabilities have been discovered in AM Web Agents and one issue has been found in AM Java Agents.

This advisory provides guidance on how to secure your deployments. Fixes for the vulnerabilities are available in the latest releases.

The highest rating for each component is High. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to AM Web Agent 5.6.1.0 and AM Java Agent 5.6.1.0.

Customers can obtain the AM Web and Java Agents fixed version from BackStage:

Issue #201902-01: Access permitted to revoked sessions with misconfiguration

Product: AM Web Agent
Affected versions: 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Fixed versions: 5.6.1.0
Component: Web Agent
Severity: High

Description:

When notifications are enabled, the agent can still start even if permissions are misconfigured; in that case the notifications are non-functional, which allows revoked sessions to continue accessing protected resources.

Workaround:

Follow the installation documentation carefully regarding permissions to avoid misconfiguring them.

Resolution:

The Web Agent installer now includes improved install-time and run-time permission checks. Update or upgrade to a fixed version to receive them.

Issue #201902-02: Polymorphic typing issue could lead to local file access

Product: AM Java Agent
Affected versions: 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Fixed versions: 5.6.1.0
Component: Java Agent
Severity: High

Description:

A remote user, in the specific circumstances outlined in CVE-2019-12086, can access local files. The Java Agent is not affected because it does not use Jackson default typing, which mitigates the attack. However, the dependency may be flagged during a dependency check; if this happens, the finding can be marked as a false positive.

Workaround:

N/A

Resolution:

The jackson-databind library dependency has been updated to version 2.9.8. Update or upgrade to a fixed version, which includes this updated library.

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2019-12086
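The following is an added example, not ForgeRock code and not part of this advisory, showing why the advisory can treat this finding as a false positive: the Jackson polymorphic typing issue only applies when "default typing" is enabled on the ObjectMapper. It assumes jackson-databind 2.9.x on the classpath; the class name, the sample JSON and the helper methods are constructed for illustration. The plain ObjectMapper (default typing off, the posture described above) treats an embedded class name as an ordinary string, whereas the mapper with enableDefaultTyping() (the 2.9 API, deprecated from 2.10) tries to resolve it as a type id.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.List;

// Added example (not ForgeRock code): contrasts the safe default ObjectMapper with the
// risky default-typing configuration that the Jackson polymorphic typing CVEs apply to.
public class PolymorphicTypingCheck {

    // Constructed sample document: a JSON array whose first element looks like a
    // fully-qualified class name. The class name is hypothetical and does not exist.
    static final String SAMPLE = "[\"com.example.HypotheticalType\", {\"value\": 1}]";

    // The posture the advisory describes: a plain ObjectMapper with default typing off.
    // The class name is just a string; the result is a List of [String, Map].
    static Object parseWithDefaultTypingOff(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, Object.class);
    }

    // The weak configuration, shown only for comparison: enableDefaultTyping() makes
    // Jackson honour the embedded class name for non-final declared types such as Object.
    // This is the 2.9 API; it is deprecated from 2.10 in favour of
    // activateDefaultTyping(PolymorphicTypeValidator, ...) with an allow-list.
    static ObjectMapper riskyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Audit helper (constructed): returns true if the mapper treats the first array
    // element as a type id. A plain List means the name was ignored; an exception means
    // Jackson attempted to resolve the (non-existent) class, i.e. default typing is active.
    static boolean honoursEmbeddedTypeIds(ObjectMapper mapper) {
        try {
            Object result = mapper.readValue(SAMPLE, Object.class);
            return !(result instanceof List);
        } catch (Exception e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        Object safe = parseWithDefaultTypingOff(SAMPLE);
        System.out.println("default typing off -> " + safe.getClass().getSimpleName() + ": " + safe);

        System.out.println("plain ObjectMapper honours type ids: "
                + honoursEmbeddedTypeIds(new ObjectMapper()));
        System.out.println("enableDefaultTyping mapper honours type ids: "
                + honoursEmbeddedTypeIds(riskyMapper()));
    }
}
```

Running the audit helper against the mappers actually constructed in a code base is a quick way to confirm that no ObjectMapper has default typing enabled before suppressing a scanner finding for this library; the suppression itself is done with whatever false-positive mechanism the dependency-check tool in use provides.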

Issue #201902-03: Heap inspection issues

Product: AM Web Agent
Affected versions: 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Fixed versions: 5.6.1.0
Component: Web Agent
Severity: Medium

Description:

Local attackers may be able to gain information by inspecting the heap memory in some circumstances.

Workaround:

Restrict local access through local security policies.

Resolution:

Update/upgrade to a fixed version.

Issue #201902-04: String operations could lead to agent crash

Product: AM Web Agent
Affected versions: 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Fixed versions: 5.6.1.0
Component: Core Server
Severity: Medium

Description:

Validation of string operations has been tightened; these operations already used reasonable safeguards in line with best practice.

Workaround:

N/A

Resolution:

Update/upgrade to a fixed version.

Change Log

The following table tracks changes to the security advisory:

Date            Description
8th July 2019   Reworded description in Issue #201902-02 to clarify that the Java agent is not affected but it may be flagged in a dependency check. Minor cosmetic changes.
4th July 2019   Initial release.


Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.