AM Agents Security Advisory #201902
Security vulnerabilities have been discovered in AM Web and Java Agents. These issues are present in Agents 5.x.
July 04, 2019
Three Security vulnerabilities have been discovered in AM Web Agents and one issue has been found in AM Java Agents.
This advisory provides guidance on how to ensure your deployments can be secured. Fixes for the vulnerabilities are available in the latest releases.
The highest rating for each component is High. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to upgrade to AM Web Agent 5.6.1.0 and AM Java Agent 5.6.1.0.
Customers can obtain the AM Web and Java Agents fixed version from Backstage:
Issue #201902-01: Access permitted to revoked sessions with misconfiguration
| Product | AM Web Agent |
|---|---|
| Affected versions | 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0 |
| Fixed versions | 5.6.1.0 |
| Component | Web Agent |
| Severity | High |
Description:
It is possible to start the agent when notifications are enabled, however, in the case where permissions are misconfigured they can be non-functional allowing revoked sessions to access protected resources.
Workaround:
Follow installation/documentation advice carefully regarding permissions to avoid misconfiguration of permissions.
Resolution:
The Web Agent Installer now has improvements around run-time and install-time permission checking. Update/Upgrade to a fixed version to receive them.
Issue #201902-02: Polymorphic typing issue could lead to local file access
| Product | AM Java Agent |
|---|---|
| Affected versions | 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0 |
| Fixed versions | 5.6.1.0 |
| Component | Java Agent |
| Severity | High |
Description:
A remote user in specific circumstances (outlined in CVE-2018-12086) can access local files. This does not affect the Java Agent because default typing is not used, thus mitigating the attack. However, this may be flagged during a dependency check; if this happens, it can be marked as a False Positive.
Workaround:
N/A
Resolution:
The Jackson-Databind library dependency has been updated to version 2.9.8. Update/upgrade to a fixed version, which includes this updated library.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2019-12086
Issue #201902-03: Heap inspection issues
| Product | AM Web Agent |
|---|---|
| Affected versions | 5, 5.0.x ,5.1.x, 5.5.x, 5.6.0 |
| Fixed versions | 5.6.1.0 |
| Component | Web Agent |
| Severity | Medium |
Description:
Local attackers may be able to gain information by inspecting the heap memory in some circumstances.
Workaround:
Local security policies.
Resolution:
Update/upgrade to a fixed version.
Issue #201902-04: String operations could lead to agent crash
| Product | AM Web Agent |
|---|---|
| Affected versions | 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0 |
| Fixed versions | 5.6.1.0 |
| Component | Core Server |
| Severity | Medium |
Description:
Tightens validation of String operations, which were already using reasonable safeguards according to best practice.
Workaround:
N/A
Resolution:
Update/Upgrade to a fixed version.
Change Log
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| August 18, 2022 | No changes to content - just corrected Backstage link |
| February 24, 2021 | Added ForgeRock Identity Platform taxon to improve categorization |
| 8th July 2019 |
Reworded description in Issue #201902-02 to clarify that the Java agent is not affected but it may be flagged in a dependency check. Minor cosmetic changes. |
| 4th July 2019 | Initial release |