Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

Web Agents Security Advisory #201802

Last updated Aug 18, 2022

January 18, 2018

A security vulnerability has been discovered in the AM Web Agent component. This issue is present in the Web Agent 5.0 release. Earlier Web Agents and the community editions are not affected.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant revised agent build, version 5.0.0.1 (in accordance with ForgeRock’s ForgeRock Maintenance Release and Patch Policy). This is an update to the main release:

  • Web Agent 5.0

Customers can obtain this patched agent from Backstage.

Issue #201802-01: Single Sign On Access Vulnerability

Product: AM
Affected versions: 5.0
Fixed versions: 5.0.0.1
Component: Web Agent
Severity: Medium

Description:

When using ‘SSO Only’ mode, it is still possible to access protected resources after the user has logged out.

Workaround:

Do not use SSO Only mode.

Resolution:

Update/upgrade to the fixed version of the Web Agent, 5.0.0.1 or later.

Change Log

The following table tracks changes to the security advisory:

Date               Description
August 18, 2022    No changes to content - just corrected Backstage link
February 24, 2021  Added ForgeRock Identity Platform taxon to improve categorization

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.