Security Advisory
ForgeRock Identity Platform
ForgeRock Identity Cloud

Web and Java Agents Security Advisory #202201

Last updated Feb 10, 2022

A security vulnerability has been discovered in supported versions of Web and Java Agents when using specific configurations. This vulnerability affects versions: Web Agent 5.6.1.0 - 5.9.0, and Java Agent 5.7.1, 5.8.0, 5.8.1 and 5.9.0. It could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.


Identity Cloud customers

If you have integrated Agents with Identity Cloud, you should secure your Web or Java Agents as recommended in this security advisory.

January 24, 2022

A security vulnerability has been discovered in supported versions of Web and Java Agents when using specific configurations. This vulnerability affects versions: Web Agent 5.6.1.0 - 5.9.0, and Java Agent 5.7.1, 5.8.0, 5.8.1 and 5.9.0. It could be present in older unsupported versions.

The maximum severity of issues in this advisory is Medium.

Note

The advice is to upgrade. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

See Upgrade Web Agent and Upgrade Java Agent for upgrade instructions.

Issue #202201-01

Affected versions

Web Agent: 5.6.1.0, 5.6.1.1, 5.6.2.0, 5.6.2.1, 5.7.0, 5.7.1, 5.8.0, 5.8.1, 5.8.2, 5.8.2.1, 5.9.0

Java Agent: 5.7.1, 5.8.0, 5.8.1, 5.8.2, 5.8.2.1, 5.9.0

Fixed versions: Web Agent 5.9.1, Java Agent 5.9.1

Component: Web Agent, Java Agent

Severity: Medium

Description:

When the Accept SSO Token mode or the Accept SSO token cookie (deprecated) setting is used in the Web Agent, or the non-default Enable SSO Token Acceptance mode is used in the Java Agent, the Agent does not correctly invalidate the SSO session with Identity Cloud or AM. For Web Agents, the issue occurs only when Disable Logout Redirection is also set to true.

Workaround:

Set Disable Logout Redirection to false (default) on the Web Agent, or set Enable SSO Token Acceptance to false (default) for the Java Agent.
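The following is an added example, not part of ForgeRock's advisory or product code: a small audit helper that applies the affected-version list and the configuration conditions above to an agent inventory, so a deployment can be flagged as exposed and given the matching workaround or upgrade. The field names on AgentConfig are this example's own and do not correspond to actual agent property names.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Affected versions exactly as listed in Issue #202201-01.
AFFECTED_WEB = ["5.6.1.0", "5.6.1.1", "5.6.2.0", "5.6.2.1", "5.7.0", "5.7.1",
                "5.8.0", "5.8.1", "5.8.2", "5.8.2.1", "5.9.0"]
AFFECTED_JAVA = ["5.7.1", "5.8.0", "5.8.1", "5.8.2", "5.8.2.1", "5.9.0"]


def norm(version: str) -> Tuple[int, ...]:
    """Normalise '5.8.2' and '5.8.2.0' to the same 4-part tuple so inventory strings compare cleanly."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


AFFECTED = {"web": {norm(v) for v in AFFECTED_WEB},
            "java": {norm(v) for v in AFFECTED_JAVA}}


@dataclass
class AgentConfig:
    """Settings read from an agent profile. Field names are hypothetical (this example's), not product keys."""
    name: str
    agent_type: str                           # "web" or "java"
    version: str
    accept_sso_token: bool = False            # Web Agent: Accept SSO Token / Accept SSO token cookie (deprecated)
    disable_logout_redirection: bool = False  # Web Agent, default false
    enable_sso_token_acceptance: bool = False # Java Agent, default false


def assess(cfg: AgentConfig) -> Dict[str, object]:
    """Return {'affected': bool, 'action': str} for one agent according to the advisory conditions."""
    if cfg.agent_type not in AFFECTED:
        raise ValueError(f"unknown agent type: {cfg.agent_type}")
    if norm(cfg.version) not in AFFECTED[cfg.agent_type]:
        return {"affected": False, "action": "none: version not in affected list"}
    if cfg.agent_type == "web" and cfg.accept_sso_token and cfg.disable_logout_redirection:
        return {"affected": True,
                "action": "upgrade to Web Agent 5.9.1, or set Disable Logout Redirection to false"}
    if cfg.agent_type == "java" and cfg.enable_sso_token_acceptance:
        return {"affected": True,
                "action": "upgrade to Java Agent 5.9.1, or set Enable SSO Token Acceptance to false"}
    return {"affected": False, "action": "none: vulnerable configuration not in use"}


def audit(inventory: List[AgentConfig]) -> List[Tuple[str, str]]:
    """Return (agent name, action) for every agent in the inventory that matches the issue."""
    return [(c.name, assess(c)["action"]) for c in inventory if assess(c)["affected"]]
```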

Resolution:

Upgrade to a fixed version.

Change Log

The following table tracks changes to the security advisory:

Date               Description
February 10, 2022  Fixed broken upgrade documentation link
January 24, 2022   Initial release

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.