AM Security Advisory #202301
A security vulnerability has been reported in the AM 7.x patches issued for security advisory #202207. This #202301 security advisory applies to customers who have already obtained and/or applied a #202207 AM 7.x patch before February 8th, 2023. It also addresses the original security issue from #202207.
Identity Cloud customers
This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform.
February 2, 2023
The maximum severity of issues in this advisory is Critical.
Note
The advice is to upgrade to the latest version to fix these issues. Alternatively, if that’s not possible at this time, you can apply one of the patches to mitigate these issues.
You should apply the #202301 version of the patch for all versions of AM 7.x and not apply #202207 patches. For customers who had already raised a ticket for a custom 7.x patch, updated #202301 versions of those patches are being issued via the original support tickets.
If you have already applied the #202207 patch, please remove it immediately and replace it with a #202301 patch. An example of how to remove patches is outlined in the following knowledge base article: How do I install a PingAM (AM) patch supplied by Ping support?
You can download updated patches from Backstage for the following AM versions:
The patches address both the original #202207 as well as the #202301 issues.
See How do I install a PingAM (AM) patch supplied by Ping support? for further information on deploying the patch.
If you need a patch for a different version or you have existing patches, please raise a support ticket to obtain an updated patch; you should provide details of your existing patches when you raise the ticket to ensure we have the relevant details. See How do I use the patchinfo utility to check what patches are installed for PingAM or PingGateway? or How do I check what patches are installed for Ping Identity Platform products? for further information.
Issue #202301-01 - Improper Authorization (CWE-285) - (CVE-2022-3748)
Affected versions | AM 7.0.x, AM 7.1, AM 7.1.1, AM 7.1.2, AM 7.1.3 and AM 7.2 versions with the #202207 patch (downloaded from Backstage or a support provided custom patch). |
---|---|
Fixed versions | AM 7.1.4, AM 7.2.1, AM 7.3 and later versions |
Component | Core Server |
Severity | Critical |
Description:
A critical severity Improper Authorization (CWE-285) vulnerability has been discovered in some versions of AM that can lead to user account impersonation and takeover.
Mitigation:
None.
Resolution:
Please remove the previously installed #202207 patch (if downloaded prior to Feb 10, 2023) and apply the appropriate updated #202301 patch.
Change Log
The following table tracks changes to the security advisory:
Date | Description |
---|---|
June 6, 2024 | Added “and later versions” to the Fixed versions |
Sept 25, 2023 | Added AM 7.1.4 as a fixed version |
April 24, 2023 | Clarified which AM 7 versions are affected now some are fixed |
April 18, 2023 | Updated tags to improve search |
April 14, 2023 | Added CVE information |
April 13, 2023 | Made advisory available to everyone |
April 5, 2023 | Added fixed versions (AM 7.2.1, AM 7.3) |
February 10, 2023 | Added patches and updated content for AM 7.2.0, AM 7.1.3 and AM 7.1.2 |
February 6, 2023 | Expanded visibility of this advisory to all AM customers |
February 3, 2023 | Expanded affected versions from 7.0.0-7.1.2 to now include all versions of 7.x |
February 2, 2023 | Initial release |