DS/OpenDJ Security Advisory #202001
ForgeRock has discovered two Medium-level security vulnerabilities and one Low-level security vulnerability present in supported versions of ForgeRock Directory Services (DS) and OpenDJ. The vulnerabilities also affect embedded DS/OpenDJ in AM 5.x, AM 6.x and OpenAM 13.x as well as IDM 6.x.
5 readers recommend this article
May 18, 2020
ForgeRock has discovered two Medium-level security vulnerabilities and one Low-level security vulnerability present in supported versions of DS and OpenDJ. The vulnerabilities also affect embedded DS/OpenDJ in AM 5.x, AM 6.x and OpenAM 13.x as well as IDM 6.x (for more information, see What versions of DS/OpenDJ are compatible with AM/OpenAM?). Unsupported and open sourced versions of OpenDJ may also be affected. See each issue below for details on the affected supported versions.
This advisory provides guidance on how to ensure your deployments are properly secured. Customers can download cumulative patches fixing this DS/OpenDJ advisory and all previous DS/OpenDJ security advisories for all supported versions of DS and OpenDJ from BackStage.
See How do I install a DS/OpenDJ patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.
Note
Customers with existing DS/OpenDJ patches must raise a ticket with ForgeRock support to obtain an updated patch: https://backstage.forgerock.com/support/tickets. If you do not have any patches or you only have an older security patch installed, you can just download the patch from BackStage.
Issue #202001-01: Proxy authorization can access inappropriate data
| Product | ForgeRock Directory Services |
|---|---|
| Affected versions | DS 5.5.0, DS 5.5.1, DS 5.5.2, DS 5.5.3, DS 6.0.0, DS 6.5.0, DS 6.5.1, DS 6.5.2, DS 6.5.3 |
| Fixed versions | DS 6.5.4, DS 7 |
| Component | Core Server, Proxy Server |
| Severity | Medium |
Description:
Accounts with the additional proxied-auth privilege, which are also allowed to use the proxy authorization controls, may be abused to access inappropriate entries and attributes in the server.
Configuration Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch.
Issue #202001-02: Replication recovery can cause account state inconsistencies
| Product | ForgeRock Directory Services, OpenDJ |
|---|---|
| Affected versions | DS 5.0.0, DS 5.5.0, DS 5.5.1, DS 5.5.2, DS 5.5.3, DS 6.0.0, DS 6.5.0, DS 6.5.1, DS 6.5.2, DS 6.5.3, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3 |
| Fixed versions | DS 6.5.4, DS 7 |
| Component | Core Server |
| Severity | Medium |
Description:
The normal replication recovery process fails to correctly replay all changes, which could cause divergences in the security state of user accounts across the replication topology.
Configuration Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch.
Issue #202001-03: Extended operations disclose account state
| Product | ForgeRock Directory Services, OpenDJ |
|---|---|
| Affected versions | DS 5.0.0, DS 5.5.0, DS 5.5.1, DS 5.5.2, DS 5.5.3, DS 6.0.0, DS 6.5.0, DS 6.5.1, DS 6.5.2, DS 6.5.3, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3 |
| Fixed versions | DS 6.5.4, DS 7 |
| Component | Core Server |
| Severity | Low |
Description:
The LDAP “Who Am I” (RFC 4532) and “Password Modify” (RFC 3062) extended operations do not correctly determine if the user can use any attached controls, which could lead to disclosure of the user’s account state.
Configuration Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch.
Change Log
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| Sept 16 2020 | Added DS 6.5.4 as fixed versions for these issues. |
| Sept 1, 2020 | Added DS 7 as fixed versions for these issues. |
| May 19, 2020 | Added "If you do not have any patches or you only have an older security patch installed, you can just download the patch from BackStage." to note for clarity. |
| May 18, 2020 | Initial release |