Security Advisory

DS/OpenDJ Security Advisory #202001

Last updated May 19, 2020

ForgeRock has discovered two Medium-level security vulnerabilities and one Low-level security vulnerability present in supported versions of ForgeRock Directory Services (DS) and OpenDJ. The vulnerabilities also affect embedded DS/OpenDJ in AM 5.x, AM 6.x and OpenAM 13.x as well as IDM 6.x.



May 18, 2020

ForgeRock has discovered two Medium-level security vulnerabilities and one Low-level security vulnerability present in supported versions of DS and OpenDJ. The vulnerabilities also affect embedded DS/OpenDJ in AM 5.x, AM 6.x and OpenAM 13.x as well as IDM 6.x (for more information, see What versions of DS/OpenDJ are compatible with AM/OpenAM?). Unsupported and open sourced versions of OpenDJ may also be affected. See each issue below for details on the affected supported versions.

This advisory provides guidance on how to ensure your deployments are properly secured. Customers can download cumulative patches fixing this DS/OpenDJ advisory and all previous DS/OpenDJ security advisories for all supported versions of DS and OpenDJ from BackStage.

See How do I install a DS/OpenDJ patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.

Note

Customers with existing DS/OpenDJ patches must raise a ticket with ForgeRock support to obtain an updated patch: https://backstage.forgerock.com/support/tickets. If you do not have any patches or you only have an older security patch installed, you can just download the patch from BackStage.

Issue #202001-01: Proxy authorization can access inappropriate data

Product: ForgeRock Directory Services
Affected versions: DS 5.5.0, DS 5.5.1, DS 5.5.2, DS 5.5.3, DS 6.0.0, DS 6.5.0, DS 6.5.1, DS 6.5.2, DS 6.5.3
Fixed versions: N/A
Component: Core Server, Proxy Server
Severity: Medium

Description:

Accounts with the additional proxied-auth privilege, which are also allowed to use the proxy authorization controls, may be abused to access inappropriate entries and attributes in the server.

Configuration Workaround:

None.

Resolution:

Deploy the relevant patch.
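As an added defender-side check, not part of the advisory or ForgeRock's own code, the script below scans an LDIF export for accounts that directly hold the proxied-auth privilege (the precondition for this issue), so that set can be reviewed and kept minimal while the patch is rolled out. It assumes an export-ldif style dump of the user backends and uses a constructed sample; ds-privilege-name is the standard DS/OpenDJ privilege attribute.

```python
# Added example, not ForgeRock code; assumes an export-ldif dump of user backends.
import base64
from typing import Dict, List

# Constructed sample export (real ones come from export-ldif).
SAMPLE_LDIF = """\
dn: uid=app-svc,ou=services,dc=example,dc=com
objectClass: inetOrgPerson
ds-privilege-name: proxied-auth
ds-privilege-name: password-reset

dn: uid=bjensen,ou=people,dc=example,dc=com
objectClass: inetOrgPerson

dn: uid=legacy-sync,ou=services,dc=example,dc=com
objectClass: inetOrgPerson
ds-privilege-name:: cHJveGllZC1hdXRo
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: folded lines, '::' base64 values, '#' comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):    # base64-encoded attribute value
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(name.lower(), []).append(value.strip())
    return entries

def proxied_auth_holders(ldif_text: str) -> List[str]:
    """DNs whose ds-privilege-name grants proxied-auth; a leading '-' is the
    removal form. Root DN users and their defaults live in config, not here."""
    holders = []
    for e in parse_ldif(ldif_text):
        privs = {p.lower() for p in e.get("ds-privilege-name", [])}
        if "proxied-auth" in privs and "-proxied-auth" not in privs:
            holders.append(e["dn"][0])
    return holders
```

Accounts the script lists should also be checked against the ACIs that grant them the proxy right, since the privilege alone is only half of the precondition.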

Issue #202001-02: Replication recovery can cause account state inconsistencies

Product: ForgeRock Directory Services, OpenDJ
Affected versions: DS 5.0.0, DS 5.5.0, DS 5.5.1, DS 5.5.2, DS 5.5.3, DS 6.0.0, DS 6.5.0, DS 6.5.1, DS 6.5.2, DS 6.5.3, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3
Fixed versions: N/A
Component: Core Server
Severity: Medium

Description:

The normal replication recovery process fails to correctly replay all changes, which could cause divergences in the security state of user accounts across the replication topology.

Configuration Workaround:

None.

Resolution:

Deploy the relevant patch.

Issue #202001-03: Extended operations disclose account state

Product: ForgeRock Directory Services, OpenDJ
Affected versions: DS 5.0.0, DS 5.5.0, DS 5.5.1, DS 5.5.2, DS 5.5.3, DS 6.0.0, DS 6.5.0, DS 6.5.1, DS 6.5.2, DS 6.5.3, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3
Fixed versions: N/A
Component: Core Server
Severity: Low

Description:

The LDAP “Who Am I” (RFC 4532) and “Password Modify” (RFC 3062) extended operations do not correctly determine if the user can use any attached controls, which could lead to disclosure of the user’s account state.

Configuration Workaround:

None.

Resolution:

Deploy the relevant patch.

Change Log

The following table tracks changes to the security advisory:

Date: May 19, 2020. Description: Added "If you do not have any patches or you only have an older security patch installed, you can just download the patch from BackStage." to the note for clarity.
Date: May 18, 2020. Description: Initial release.


Copyright © 2020 ForgeRock, all rights reserved.