Log4j Security Advisory #202111

Last updated Apr 18, 2023

The purpose of this advisory is to provide information on whether ForgeRock products (Identity Cloud, AM, DS, IDM, IG, Agents and Autonomous Identity) are vulnerable to the recent Log4j 2 vulnerabilities: RCE (Remote Code Execution) CVE-2021-44228, DoS (Denial of Service) CVE-2021-45046, DoS CVE-2021-45105 and ACE (Arbitrary Code Execution) CVE-2021-44832. In certain circumstances these vulnerabilities allow an attacker to execute code remotely or to cause a denial of service.

December 10, 2021

A number of vulnerabilities have recently been discovered that impact multiple versions of the Apache Log4j 2 utility: 

| Vulnerability | Severity Rating | CVSS Score | Affected Versions | Fixed Version | Other Information |
|---|---|---|---|---|---|
| CVE-2021-44228 | Critical | 10.0 | 2.0 to 2.14.1 | 2.15.0 | Disclosed publicly via the project's GitHub on December 9, 2021 |
| CVE-2021-45046 | Critical | 9.0 | 2.0 to 2.15.0 (excluding 2.12.2) | 2.16.0 | |
| CVE-2021-45105 | High | 7.5 | 2.0 to 2.16.0 | 2.17.0 | |
| CVE-2021-44832 | Medium | 6.6 | 2.0 to 2.17.0 (excluding 2.3.2 and 2.12.4) | 2.17.1 | |
| CVE-2019-17571 | Critical | 9.8 | 1.2 to 1.2.17 | None (Log4j 1.x is end of life) | Included with Apache Spark and Apache Livy |
| CVE-2021-4104 | High | 7.5 | 1.2 | None (Log4j 1.x is end of life) | Included with Apache Spark and Apache Livy |

Customers should check the CVEs for the latest vulnerable versions.

Note

New releases of Autonomous Identity that include Log4j 2.17 have been made available on December 22nd, 2021. 

The only ForgeRock product that utilizes Log4j is Autonomous Identity, which now has patched releases that remedy the three Critical and High vulnerabilities. None of the other currently supported ForgeRock products, including Identity Cloud, AM, DS, IDM, IG and Agents, are affected by these vulnerabilities. ForgeRock continues to actively investigate any other possible uses of this library but none are known at this time.

The SecurID authentication module uses the Log4j library (which is supplied by RSA but no longer supported). You should not use this module unless RSA provides a fixed version of this library. See RSA Customer Advisory: Apache Vulnerability | Log4j2 (CVE-2021-44228) for the latest information from RSA.

Customers are responsible for checking for any use of Log4j in their servlet/application container and any custom code (including Marketplace contributions) that they have deployed. 

ForgeRock products

All currently supported versions of the ForgeRock Identity Platform (AM, DS, IDM, IG & AM Agents) are not vulnerable to these Log4j issues because these products do not ship the Log4j library. Review Ping Identity Product Support Lifecycle Policy | PingAM, PingDS, PingIDM and IGA for details of currently supported versions.

Older, end of life, versions of the ForgeRock Identity Platform could be vulnerable. However, due to the age and lack of vendor support for libraries, they cannot be patched to ensure they are no longer vulnerable to the Log4j attacks.

| Product | Supported Versions | Vulnerable | Details |
|---|---|---|---|
| Autonomous Identity | 2020.10, 2021.3, 2021.8 | Yes | See below |
| AM | 6.x, 7.x | No | N/A |
| DS | 6.x, 7.x | No | N/A |
| IDM | 6.x, 7.x | No | N/A |
| IG | 6.x, 7.x | No | N/A |
| Agents | 5.x | No | N/A |

Autonomous Identity details

The newest releases address the following vulnerabilities: CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.

Release Notes:

Downloads:

Autonomous Identity does not use a JDBC appender for logging, which means it is not affected by CVE-2021-44832; that issue is only exploitable through a Log4j 2 JDBC Appender whose data source is resolved via JNDI, and only by someone who can modify the logging configuration.

NOTE: There are additional vulnerabilities in Log4j version 1 (CVE-2019-17571 and CVE-2021-4104) that are not patched in the above releases. See the section Log4j version 1 below for remediation instructions.

Recommendations

Autonomous Identity customers should update to the latest patch release (see release notes in the table above).

For standard installations of the ForgeRock Identity Platform (AM, DS, IDM, IG and Agents), you should check whether the servlet/application container you deploy into has any Log4j exposure by contacting the container vendor; this applies in particular to the container you install for AM. The default recommended container, Apache Tomcat, is not itself vulnerable as it does not use Log4j for its own logging (it uses java.util.logging through JULI). Web applications deployed into that container can still bundle their own copy of Log4j, which is why the checks below also apply.

For custom installations of the ForgeRock Identity Platform that include components that utilize either log4j or log4j-api libraries, you should:

  • Contact the component vendor for additional information.
  • Check to see if your servlet/application containers have any vulnerabilities by contacting the vendor of the container being used.
  • Follow the advice from Apache by upgrading your Log4j version(s) to 2.17.1 or later, or by implementing one of their mitigations as outlined here: Apache Log4j Security Vulnerabilities.

For older ForgeRock products that are no longer supported, we strongly recommend you upgrade to a newer, supported version.

Log4j version 1

The four Log4j 2 vulnerabilities above do not apply to Log4j 1. Log4j 1 is end of life and has its own issues, CVE-2019-17571 (deserialization of untrusted data in SocketServer) and CVE-2021-4104 (JNDI lookup in JMSAppender), which are only reachable when those components are in use or when an attacker can modify the logging configuration. Autonomous Identity contains third-party libraries that bundle Log4j version 1, namely Apache Spark 3.2 and Apache Livy, and these will not be updated by Apache. The bundled jars can instead be made safe by removing the vulnerable classes.

Follow these steps to remove the vulnerable classes from the Apache libraries:

  1. Ensure no analytics are running.
  2. Stop Apache Spark (repeat on all the Apache Spark nodes):
    1. Find the process id: ps aux | grep spark
    2. Kill the process: sudo kill <pid>
  3. Stop Apache Livy:
     /opt/autoid/apache-livy/apache-livy-0.8.0-incubating-SNAPSHOT-bin/bin/livy-server stop
  4. Run the following commands to remove the problematic classes from the jars (repeat on all the Apache Spark nodes):
     zip -d /opt/autoid/spark/spark-3.0.1-bin-hadoop2.7/jars/log4j-1.2.17.jar org/apache/log4j/net/SocketServer.class
     zip -d /opt/autoid/spark/spark-3.0.1-bin-hadoop2.7/jars/log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class
     zip -d /opt/autoid/apache-livy/apache-livy-0.8.0-incubating-SNAPSHOT-bin/jars/log4j-1.2.16.jar org/apache/log4j/net/SocketServer.class
     zip -d /opt/autoid/apache-livy/apache-livy-0.8.0-incubating-SNAPSHOT-bin/jars/log4j-1.2.16.jar org/apache/log4j/net/JMSAppender.class
  5. Start Apache Spark:
    • On the Master node: /opt/autoid/spark/spark-3.0.1-bin-hadoop2.7/sbin/start-master.sh -i {{ spark_master_ip }}
    • On Worker nodes: /opt/autoid/spark/spark-3.0.1-bin-hadoop2.7/sbin/start-slave.sh {{ spark_master_ip }}:7077
  6. Start Apache Livy:
     /opt/autoid/apache-livy/apache-livy-0.8.0-incubating-SNAPSHOT-bin/bin/livy-server start

The libraries implemented inside Autonomous Identity are not vulnerable. 
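As an added example (not ForgeRock's or Apache's code), the following Python script covers both checks this advisory asks of you: scanning a container or custom-code deployment for Log4j class files, as the Recommendations section requires (including jars nested inside wars), and removing the two Log4j 1 classes from a jar as the zip -d steps above do, then rescanning to verify. The directory layout, archive names and class-file stubs in demo() are constructed for the demonstration, and the zipfile-based rewrite in strip_classes() is a substitute for zip -d so that removal and verification can be done from one script.

```python
"""Added example (not ForgeRock or Apache code): find Log4j class files in a
deployment tree and strip the Log4j 1 classes the advisory names from a jar."""
import io
import os
import shutil
import tempfile
import zipfile

# Class files whose presence marks the code paths behind the CVEs in this advisory.
WATCHED_CLASSES = {
    "org/apache/log4j/core/lookup/JndiLookup.class",  # Log4j 2 JNDI lookup, CVE-2021-44228/-45046
    "org/apache/log4j/net/JMSAppender.class",         # Log4j 1, CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class",        # Log4j 1, CVE-2019-17571
}
LOG4J1_CLASSES = ("org/apache/log4j/net/JMSAppender.class", "org/apache/log4j/net/SocketServer.class")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label):
    """Return [(location, class_name)] for watched classes in archive bytes, descending
    into nested archives (a jar in a war's WEB-INF/lib is reported as 'app.war!/...')."""
    hits = []
    if not zipfile.is_zipfile(io.BytesIO(data)):  # not every .jar-suffixed entry is an archive
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name in WATCHED_CLASSES:
                hits.append((label, name))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                hits.extend(scan_archive(zf.read(name), label + "!/" + name))
    return hits

def scan_tree(root):
    """Scan every archive below a directory, e.g. a container's lib/ and webapps/ trees."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    hits.extend(scan_archive(fh.read(), path))
    return hits

def strip_classes(jar_path, classes=LOG4J1_CLASSES):
    """Rewrite jar_path without the named entries (the effect of `zip -d`) and return the
    set actually removed. The new jar is built beside the original and swapped in atomically."""
    removed = set()
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(os.path.abspath(jar_path)))
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename in classes:
                    removed.add(info.filename)
                    continue
                dst.writestr(info, src.read(info.filename))  # keeps timestamp and compression
        shutil.copymode(jar_path, tmp_path)
        os.replace(tmp_path, jar_path)
    finally:
        if os.path.exists(tmp_path):  # only true if the rebuild failed before the swap
            os.unlink(tmp_path)
    return removed

def _make_jar(path, entries):
    """Constructed sample archive for demo(); entries maps entry name -> bytes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)

def demo():
    """Build a constructed deployment tree, scan it, strip the Log4j 1 classes, rescan."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; the scan is name-based
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    try:
        # Stand-in for the Spark log4j-1.2.17.jar: Logger plus the two vulnerable classes.
        spark_jar = os.path.join(root, "spark", "jars", "log4j-1.2.17.jar")
        _make_jar(spark_jar, {"org/apache/log4j/Logger.class": stub, LOG4J1_CLASSES[0]: stub,
                              LOG4J1_CLASSES[1]: stub})
        # A custom webapp that bundles an unpatched log4j-core inside WEB-INF/lib.
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as zf:
            zf.writestr("org/apache/log4j/core/lookup/JndiLookup.class", stub)
        _make_jar(os.path.join(root, "webapps", "custom.war"),
                  {"WEB-INF/lib/log4j-core-2.14.1.jar": inner.getvalue()})
        before = scan_tree(root)
        removed = strip_classes(spark_jar)
        after = scan_tree(root)
        with zipfile.ZipFile(spark_jar) as zf:  # the rest of the jar must survive the strip
            logger_kept = "org/apache/log4j/Logger.class" in zf.namelist()
        return {"before": sorted(c for _, c in before), "removed": sorted(removed),
                "after": sorted(c for _, c in after), "logger_kept": logger_kept}
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real deployment, point scan_tree() at the container's lib and webapps directories and at the Autonomous Identity Spark and Livy jar directories. A hit on JndiLookup.class identifies a Log4j 2 core jar that needs upgrading to 2.17.1 or later (or one of Apache's documented mitigations); hits on the two Log4j 1 classes are the targets for strip_classes(), which must only be run with the JVMs that load the jar stopped, as in the procedure above. A name-based scan cannot see a copy of Log4j that a vendor has shaded (relocated) under a different package name, so treat a clean scan as one input, not as proof, and still ask the component vendor.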

See Also

CVE-2021-44228

CVE-2021-45046

CVE-2021-45105

CVE-2021-44832

CVE-2019-17571

CVE-2021-4104

Apache Log4j Security Vulnerabilities

Apache Log4j RCE – Variants and Updates

Change Log

The following table tracks changes to the advisory:

| Date | Description |
|---|---|
| April 18, 2023 | Updated tags to improve search |
| August 18, 2022 | Added instructions to remove vulnerable classes from log4j version 1 |
| January 5, 2022 | Updated to clarify that CVE-2021-44832 does not affect Autonomous Identity |
| January 4, 2022 | Updated to note new vulnerability (CVE-2021-44832) and advice to upgrade to Log4j version 2.17.1 |
| December 22, 2021 | Added new fixed versions to address CVE-2021-45105 & CVE-2021-45046 for Autonomous Identity; added section for Log4j1 to clarify its status |
| December 20, 2021 | Updated to note new vulnerability (CVE-2021-45105) and advice to upgrade to Log4j version 2.17.0 |
| December 16, 2021 | Added fixed versions and release notes for Autonomous Identity |
| December 15, 2021 | Updated to note new vulnerability (CVE-2021-45046) and advice to upgrade to Log4j version 2.16.0 |
| December 14, 2021 | Updated to provide clarity around supported versions and added recommendation for older unsupported versions |
| December 13, 2021 | Updated to note the SecurID authentication module and its use of the Log4j library; updated the Recommendations section to be more specific |
| December 10, 2021 | Initial release |
Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.