Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

Log4j Security Advisory #202111

Last updated Jan 5, 2022

The purpose of this advisory is to provide information on whether ForgeRock products (Identity Cloud, AM, DS, IDM, IG, Agents and Autonomous Identity) are vulnerable to recent Log4j 2 vulnerabilities: RCE (Remote Code Execution) CVE-2021-44228, DoS (Denial of Service) CVE-2021-45046, DoS CVE-2021-45105 and ACE (Arbitrary Code Execution) CVE-2021-44832. These vulnerabilities allow an attacker to remotely execute code in certain circumstances.



December 10, 2021

A number of vulnerabilities have recently been discovered that impact multiple versions of the Apache Log4j 2 utility: 

Vulnerability    Severity Rating  CVSS Score  Affected Versions                            Fixed Version  Other Information
CVE-2021-44228   Critical         10          2.0 to 2.14.1                                2.15.0         Disclosed publicly via the project’s GitHub on December 9, 2021
CVE-2021-45046   Critical         9           2.0 to 2.15.0 (excluding 2.12.2)             2.16.0
CVE-2021-45105   High             7.5         2.0 to 2.16.0                                2.17.0
CVE-2021-44832   Medium           6.6         2.0 to 2.17.0 (excluding 2.3.2 and 2.12.4)   2.17.1

Customers should check the CVEs for the latest vulnerable versions.

Note

New releases of Autonomous Identity that include Log4j 2.17 have been made available on December 22nd, 2021. 

The only ForgeRock product that utilizes Log4j is Autonomous Identity, which now has patched releases that remedy the three Critical and High vulnerabilities. None of the other currently supported ForgeRock products, including Identity Cloud, AM, DS, IDM, IG and Agents, are affected by these vulnerabilities. ForgeRock continues to actively investigate any other possible uses of this library but none are known at this time.

The SecurID authentication module uses the Log4j library (which is supplied by RSA but no longer supported). You should not use this module unless RSA provides a fixed version of this library. See RSA Customer Advisory: Apache Vulnerability | Log4j2 (CVE-2021-44228) for the latest information from RSA.

Customers are responsible for checking for any use of Log4j in their servlet/application container and any custom code (including Marketplace contributions) that they have deployed. 

ForgeRock products

All currently supported versions of the ForgeRock Identity Platform (AM, DS, IDM, IG and AM Agents) are not vulnerable to these Log4j issues, as ForgeRock does not ship this library. Review "Checking your product versions are supported" for details of currently supported versions.

Older, end of life, versions of the ForgeRock Identity Platform could be vulnerable. However, due to the age and lack of vendor support for libraries, they cannot be patched to ensure they are no longer vulnerable to the Log4j attacks.

Product               Supported Versions         Vulnerable  Details
Autonomous Identity   2020.10, 2021.3, 2021.8    Yes         The newest releases address the following vulnerabilities: CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105.
                                                             Release Notes:
                                                             Downloads:
                                                             Autonomous Identity does not use a JDBC appender for logging, which means it is not affected by CVE-2021-44832.
AM                    6.x, 7.x                   No          N/A
DS                    6.x, 7.x                   No          N/A
IDM                   6.x, 7.x                   No          N/A
IG                    6.x, 7.x                   No          N/A
Agents                5.x                        No          N/A

Recommendations

Autonomous Identity customers should update to the latest patch release (see release notes in the table above).

For standard installations of the ForgeRock Identity Platform (AM, DS, IDM, IG and Agents), you should check whether your servlet/application containers have any vulnerabilities by contacting the vendor of the container being used. In particular, the servlet/application container you install for deploying AM needs to be checked to make sure it is not vulnerable. The default recommended container, Apache Tomcat, is not vulnerable as it does not use Log4j.

For custom installations of the ForgeRock Identity Platform that include components that utilize either log4j or log4j-api libraries, you should:

  • Contact the component vendor for additional information.
  • Check whether your servlet/application containers have any vulnerabilities by contacting the vendor of the container being used.
  • Follow the advice from Apache by upgrading your Log4j version(s) to 2.17.1 or later, or by implementing one of their mitigations as outlined here: Apache Log4j Security Vulnerabilities.
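The checks recommended above (inventorying log4j-core in the servlet/application container and in any custom code you deploy, then comparing the version found against the table of affected ranges) can be scripted. The following is an added example written for this advisory; it is not ForgeRock or Apache code. It walks a deployment directory, opens every jar/war/ear (including jars nested inside a war's WEB-INF/lib), reads the log4j-core version from the jar's Maven pom.properties or, failing that, its file name, records whether the JndiLookup class is present, and maps the version to the CVEs using the ranges from the table above. The directory layout and the stand-in jars it builds are constructed purely to exercise the scanner; point scan() at your container's real lib/ and webapps/ directories instead.

```python
"""Inventory Log4j 2 archives under a deployment tree and map each version to the
CVEs in the advisory's table.  Added example (not ForgeRock code); the affected
ranges are taken from the table above and the sample jars/war are constructed in a
temporary directory purely to exercise the scanner."""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path

# (CVE, first affected, first fixed, versions explicitly excluded) from the advisory table.
AFFECTED = [
    ("CVE-2021-44228", (2, 0, 0), (2, 15, 0), ()),
    ("CVE-2021-45046", (2, 0, 0), (2, 16, 0), ((2, 12, 2),)),
    ("CVE-2021-45105", (2, 0, 0), (2, 17, 0), ()),
    ("CVE-2021-44832", (2, 0, 0), (2, 17, 1), ((2, 3, 2), (2, 12, 4))),
]
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); missing components are padded with 0."""
    nums = [int(m.group()) for m in (re.match(r"\d+", p) for p in text.strip().split(".")[:3]) if m]
    return tuple(nums + [0] * (3 - len(nums)))


def cves_for(version):
    """CVEs whose affected range (from the table) contains this log4j-core version."""
    return [cve for cve, first, fixed, exempt in AFFECTED
            if first <= version < fixed and version not in exempt]


def _version_from(zf, names, label):
    """Prefer the Maven pom.properties inside the jar; fall back to the file name."""
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    m = re.search(r"log4j-core-(\d+(?:\.\d+){1,2})\.jar$", label)
    return parse_version(m.group(1)) if m else None


def _scan_archive(fileobj, label):
    """Collect findings for one archive, recursing into nested jars (e.g. WEB-INF/lib in a war)."""
    findings = []
    try:
        zf = zipfile.ZipFile(fileobj)
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = _version_from(zf, names, label)
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append({"archive": label, "version": version, "jndi_lookup": has_jndi,
                             "cves": cves_for(version) if version else []})
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear")):
                findings.extend(_scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}"))
    return findings


def scan(root):
    """Walk a deployment directory (e.g. a container's lib/ and webapps/) and report Log4j 2 archives."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".jar", ".war", ".ear"):
            with open(path, "rb") as fh:
                findings.extend(_scan_archive(fh, str(path)))
    return findings


def _fake_log4j_core(version):
    """Constructed stand-in for a log4j-core jar: only the metadata the scanner looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only; not real bytecode
    return buf.getvalue()


def build_sample_deployment():
    """Constructed sample tree: a vulnerable jar in lib/, a fixed one nested in a war, and a non-Log4j jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "webapps"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "webapps", "custom.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _fake_log4j_core("2.17.1"))
    with zipfile.ZipFile(os.path.join(root, "lib", "other.jar"), "w") as other:
        other.writestr("com/example/Other.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    for f in scan(build_sample_deployment()):
        ver = ".".join(map(str, f["version"])) if f["version"] else "unknown"
        print(f'{f["archive"]}: log4j-core {ver}, JndiLookup present={f["jndi_lookup"]}, '
              f'{", ".join(f["cves"]) or "no CVEs from the table"}')
```

Reading the version from pom.properties rather than trusting the file name matters because shaded or renamed jars are common in custom deployments; the JndiLookup check is a secondary signal for archives whose version cannot be determined. A version outside the table's ranges means only that none of these four CVEs apply; it is not a statement about the rest of the archive.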

For older ForgeRock products that are no longer supported, we strongly recommend you upgrade to a newer, supported version.

Log4j 1

The vulnerabilities in this advisory do not apply to Log4j 1 versions. Per Apache Log4j Security Vulnerabilities:

Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

However, a new vulnerability, CVE-2021-4104, has been reported for Log4j 1.2, which is an issue if you have the JMSAppender configured. You should monitor this CVE for updates.
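Both of the configuration-dependent cases in this advisory turn on a specific appender being present: CVE-2021-44832 needs a Log4j 2 JDBC appender (the reason Autonomous Identity is not affected, as noted in the product table), and CVE-2021-4104 needs a Log4j 1.x JMSAppender. The following is an added example, not ForgeRock or Apache code, that checks a log4j2.xml document, a Log4j 2 properties-format file and a Log4j 1.x log4j.properties file for those appenders and reports which precondition is met. The sample configurations embedded in it are constructed for the demonstration; the appender names and the JNDI data source name in them are illustrative.

```python
"""Check logging configuration for the two appender preconditions this advisory names:
a Log4j 2 JDBC appender (CVE-2021-44832) and a Log4j 1.x JMSAppender (CVE-2021-4104).
Added example, not ForgeRock code; the sample configurations below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed log4j2.xml with a JDBC appender that obtains its connection via JNDI.
SAMPLE_LOG4J2_XML = """<Configuration status="warn">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <JDBC name="databaseAppender" tableName="APP_LOG">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDS"/>
      <Column name="EVENT_DATE" isEventTimestamp="true"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="stdout"/>
      <AppenderRef ref="databaseAppender"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Constructed Log4j 2 properties-format configuration with a JDBC appender.
SAMPLE_LOG4J2_PROPS = """status = warn
appender.console.type = Console
appender.console.name = stdout
appender.db.type = JDBC
appender.db.name = dbAppender
appender.db.tableName = APP_LOG
rootLogger.level = info
"""

# Constructed Log4j 1.x log4j.properties with a JMSAppender.
SAMPLE_LOG4J1_PROPS = """log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.TopicBindingName=logTopic
"""


def log4j2_xml_jdbc_appenders(xml_text):
    """Names of JDBC appenders in a log4j2.xml document (a <JDBC> element or type="JDBC")."""
    root = ET.fromstring(xml_text)
    names = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # tolerate a namespace prefix
        if tag.lower() == "jdbc" or el.get("type", "").lower() == "jdbc":
            names.append(el.get("name", "<unnamed>"))
    return names


def log4j2_props_jdbc_appenders(props_text):
    """Names of appenders declared with 'appender.<id>.type = JDBC' in a Log4j 2 properties file."""
    types, names = {}, {}
    for line in props_text.splitlines():
        m = re.match(r"\s*appender\.([^.=\s]+)\.(type|name)\s*=\s*(\S+)", line)
        if m:
            (types if m.group(2) == "type" else names)[m.group(1)] = m.group(3)
    return [names.get(ident, ident) for ident, t in types.items() if t.lower() == "jdbc"]


def log4j1_jms_appenders(props_text):
    """Appender names in a Log4j 1.x log4j.properties whose class is JMSAppender."""
    names = []
    for line in props_text.splitlines():
        m = re.match(r"\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)", line)
        if m and m.group(2).rsplit(".", 1)[-1] == "JMSAppender":
            names.append(m.group(1))
    return names


def assess(log4j2_xml=None, log4j2_props=None, log4j1_props=None):
    """Map each CVE whose configuration precondition is present to the appenders involved."""
    hits = {}
    jdbc = []
    if log4j2_xml:
        jdbc += log4j2_xml_jdbc_appenders(log4j2_xml)
    if log4j2_props:
        jdbc += log4j2_props_jdbc_appenders(log4j2_props)
    if jdbc:
        hits["CVE-2021-44832"] = jdbc
    if log4j1_props:
        jms = log4j1_jms_appenders(log4j1_props)
        if jms:
            hits["CVE-2021-4104"] = jms
    return hits


if __name__ == "__main__":
    for cve, appenders in assess(SAMPLE_LOG4J2_XML, SAMPLE_LOG4J2_PROPS, SAMPLE_LOG4J1_PROPS).items():
        print(f"{cve}: precondition met by appender(s) {', '.join(appenders)}")
```

An empty result from assess() means only that the configuration file does not declare the relevant appender; the library version still has to be checked separately, and a configuration loaded from a different location (a system property, a classpath resource inside a jar) must be inspected too. Removing or replacing the appender removes the precondition, but upgrading to the fixed version remains the advice in the recommendations above.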

See Also

CVE-2021-44228

CVE-2021-45046

CVE-2021-45105

CVE-2021-44832

Apache Log4j Security Vulnerabilities

Apache Log4j RCE – Variants and Updates

Change Log

The following table tracks changes to the advisory:

Date  Description
January 5, 2022 Updated to clarify that CVE-2021-44832 does not affect Autonomous Identity
January 4, 2022 Updated to note new vulnerability (CVE-2021-44832) and advice to upgrade to Log4j version 2.17.1
December 22, 2021 Added new fixed versions to address CVE-2021-45105 & CVE-2021-45046 for Autonomous Identity; added section for Log4j1 to clarify its status
December 20, 2021 Updated to note new vulnerability (CVE-2021-45105) and advice to upgrade to Log4j version 2.17.0
December 16, 2021 Add fixed versions and release notes for Autonomous Identity
December 15, 2021 Updated to note new vulnerability (CVE-2021-45046) and advice to upgrade to Log4j version 2.16.0
December 14, 2021 Updated to provide clarity around supported versions and added recommendation for older unsupported versions
December 13, 2021 Updated to note the SecurID authentication module and its use of the Log4j library; updated the Recommendations section to be more specific
December 10, 2021 Initial release

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.