ICF Security Advisory #202102
ForgeRock has discovered two security vulnerabilities in the Identity Connector Framework (ICF).
April 20, 2021
ForgeRock has discovered two Medium-level security vulnerabilities present in supported versions of Identity Connector Framework (ICF), part of Remote Connector Server (RCS)
This advisory provides guidance on how to ensure your deployments are properly secured.
Note
The vulnerabilities and upgrade only apply to the Java® version of RCS.
Customers can download the latest release of the
See How do I upgrade the Java Remote Connector Server (RCS) for Identity Cloud and IDM? for instructions on upgrading the RCS.
Issue #20210201
| Product | ICF |
|---|---|
| Affected versions | All prior to 1.5.20.0 |
| Fixed versions | 1.5.20.0 |
| Component | LDAP connector |
| Severity | Medium |
Description:
A weak cipher was used to generate random values.
Workaround:
None.
Resolution:
Upgrade to ICF 1.5.20.
Issue #20210202
| Product | ICF |
|---|---|
| Affected versions | All prior to 1.5.20.0 |
| Fixed versions | 1.5.20.0 |
| Component | Core Server |
| Severity | Medium |
Description:
The XML handler allowed insecure documents.
Workaround:
None.
Resolution:
Upgrade to ICF 1.5.20.
Change Log
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| September 28, 2022 | Fixed broken doc link |
| June 24, 2021 | Added a Security taxon to improve categorization |
| April 20, 2021 | Initial release |