Security Advisory
ForgeRock Identity Platform
ForgeRock Identity Cloud

ICF Security Advisory #202102

Last updated Sep 28, 2022

ForgeRock has discovered two security vulnerabilities in the Identity Connector Framework (ICF).


April 20, 2021

ForgeRock has discovered two Medium-level security vulnerabilities in supported versions of the Identity Connector Framework (ICF), which is part of the Remote Connector Server (RCS) implementation.

This advisory provides guidance on how to ensure your deployments are properly secured. The recommendation is to update ICF to version 1.5.20.0. The ICF is updated by upgrading the RCS.

Note

The vulnerabilities and upgrade only apply to the Java® version of RCS.

Customers can download the latest release of the Java RCS from Backstage.

See "How do I upgrade the Java Remote Connector Server (RCS) for Identity Cloud and IDM?" for instructions on upgrading the RCS.

Issue #20210201

Product: ICF
Affected versions: All prior to 1.5.20.0
Fixed versions: 1.5.20.0
Component: LDAP connector
Severity: Medium

Description:

A weak cipher was used to generate random values.

Workaround:

None.

Resolution:

Upgrade to ICF 1.5.20.

Issue #20210202

Product: ICF
Affected versions: All prior to 1.5.20.0
Fixed versions: 1.5.20.0
Component: Core Server
Severity: Medium

Description:

The XML handler allowed insecure documents.

Workaround:

None.

Resolution:

Upgrade to ICF 1.5.20.

Change Log

The following table tracks changes to the security advisory:

Date                Description
September 28, 2022  Fixed broken doc link
June 24, 2021       Added a Security taxon to improve categorization
April 20, 2021      Initial release

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.