OpenSSL 3.0 vulnerability and ForgeRock products
The purpose of this article is to provide information on whether ForgeRock products (Identity Cloud, AM, DS, IDM, IG, Autonomous Identity and the SDKs) are vulnerable to the OpenSSL 3.0 vulnerability (CVE-2022-3602 and CVE-2022-3786). This vulnerability allows a buffer overrun to be triggered in X.509 certificate verification, which could result in a crash (causing a denial of service) or potentially remote code execution in certain circumstances.
2 readers recommend this article
ForgeRock products
The X.509 Email Address Buffer Overflow vulnerability (CVE-2022-3602 and CVE-2022-3786) has been reported in OpenSSL 3.0 versions and is fixed in OpenSSL 3.0.7. This vulnerability does not affect OpenSSL 1.1.1 or 1.0.2.
ForgeRock has assessed our products and can confirm we are not impacted, specifically:
- Identity Cloud, IDM and Autonomous Identity are not vulnerable because the only version of OpenSSL they use directly is version 1.x.
- AM and the SDKs are not vulnerable because they do not use OpenSSL.
- DS and IG are not vulnerable because they are pure Java applications and do not use OpenSSL.
However, underlying operating systems, containers and other infrastructure may well be vulnerable, so you should check your environments for OpenSSL 3.0 usage and upgrade as needed. For example, most Linux variants come with OpenSSL by default, and Apache Tomcat (which AM and IG can be deployed on) can be set up to use OpenSSL. These fixes will come from the vendors of your operating systems, containers and infrastructure rather than from ForgeRock.