Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

DS Security Advisory #202108

Last updated Mar 2, 2022

Security vulnerabilities have been discovered in supported versions of Directory Services (DS). These vulnerabilities affect version 7.1.0 only and are not present in older versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.



Identity Cloud customers

This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform. 

December 7, 2021

Security vulnerabilities have been discovered in supported versions of DS. These vulnerabilities affect version 7.1.0 only and are not present in older versions. These vulnerabilities also affect embedded DS versions in AM and IDM. Refer to What versions of DS are compatible with AM? and/or What versions of DS are compatible with IDM? for corresponding AM/IDM versions.

The maximum severity of issues in this advisory is Medium (CVSS 6.5).

Note

The advice is to upgrade or apply a patch to mitigate these issues. For one issue (#202108-02) a workaround is given, which may be suitable in the short term, but an upgrade to the latest version is the recommended approach.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

In accordance with ForgeRock's Maintenance Release Policy, patches are available from BackStage for the following version:

See How do I install a DS patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.

Issue #202108-01: Trailing non-LDAP data on LDAPS connections causes server thread spin

Affected versions: DS 7.1.0, AM 7.1.0, IDM 7.1.0
Fixed versions: DS 7.1.1, AM 7.1.1, IDM 7.1.2
Component: Core Server
Severity: Medium (CVSS 6.5)

Description:

Trailing non-LDAP bytes sent by a client to the administration connector (default port 4444) or to an LDAPS connection handler (default port 636) cause a server thread to spin, and the thread keeps spinning after the client has closed the connection.

ForgeRock has not identified any LDAP clients that trigger this bug; it is only known to be triggered by certain SCAP scanners.
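Both issues in this advisory show up the same way on the server: one JVM thread stays at full CPU after the client that caused it has disconnected. The helpers below are an added example, not ForgeRock tooling or part of the advisory. They assume Linux, a JDK that ships jcmd, and a known DS server pid; the thread-dump excerpt is constructed, and its thread names are illustrative rather than copied from a real DS dump.

```shell
#!/bin/sh
# Added example (not ForgeRock's): confirm that a DS thread is spinning and
# identify it in a JVM thread dump. Assumes Linux, jcmd on the PATH, and that
# the DS server pid is known.

# Convert a native thread id (as shown by top -H or ps -L) into the hex
# "nid=0x..." form that JVM thread dumps use.
tid_to_nid() {
    printf '0x%x\n' "$1"
}

# Print the header line of the thread with the given nid from a thread dump
# read on stdin. The boundary check stops 0x303 from matching 0x3039.
thread_by_nid() {
    grep -E "nid=$1([^0-9a-fA-F]|\$)" || true
}

# Busiest native thread of a process, from one batch sample of top -H
# (top sorts by CPU, so the first data row after the header is the busiest).
busiest_tid() {
    top -H -b -n 1 -p "$1" | awk 'found && NF > 0 { print $1; exit } /^ *PID /{ found = 1 }'
}

# Live check: sample twice a few seconds apart. A thread that stays the
# busiest after the offending client has gone is the spinning one; print its
# dump header so the connection handler it belongs to can be read off.
diagnose_spin() {
    pid=$1
    first=$(busiest_tid "$pid")
    sleep 5
    second=$(busiest_tid "$pid")
    if [ "$first" != "$second" ]; then
        echo "busiest thread changed ($first -> $second); no persistent spin seen"
        return 1
    fi
    nid=$(tid_to_nid "$second")
    echo "thread $second ($nid) is persistently busiest:"
    jcmd "$pid" Thread.print | thread_by_nid "$nid"
}

# Constructed thread-dump excerpt (illustrative thread names, not a real DS
# dump) so the helpers can be exercised without a server.
SAMPLE_DUMP='"main" #1 prio=5 os_prio=0 cpu=1.23ms elapsed=10.00s tid=0x00007f0000001000 nid=0x3038 waiting on condition  [0x00007f0000002000]
"LDAPS 0.0.0.0 port 636(1) SelectorRunner" #42 daemon prio=5 os_prio=0 cpu=1000.00ms elapsed=10.00s tid=0x00007f0000003000 nid=0x3039 runnable  [0x00007f0000004000]
"Administration Connector 0.0.0.0 port 4444(1) SelectorRunner" #43 daemon prio=5 os_prio=0 cpu=0.50ms elapsed=10.00s tid=0x00007f0000005000 nid=0x303a runnable  [0x00007f0000006000]'

# Native tid 12345 is nid 0x3039: look it up in the constructed dump.
printf '%s\n' "$SAMPLE_DUMP" | thread_by_nid "$(tid_to_nid 12345)"
```

Against a live server, run `diagnose_spin <ds-pid>` after the scanner or client has disconnected; a header line naming a port-636 or port-4444 selector thread that is still the busiest thread matches the behaviour this advisory describes.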

Workaround:

None.

Resolution:

Upgrade to a fixed version or deploy the relevant patch.

Issue #202108-02: TLS renegotiation causes server thread spin

Affected versions: DS 7.1.0, AM 7.1.0, IDM 7.1.0
Fixed versions: DS 7.1.1, AM 7.1.1, IDM 7.1.2
Component: Core Server
Severity: Medium (CVSS 6.5)

Description:

TLS renegotiation attempts sent by a client to the administration connector (default port 4444) or to an LDAPS connection handler (default port 636) cause a server thread to spin, and the thread keeps spinning after the client has closed the connection.

ForgeRock has not identified any LDAP clients that trigger this bug; it is only known to be triggered by certain SCAP scanners.

Workaround:

Because renegotiation was removed from TLS 1.3, a workaround is to enable only TLS 1.3 on the administration connector and on any LDAPS connection handlers. Before doing so, confirm that every client of those ports (AM, IDM, replication peers using the administration connector, monitoring tools and scanners) can negotiate TLS 1.3; clients that cannot will be locked out.
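Applying the workaround and then checking from a client that renegotiation-capable TLS 1.2 sessions are no longer reachable, as an added example that is not ForgeRock's own procedure. It assumes the DS 7 `ssl-protocol` property on the administration connector and on the connection handler named `LDAPS` (the default name), dsconfig connection options that are placeholders for your deployment, and `openssl s_client` as the probe; the two s_client excerpts at the bottom are constructed, not captured.

```shell
#!/bin/sh
# Added example (not ForgeRock's): restrict the DS administration connector
# and LDAPS handler to TLS 1.3, then verify from the outside. Connection
# options are placeholders; adjust them to your deployment.

DS_HOST="${DS_HOST:-localhost}"
DS_ADMIN_PORT="${DS_ADMIN_PORT:-4444}"
DS_LDAPS_PORT="${DS_LDAPS_PORT:-636}"
DS_BIND_DN="${DS_BIND_DN:-uid=admin}"
DS_BIND_PW_FILE="${DS_BIND_PW_FILE:-/path/to/admin.pwd}"           # placeholder
DS_TRUSTSTORE="${DS_TRUSTSTORE:-/path/to/opendj/config/keystore}"   # placeholder
DS_TRUSTSTORE_PIN="${DS_TRUSTSTORE_PIN:-/path/to/opendj/config/keystore.pin}"

# Set ssl-protocol to TLSv1.3 only. --set replaces the current value list,
# so any TLSv1.2 entry is dropped. Read the dsconfig output: some
# connection-handler changes only take effect after a restart.
restrict_to_tls13() {
    for target in \
        "set-administration-connector-prop" \
        "set-connection-handler-prop --handler-name LDAPS"
    do
        # shellcheck disable=SC2086
        dsconfig $target \
            --hostname "$DS_HOST" --port "$DS_ADMIN_PORT" \
            --bindDN "$DS_BIND_DN" --bindPasswordFile "$DS_BIND_PW_FILE" \
            --usePkcs12TrustStore "$DS_TRUSTSTORE" \
            --trustStorePassword:file "$DS_TRUSTSTORE_PIN" \
            --set ssl-protocol:TLSv1.3 \
            --no-prompt
    done
}

# Reduce one openssl s_client transcript (stdin) to: did the handshake
# complete, which protocol was negotiated, and is renegotiation offered.
# A failed handshake shows up as "Cipher is (NONE)".
summarise_s_client() {
    awk '
        /^New, .*Cipher is/                     { cipher = $NF }
        /^ *Protocol *:/                        { proto = $NF }
        /Secure Renegotiation IS supported/     { reneg = "supported" }
        /Secure Renegotiation IS NOT supported/ { reneg = "not-supported" }
        END {
            status = (cipher == "" || cipher == "(NONE)") ? "failed" : "ok"
            printf "handshake=%s protocol=%s renegotiation=%s\n", status,
                   (proto == "" ? "none" : proto), (reneg == "" ? "unknown" : reneg)
        }'
}

# Probe one port with a fixed protocol version flag (-tls1_2 or -tls1_3).
probe_tls() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | summarise_s_client
}

# After restrict_to_tls13, both ports must refuse TLS 1.2 and accept TLS 1.3:
#   probe_tls "$DS_HOST" "$DS_LDAPS_PORT" -tls1_2   -> handshake=failed ...
#   probe_tls "$DS_HOST" "$DS_ADMIN_PORT" -tls1_3   -> handshake=ok protocol=TLSv1.3 renegotiation=not-supported

# Constructed s_client excerpts (not captured output) to exercise the parser.
SAMPLE_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

SAMPLE_TLS12_REFUSED='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

SAMPLE_TLS12_OPEN='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

printf '%s\n' "$SAMPLE_TLS13" | summarise_s_client
printf '%s\n' "$SAMPLE_TLS12_REFUSED" | summarise_s_client
```

On an unpatched DS 7.1.0 that still offers TLS 1.2, the `-tls1_2` probe reports `handshake=ok ... renegotiation=supported`, which is exactly the surface this issue concerns. Once the workaround is in place the same probe must report `handshake=failed`, and the `-tls1_3` probe `handshake=ok protocol=TLSv1.3 renegotiation=not-supported`. Probe the administration connector as well as every LDAPS handler, since the advisory names both.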

Resolution:

Upgrade to a fixed version or deploy the relevant patch.

Change Log

The following table tracks changes to the security advisory:

Date  Description
March 2, 2022 Added IDM 7.1.2 as a fixed version
December 7, 2021 Initial release

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.