DS Security Advisory #202108
Security vulnerabilities have been discovered in supported versions of Directory Services (DS). These vulnerabilities affect version 7.1.0 only and are not present in older versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.
Identity Cloud customers
This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform.
December 7, 2021
Security vulnerabilities have been discovered in supported versions of DS. These vulnerabilities affect version 7.1.0 only and are not present in older versions. These vulnerabilities also affect embedded DS versions in AM and IDM. Refer to What versions of DS are compatible with AM? and/or What versions of DS are compatible with IDM? for corresponding AM/IDM versions.
The maximum severity of issues in this advisory is Medium (CVSS 6.5).
Note
The advice is to upgrade or apply a patch to mitigate these issues. In one case, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.
Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.
In accordance with the ForgeRock Maintenance Release and Patch Policy, patches are available from BackStage for the following version:
See How do I install a DS patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.
Issue #202108-01: Trailing non-LDAP data on LDAPS connections causes server thread spin
| Affected versions | DS 7.1.0, AM 7.1.0, IDM 7.1.0 |
|---|---|
| Fixed versions | DS 7.1.1, AM 7.1.1, IDM 7.1.2 |
| Component | Core Server |
| Severity | Medium (CVSS 6.5) |
Description:
Trailing non-LDAP bytes sent by a client to the administration connector (default port 4444) or an LDAPS connection handler (default port 636) would cause a server thread to spin even after the connection was closed by the client.
ForgeRock has not identified any LDAP clients that cause this server bug, which is only known to be caused by certain SCAP scanners.
Workaround:
None.
Resolution:
Upgrade to a fixed version or deploy the relevant patch.
Issue #202108-02: TLS renegotiation causes server thread spin
| Affected versions | DS 7.1.0, AM 7.1.0, IDM 7.1.0 |
|---|---|
| Fixed versions | DS 7.1.1, AM 7.1.1, IDM 7.1.2 |
| Component | Core Server |
| Severity | Medium (CVSS 6.5) |
Description:
TLS renegotiation attempts sent by a client to the administration connector (default port 4444) or an LDAPS connection handler (default port 636) would cause a server thread to spin even after the connection was closed by the client.
ForgeRock has not identified any LDAP clients that cause this server bug, which is only known to be caused by certain SCAP scanners.
Workaround:
Because the TLS renegotiation feature was removed from TLS 1.3, a workaround is to enable only TLS 1.3 on the administration connector and any LDAPS connection handlers.
Resolution:
Upgrade to a fixed version or deploy the relevant patch.
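As an added example (not ForgeRock tooling and not part of the original advisory), the following Python script verifies that the workaround for Issue #202108-02 is actually in effect on a listener: it offers the server exactly one TLS version per handshake and reports whether anything older than TLS 1.3 is still accepted. The host name, the script file name and the default ports in the usage comment are assumptions; only TLS 1.2 and TLS 1.3 are probed, because many client OpenSSL builds refuse to offer TLS 1.0/1.1 at all, which would look like a server-side rejection.

```python
"""Check whether a DS listener (administration connector or LDAPS handler)
accepts only TLS 1.3, as the Issue #202108-02 workaround requires.
Added example, not ForgeRock code."""
import socket
import ssl
import sys

# Versions to probe. TLS 1.0/1.1 are deliberately omitted: a client-side
# refusal to offer them is indistinguishable from a server rejection.
PROBES = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_version(host, port, version, timeout=5.0):
    """Offer exactly one TLS version to host:port.

    Returns True if the server completes a handshake at that version and
    False if it refuses or the connection fails. Certificate verification is
    disabled on purpose: only protocol negotiation is being tested here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def assess(results):
    """Given {version_name: accepted}, decide whether only TLS 1.3 is accepted."""
    if not results.get("TLSv1.3"):
        return "TLS 1.3 not accepted: fix the listener configuration before disabling older protocols"
    older = sorted(v for v, accepted in results.items() if accepted and v != "TLSv1.3")
    if older:
        return "older protocols still accepted (" + ", ".join(older) + "): workaround not in place"
    return "only TLS 1.3 accepted: workaround in place"


def check_listener(host, port):
    """Probe every version in PROBES against one listener and return (results, verdict)."""
    results = {name: probe_tls_version(host, port, ver) for name, ver in PROBES.items()}
    return results, assess(results)


if __name__ == "__main__":
    # Usage (host name and ports are assumptions):
    #   python check_tls13_only.py ds.example.com 4444 636
    if len(sys.argv) < 2:
        sys.exit("usage: check_tls13_only.py HOST [PORT ...]")
    target = sys.argv[1]
    for port in sys.argv[2:] or ["4444", "636"]:
        results, verdict = check_listener(target, int(port))
        print(f"{target}:{port} {results} -> {verdict}")
```

Run it against the administration connector and each LDAPS connection handler after changing the configuration: a listener that still completes a TLS 1.2 handshake still has renegotiation available and is not covered by the workaround. Before restricting a listener to TLS 1.3, confirm that every client and replication peer that connects to it supports TLS 1.3, since the change is a protocol downgrade refusal, not a transparent one.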
Change Log
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| March 2, 2022 | Added IDM 7.1.2 as a fixed version |
| December 7, 2021 | Initial release |