This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform.
A security vulnerability has been discovered in supported versions of AM. This vulnerability affects versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3; it also affects older unsupported versions: AM 5.x; OpenAM 9.x, 10.x, 11.x, 12.x and 13.x.
The maximum severity of the issue in this advisory is Critical.
This Security Advisory provides details on a workaround that you should apply immediately to secure your deployment.
Additionally, consult the document Technical Impact Assessment CVE-2021-35464, which provides more detailed information on the issue and on how to determine whether you have been impacted.
Details of a patch are also included, but
| Status | Versions |
|---|---|
| Affected versions | AM 5.x, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3; OpenAM 9.x, 10.x, 11.x, 12.x and 13.x |
| Fixed versions | AM 6.5.4, AM 7 |
An attacker may be able to achieve remote code execution by sending a specially crafted request to an exposed endpoint. Both workarounds below remove or block the path through which that endpoint is reached: the VersionServlet mapped at /ccversion/*.
You can secure your deployments using one of the following two options:
- WORKAROUND OPTION 1: Disable the VersionServlet mapping by commenting out the following section in the AM web.xml file (for Apache Tomcat™, for example, this file is located in the /path/to/tomcat/webapps/openam/WEB-INF directory):

  ```xml
  <servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
  </servlet-mapping>
  ```

  To comment out the above section, apply the following change to the web.xml file:

  ```xml
  <!--
  <servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
  </servlet-mapping>
  -->
  ```

  For Tomcat, restart the web application container to apply the change; for JBoss®, you must repack the AM war file with the updated web.xml file and redeploy it.
- WORKAROUND OPTION 2: Block access to the ccversion endpoint using a reverse proxy or other method. On Tomcat, ensure that the access rules cannot be bypassed using known path traversal issues (see Tomcat path traversal via reverse proxy mapping): Tomcat strips `;`-delimited path parameters from each URL segment and normalises `..` afterwards, so a proxy rule that only matches the literal string `/ccversion/` is not sufficient. After applying either workaround, verify from outside the proxy that the endpoint no longer answers.
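The following script is an added example, not ForgeRock code, for checking that the two workarounds above actually took effect. The first function parses a web.xml and reports whether any servlet-mapping still routes to VersionServlet or to /ccversion (a commented-out mapping is not an element, so it is not seen, which is the state option 1 produces). The second builds the URL variants a reverse-proxy rule for option 2 must also block, including the `..;/` path-parameter traversal the advisory links to, and `probe` fetches them. The host name `am.example.com`, the context path `/openam`, the second "HealthServlet" mapping and both web.xml fragments are constructed for illustration; the probe list is the editor's, not an exhaustive bypass catalogue.

```python
"""Verify the CVE-2021-35464 workarounds (added example; not ForgeRock code)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed web.xml fragments: before and after workaround option 1.
# A real web.xml carries many more servlets; HealthServlet is a placeholder.
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping>
    <servlet-name>HealthServlet</servlet-name>
    <url-pattern>/health/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

WEB_XML_AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping>
    <servlet-name>HealthServlet</servlet-name>
    <url-pattern>/health/*</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""


def _local(tag):
    """Strip the XML namespace: '{ns}servlet-mapping' -> 'servlet-mapping'."""
    return tag.rsplit("}", 1)[-1]


def version_servlet_mapped(web_xml_text):
    """True if web.xml still routes any URL to VersionServlet or maps /ccversion.

    ElementTree drops XML comments, so a mapping commented out as in
    workaround option 1 is invisible here, and the function returns False.
    """
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name = pattern = ""
        for child in elem:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                pattern = (child.text or "").strip()
        if name == "VersionServlet" or pattern.startswith("/ccversion"):
            return True
    return False


def bypass_candidates(origin, context="/openam"):
    """URLs a reverse-proxy block for /ccversion must also refuse (option 2).

    Tomcat removes ';'-delimited path parameters from each segment and
    normalises '..' afterwards, so a proxy matching only the literal
    '/ccversion/' string can be walked around with the variants below.
    """
    return [
        f"{origin}{context}/ccversion/Version",         # plain path
        f"{origin}{context}/ccversion/Version/",        # trailing slash
        f"{origin}{context}/ccversion;x=y/Version",     # path parameter on the segment
        f"{origin}{context}/x/..;/ccversion/Version",   # the ..;/ traversal
        f"{origin}{context}/%63cversion/Version",       # percent-encoded first byte
    ]


def probe(url, timeout=5):
    """Return the HTTP status the front door answers with, or None if unreachable."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def exposed(status):
    """A 2xx answer means the servlet was reached; anything else means blocked."""
    return status is not None and 200 <= status < 300


def check_reverse_proxy(origin, context="/openam"):
    """Probe every variant; returns {url: status} for the operator to review."""
    return {url: probe(url) for url in bypass_candidates(origin, context)}


if __name__ == "__main__":
    import sys
    print("sample before workaround, VersionServlet mapped:", version_servlet_mapped(WEB_XML_BEFORE))
    print("sample after workaround, VersionServlet mapped:", version_servlet_mapped(WEB_XML_AFTER))
    if len(sys.argv) > 1:  # e.g. python check_ccversion.py https://am.example.com
        for url, status in check_reverse_proxy(sys.argv[1]).items():
            print("EXPOSED" if exposed(status) else "blocked", status, url)
```

Run it with no arguments to see the web.xml check on the embedded samples, or pass the externally reachable origin of your deployment to probe the proxy; every line must print `blocked`. A `404` can come either from the proxy or from Tomcat itself once the mapping is removed, which is why the check treats only a 2xx answer as a failure.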
A single patch is available from BackStage; it can be deployed on the following versions:
- AM 6.5.3
- AM 6.5.2.x
- AM 6.5.1
- AM 6.5.0.x
- AM 6.0.0.x
The AM 6.5.3 patch works for all AM 6.x versions.
See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.
The following table tracks changes to the security advisory:

| Date | Change |
|---|---|
| October 19, 2021 | Added AM 6.5.4 as a fixed version |
| July 14, 2021 | Added instructions for JBoss |
| July 13, 2021 | Noted that this patch will overwrite console classes and listed out all affected versions |
| July 12, 2021 | Clarified that the workarounds work for older unsupported versions |
| July 9, 2021 | Added links to patches and added recommendation to immediately apply workarounds |
| July 8, 2021 | Added Technical Impact Assessment document |
| July 5, 2021 | Clarified that Tomcat needs to be restarted |
| June 29, 2021 | Initial release |