Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM Security Advisory #202104

Last updated Oct 19, 2021

A security vulnerability has been discovered in supported versions of Access Management (AM). This vulnerability affects versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3; it also affects older unsupported versions: AM 5.x; OpenAM 9.x, 10.x, 11.x, 12.x and 13.x. You should secure your deployments at the earliest opportunity as outlined in this security advisory. NOTE: This does not affect AM 7 and above.

Identity Cloud customers

This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform.

June 29, 2021

A security vulnerability has been discovered in supported versions of AM. This vulnerability affects versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3; it also affects older unsupported versions: AM 5.x; OpenAM 9.x, 10.x, 11.x, 12.x and 13.x.

The maximum severity of the issue in this advisory is Critical.

This Security Advisory provides details of workarounds that you should apply immediately to secure your deployment. These workarounds are suitable for all versions, including older unsupported ones.

Additionally, consult the Technical Impact Assessment CVE-2021-35464 document, which provides more detailed information on the issue and how to determine whether you have been impacted.

Details of a patch are also included, but we recommend you apply a workaround immediately as a first step.

Issue #202104-01 Remote Code Execution (CVE-2021-35464)

Affected versions

AM 5.x, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3

OpenAM 9.x, 10.x, 11.x, 12.x and 13.x

Fixed versions: AM 6.5.4, AM 7
Component: Core Server
Severity: Critical

Description:

An attacker may be able to achieve remote code execution by sending a specially crafted request to an exposed remote endpoint.

Workarounds:

You can secure your deployments using one of the following two options:

  • WORKAROUND OPTION 1: Disable the VersionServlet mapping by commenting out the following section in the AM web.xml file (for example, this file is located in the /path/to/tomcat/webapps/openam/WEB-INF directory for Apache Tomcat™):

    <servlet-mapping>
        <servlet-name>VersionServlet</servlet-name>
        <url-pattern>/ccversion/*</url-pattern>
    </servlet-mapping>

To comment out the above section, apply the following changes to the web.xml file:

    <!--
    <servlet-mapping>
        <servlet-name>VersionServlet</servlet-name>
        <url-pattern>/ccversion/*</url-pattern>
    </servlet-mapping>
    -->

For Tomcat, you can just restart the web application container to apply these changes; for JBoss®, you must repack the AM war file with the updated web.xml file and redeploy.

  • WORKAROUND OPTION 2: Block access to the ccversion endpoint using a reverse proxy or other method. On Tomcat, ensure that access rules cannot be bypassed using known path traversal issues (see Tomcat path traversal via reverse proxy mapping).
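The following script is an added example (not ForgeRock code) for verifying that WORKAROUND OPTION 1 actually took effect: it parses a web.xml, ignores anything wrapped in an XML comment, and reports whether an active servlet-mapping still routes /ccversion/* to VersionServlet. The sample web.xml fragments embedded below are constructed for the example.

```python
# Added example (not ForgeRock code): check whether an AM web.xml still
# routes /ccversion/* to VersionServlet, ignoring commented-out sections,
# so an admin can confirm WORKAROUND OPTION 1 before restarting/repacking.
import sys
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip a namespace prefix such as {http://...}servlet-mapping."""
    return tag.rsplit("}", 1)[-1]


def active_servlet_mappings(xml_text):
    """Map servlet-name -> [url-pattern, ...] for mappings still in force.
    Sections wrapped in <!-- --> are dropped by the parser, as intended."""
    mappings = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name, patterns = None, []
        for child in elem:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                patterns.append((child.text or "").strip())
        if name:
            mappings.setdefault(name, []).extend(patterns)
    return mappings


def version_servlet_exposed(xml_text):
    """True if an active mapping still sends a /ccversion path to VersionServlet."""
    patterns = active_servlet_mappings(xml_text).get("VersionServlet", [])
    return any(p.startswith("/ccversion") for p in patterns)


# Constructed samples: the mapping as shipped, and the same section commented out.
BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping><servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern></servlet-mapping>
</web-app>"""
AFTER = BEFORE.replace("<servlet-mapping>", "<!-- <servlet-mapping>").replace(
    "</servlet-mapping>", "</servlet-mapping> -->")

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BEFORE
    print("EXPOSED" if version_servlet_exposed(text) else "VersionServlet mapping disabled")
```

Run it against the deployed WEB-INF/web.xml (for example /path/to/tomcat/webapps/openam/WEB-INF/web.xml) after editing and again after the container restart or redeploy.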

Resolution:

A single patch is available from BackStage, which can be deployed on the following versions:

  • AM 6.5.3
  • AM 6.5.2.x
  • AM 6.5.1
  • AM 6.5.0.x
  • AM 6.0.0.x

The AM 6.5.3 patch works for all AM 6.x versions.

See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. Please note that this patch will overwrite console classes already in the WEB-INF/classes directory; this is expected. However, if you are still unsure whether you can successfully apply the patch to your environment, please raise a ticket with ForgeRock Support.

Change Log

The following table tracks changes to the security advisory:

Date  Description
October 19, 2021 Added AM 6.5.4 as a fixed version
July 14, 2021 Added instructions for JBoss
July 13, 2021 Noted that this patch will overwrite console classes and listed out all affected versions
July 12, 2021 Clarified that the workarounds work for older unsupported versions
July 9, 2021 Added links to patches and added recommendation to immediately apply workarounds
July 8, 2021 Added Technical Impact Assessment document 
July 5, 2021 Clarified that Tomcat needs to be restarted
June 29, 2021 Initial release

Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.