AM Security Advisory #202104
A security vulnerability has been discovered in supported versions of Access Management (AM). This vulnerability affects versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3; it also affects older unsupported versions: AM 5.x; OpenAM 9.x, 10.x, 11.x, 12.x and 13.x. You should secure your deployments at the earliest opportunity as outlined in this security advisory. NOTE: This does not affect AM 7 and above.
Identity Cloud customers
This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform.
June 29, 2021
The maximum severity of the issue in this advisory is Critical.
This Security Advisory provides details on a workaround that you should apply immediately to secure your deployment.
Additionally, consult the Technical Impact Assessment CVE-2021-35464 document, which provides more detailed information on the issue and on how to determine whether you have been impacted.
Details of a patch are also included, but
Issue #202104-01 Remote Code Execution (CVE-2021-35464)
Affected versions | AM 5.x, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3; OpenAM 9.x, 10.x, 11.x, 12.x and 13.x |
---|---|
Fixed versions | AM 6.5.4, AM 7 |
Component | Core Server |
Severity | Critical |
Description:
An attacker may be able to achieve remote code execution by sending a specially crafted request to an exposed remote endpoint.
Workarounds:
You can secure your deployments using one of the following two options:
- WORKAROUND OPTION 1: Disable the VersionServlet mapping by commenting out the following section in the AM web.xml file (for example, this file is located in the /path/to/tomcat/webapps/openam/WEB-INF directory for Apache Tomcat™):

```xml
<servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
</servlet-mapping>
```

To comment out the above section, apply the following changes to the web.xml file:

```xml
<!--
<servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
</servlet-mapping>
-->
```

For Tomcat, you can just restart the web application container to apply these changes; for JBoss®, you must repack the AM war file with the updated web.xml file and redeploy.
- WORKAROUND OPTION 2: Block access to the ccversion endpoint using a reverse proxy or other method. On Tomcat, ensure that access rules cannot be bypassed using known path traversal issues: Tomcat path traversal via reverse proxy mapping.
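As an added verification check (not part of this advisory and not ForgeRock's or Ping's own tooling), the following Python script parses a web.xml and reports any servlet-mapping that still routes to VersionServlet or to /ccversion; because the XML parser discards comments, a mapping commented out as in workaround option 1 is no longer reported. The embedded web.xml samples are constructed for illustration, and ExampleServlet is a placeholder name.

```python
"""Check whether an AM web.xml still exposes VersionServlet (workaround option 1)."""
import sys
import xml.etree.ElementTree as ET


def active_ccversion_mappings(web_xml_text: str) -> list:
    """Return url-patterns of servlet-mappings that still route to VersionServlet
    or to /ccversion. ElementTree drops XML comments while parsing, so a
    mapping commented out as the advisory describes is not returned."""
    root = ET.fromstring(web_xml_text)
    found = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "servlet-mapping":  # strip the web-app namespace
            continue
        name = pattern = ""
        for child in elem:
            local = child.tag.split("}")[-1]
            if local == "servlet-name":
                name = (child.text or "").strip()
            elif local == "url-pattern":
                pattern = (child.text or "").strip()
        if name == "VersionServlet" or pattern.startswith("/ccversion"):
            found.append(pattern)
    return found


# Constructed sample: minimal web.xml before the workaround; ExampleServlet is a placeholder.
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ExampleServlet</servlet-name>
    <url-pattern>/example/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# The same sample with the VersionServlet mapping commented out, as the advisory instructs.
WEB_XML_AFTER = WEB_XML_BEFORE.replace(
    "  <servlet-mapping>\n    <servlet-name>VersionServlet",
    "  <!-- <servlet-mapping>\n    <servlet-name>VersionServlet",
).replace("/ccversion/*</url-pattern>\n  </servlet-mapping>",
          "/ccversion/*</url-pattern>\n  </servlet-mapping> -->")

if __name__ == "__main__":
    # Usage: python check_web_xml.py /path/to/tomcat/webapps/openam/WEB-INF/web.xml
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else WEB_XML_BEFORE
    active = active_ccversion_mappings(text)
    print("EXPOSED: " + ", ".join(active) if active else "OK: VersionServlet mapping not active")
```

Run it against the deployed web.xml after applying the workaround and before restarting or redeploying, so the check confirms the mapping is gone from the file that the container will actually load.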
Resolution:
A single patch is available from Backstage, which can be deployed on the following versions:
- AM 6.5.3
- AM 6.5.2.x
- AM 6.5.1
- AM 6.5.0.x
- AM 6.0.0.x
The AM 6.5.3 patch works for all AM 6.x versions.
See How do I install a PingAM (AM) patch supplied by Ping support? for further information on deploying the patch.
Change Log
The following table tracks changes to the security advisory:
Date | Description |
---|---|
April 18, 2023 | Updated tags to improve search |
October 19, 2021 | Added AM 6.5.4 as a fixed version |
July 14, 2021 | Added instructions for JBoss |
July 13, 2021 | Noted that this patch will overwrite console classes and listed out all affected versions |
July 12, 2021 | Clarified that the workarounds work for older unsupported versions |
July 9, 2021 | Added links to patches and added recommendation to immediately apply workarounds |
July 8, 2021 | Added Technical Impact Assessment document |
July 5, 2021 | Clarified that Tomcat needs to be restarted |
June 29, 2021 | Initial release |