Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM Security Advisory #202110

Last updated Dec 8, 2021

Security vulnerabilities have been discovered in supported versions of Access Management (AM). These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.


Identity Cloud customers

This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform. 

December 7, 2021

Security vulnerabilities have been discovered in supported versions of AM. These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0 and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Critical.

Note

The advice is to upgrade or apply a patch to mitigate these issues. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

In accordance with ForgeRock’s Maintenance and Patch availability policy, patches are available from BackStage for the following versions:

* ForgeRock are providing a patch for AM 5.5.2 even though this is outside the scope of the Maintenance and Patch availability policy; please note that this action does not constitute a change to said policy.

See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.

Issue #202110-01: Broken Access Control

Affected versions: AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0
Fixed versions: AM 6.5.4, AM 7.1.1
Component: Core Server
Severity: Critical

Description:

It may be possible to bypass some authentication controls and gain access to other users' session tokens.

Workaround:

Block or restrict access to the PLL servlet endpoints:

  • /authservice
  • /sessionservice
  • /profileservice
  • /policyservice
  • /namingservice
  • /loggingservice

These are legacy endpoints that may be used by ssoadm, agents prior to version 5, and the OpenAM Java SDK (removed in AM 5.5.0). Additionally, in versions before AM 6, these endpoints may be used for AM crosstalk. If you know these components are in use, restrict access to the endpoints to a trusted network; otherwise, block them completely. For more information on blocking these endpoints, see the KB article Best practice for blocking the top level realm in a proxy for AM (All versions).

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 patch release.

Issue #202110-02: Cross Site Scripting (XSS)

Affected versions: AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0
Fixed versions: AM 6.5.4, AM 7.1.1
Component: Core Server
Severity: High

Description:

AM is vulnerable to cross-site scripting (XSS) attacks via the oauth2/authorize endpoint, which could lead to session hijacking or phishing.

Workaround:

The oauth2/authorize endpoint is used in some OAuth2/OIDC flows and by AM Agents 5 and above. Until a patch is deployed, you can protect the endpoint in front of AM (for example, with the mod_security module in an Apache reverse proxy), or block external requests to it entirely if your deployment does not use it.
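As an added example that is not part of this advisory or ForgeRock's own documentation, the two workarounds (the PLL servlet endpoints from Issue #202110-01 and the oauth2/authorize endpoint from Issue #202110-02) expressed as Apache httpd 2.4 reverse-proxy rules using mod_proxy, mod_authz_core and mod_authz_host. It assumes AM is deployed under the /am context path, that am-internal:8080 is the AM container, that sso.example.com is the public hostname, and that 10.0.0.0/8 is the trusted network from which ssoadm or pre-5 agents connect; all four are placeholders to be replaced.

```apache
# Added example, not from the advisory. Placeholders: /am context path,
# backend am-internal:8080, hostname sso.example.com, trusted net 10.0.0.0/8.
<VirtualHost *:443>
    ServerName sso.example.com
    # TLS directives omitted for brevity
    ProxyPreserveHost On
    ProxyPass        /am http://am-internal:8080/am
    ProxyPassReverse /am http://am-internal:8080/am

    # Issue #202110-01 workaround: the legacy PLL servlet endpoints are only
    # needed by ssoadm, pre-5 agents, the removed Java SDK and pre-AM 6
    # crosstalk. Prefix match, so sub-paths under each endpoint are covered.
    <LocationMatch "^/am/(authservice|sessionservice|profileservice|policyservice|namingservice|loggingservice)">
        # Those components are in use: trusted network only.
        Require ip 10.0.0.0/8
        # Not in use: block outright instead (swap for the line above).
        # Require all denied
    </LocationMatch>

    # Issue #202110-02 workaround, ONLY for deployments where no OAuth2/OIDC
    # flow and no AM agent 5+ uses this endpoint; otherwise leave it reachable
    # and patch. Left commented out so it is not enabled by copy-and-paste.
    # The regex also covers realm-qualified paths, e.g. /am/oauth2/realms/root/authorize.
    # <LocationMatch "^/am/oauth2/(.*/)?authorize$">
    #     Require all denied
    # </LocationMatch>
</VirtualHost>
```

Two checks before relying on this. First, if a load balancer sits in front of Apache, `Require ip` sees the load balancer's address unless mod_remoteip is configured to trust it, so test from a host outside the trusted network and confirm a 403 on each listed endpoint. Second, the regex matches the path as Apache sees it, while the servlet container canonicalises the request afterwards; confirm that forms such as encoded slashes or a path-parameter segment (for example /am/;x/authservice, which Tomcat collapses to /am/authservice) are also denied, adding a rule for them if not.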

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 patch release.

The security advisory patch contains both a binary fix (which fixes known instances of the 202110-02 XSS issue) and an XUI fix (which includes additional hardening to help prevent further XSS issues on this endpoint within the XUI).

If you have customized the XUI, you should apply the binary fix in the first instance (by removing the XUI directory from the patch before deploying it) and then you can apply the XUI fix to your XUI customizations by following the instructions in the README included in the advisory.

Acknowledgements

Maxime Escourbiac (https://cert.michelin.com/)

Maxence Schmitt (https://cert.michelin.com/)

Change Log

The following table tracks changes to the security advisory:

Date              Description
December 8, 2021  Added clarification to Issue #202110-02 about XUI customizations
December 7, 2021  Initial release

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.