AM Security Advisory #202110
Security vulnerabilities have been discovered in supported versions of Access Management (AM). These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.
Identity Cloud customers
This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform.
December 7, 2021
Security vulnerabilities have been discovered in supported versions of AM. These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0 and could be present in older unsupported versions.
The maximum severity of issues in this advisory is Critical.
Note
The advice is to upgrade or apply a patch to mitigate these issues. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.
Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.
Patches are available from Backstage for the following versions:
- AM 7.1.1 (a patch release; use it to secure AM 7.1.0)
- AM 7.0.2
- AM 6.5.3
- AM 6.5.2.3
- AM 6.5.1
- AM 6.5.0.2
- AM 6.0.0.7
- AM 5.5.2 *
* ForgeRock are providing a patch for AM 5.5.2 even though this is outside the scope of the Maintenance and Patch availability policy; please note that this action does not constitute a change to said policy.
See How do I install a PingAM (AM) patch supplied by Ping support? for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.
Issue #202110-01: Broken Access Control (CVE-2021-4201)
Affected versions | AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0 |
---|---|
Fixed versions | AM 6.5.4, AM 7.1.1 |
Component | Core Server |
Severity | Critical |
Description:
It may be possible to bypass some authentication controls and gain access to other users' session tokens.
Workaround:
Block or restrict access to the PLL servlet endpoints:
- /authservice
- /sessionservice
- /profileservice
- /policyservice
- /namingservice
- /loggingservice
These are legacy endpoints that are potentially used
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 patch release.
Reference:
Issue #202110-02: Cross Site Scripting (XSS)
Affected versions | AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0 |
---|---|
Fixed versions | AM 6.5.4, AM 7.1.1 |
Component | Core Server |
Severity | High |
Description:
AM is vulnerable to cross-site scripting (XSS) attacks via the oauth2/authorize endpoint, which could lead to session hijacking or phishing.
Workaround:
The oauth2/authorize endpoint is used in some OAuth2/OIDC flows and by AM Agents 5 and above. If the endpoint is not used in your deployment, block external requests to it; otherwise, protect it at the container (for example, using the mod_security Apache module) until the patch is deployed.
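The following Apache httpd 2.4 reverse-proxy fragment is an added example of both workarounds above (the PLL endpoint block for Issue #202110-01 and the request filtering for Issue #202110-02); it is not configuration from the advisory or from ForgeRock. It assumes a hypothetical layout: AM deployed under the /am context root behind an Apache proxy, no legacy clients that still need the PLL endpoints, and OAuth2/OIDC clients and AM Agents reaching the proxy only from 10.0.0.0/8. Adjust the context root, backend address and address range to your deployment.

```apache
# Added example (not from the advisory). Assumed: AM context root /am,
# backend http://am-backend:8080, no legacy PLL clients, internal clients
# on 10.0.0.0/8.
ProxyPreserveHost On
ProxyPass        /am http://am-backend:8080/am
ProxyPassReverse /am http://am-backend:8080/am

# Issue #202110-01 workaround: deny the PLL servlet endpoints outright.
# "^" anchors the match to the context root so unrelated paths are not hit;
# "(/|$)" also covers a trailing slash and any sub-path.
<LocationMatch "^/am/(authservice|sessionservice|profileservice|policyservice|namingservice|loggingservice)(/|$)">
    Require all denied
</LocationMatch>

# Issue #202110-02 workaround, only if external clients do not use the
# endpoint: restrict oauth2/authorize (including realm-qualified forms such
# as /am/oauth2/realms/root/authorize) to internal address ranges until the
# patch is deployed.
<LocationMatch "^/am/oauth2/(.+/)?authorize(/|$)">
    Require ip 10.0.0.0/8
</LocationMatch>
```

Both rules match Apache's normalized request path, so keep AllowEncodedSlashes at its default of Off so that percent-encoded slashes cannot produce a path that bypasses the pattern. After applying the configuration, confirm from an external address that each listed PLL path returns 403 and that oauth2/authorize is reachable only from the allowed range; the patch remains the recommended fix, and the filter is a stopgap, not a substitute.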
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 patch release.
The security advisory patch contains both a binary fix (which fixes known instances of the 202110-02 XSS issue) and a XUI fix (which includes additional hardening to help prevent any further XSS issues on this endpoint within the XUI).
If you have customized the XUI, you should apply the binary fix in the first instance (by removing the XUI directory from the patch before deploying it) and then you can apply the XUI fix to your XUI customizations by following the instructions in the README included in the advisory.
Acknowledgements
Critical issue #202110-01: Broken Access Control (CVE-2021-4201):
- Maxime Escourbiac (https://cert.michelin.com/)
- Maxence Schmitt (https://cert.michelin.com/)
Issue #202110-02: Cross Site Scripting (XSS):
- Thomas Dewaele
Change Log
The following table tracks changes to the security advisory:
Date | Description |
---|---|
June 11, 2024 | Added Thomas Dewaele to the Acknowledgments |
June 8, 2023 | Removed a broken link |
April 18, 2023 | Updated tags to improve search |
February 28, 2022 | Miscellaneous change to fix broken link |
February 15, 2022 | Added CVE-2021-4201 |
December 8, 2021 | Added clarification to Issue #202110-02 about XUI customizations |
December 7, 2021 | Initial release |