Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM Security Advisory #202106

Last updated Oct 19, 2021

Security vulnerabilities have been discovered in supported versions of Access Management (AM). These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.


Identity Cloud customers

This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to the ForgeRock Identity Cloud.

August 5, 2021

Security vulnerabilities have been discovered in supported versions of AM. These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Critical.

Note

The advice is to upgrade or apply a patch to mitigate these issues. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone from trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

In accordance with the ForgeRock Maintenance Release and Patch Policy, patches are available from BackStage for the following versions:

* ForgeRock are providing patches for #202106-01 and #202106-03 on AM 5.5.2 even though this is outside the scope of the Maintenance and Patch availability policy; please note that this action does not constitute a change to said policy.

See How do I install an AM patch (All versions) supplied by ForgeRock support? and the embedded README for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.

Issue #202106-01: XML injection vulnerability (CVE-2021-37154)

Affected versions: AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1
Fixed versions: AM 6.5.4, AM 7.0.2, AM 7.1.0
Component: Core Server
Severity: Critical

Description:

A crafted XML document can be used to inject additional XML and thereby create fraudulent SAML 2.0 assertions.

Workaround:

None.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.0.0 and 7.0.1 is provided in the AM 7.0.2 patch release.

Issue #202106-02: Broken Authentication (CVE-2021-37153)

Affected versions: AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1
Fixed versions: AM 6.5.4, AM 7.0.2, AM 7.1.0
Component: Core Server
Severity: High

Description:

It may be possible to bypass authentication checks on some trees where Active Directory® is the Identity Store.

Workaround:

You can use one of the following workarounds to mitigate this issue:

  • Do not use a Zero Page Login Collector node when Active Directory is the Identity Store.
  • Disable unauthenticated binds in Active Directory (this option is available in Microsoft® Windows® Server 2019 and later).
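The second workaround is a single forest-wide setting in the Active Directory Configuration partition. The PowerShell below is added here as an illustration; it is not part of this advisory and not ForgeRock code. It assumes the RSAT ActiveDirectory module on the management host, rights to modify the Configuration partition, and the Windows Server 2019 mechanism for this setting (the DenyUnauthenticatedBind entry in msDS-Other-Settings on the Directory Service object); the build-number threshold used to flag older domain controllers is likewise the example's own.

```powershell
# Added example for the second #202106-02 workaround; not from the ForgeRock advisory.
# Disables LDAP unauthenticated binds (a simple bind carrying a DN but an empty
# password) on Active Directory by adding DenyUnauthenticatedBind=1 to the
# msDS-Other-Settings attribute of the Directory Service object.
# Assumptions: RSAT ActiveDirectory module present, caller may modify the
# Configuration partition, Windows Server 2019 mechanism in use.
Import-Module ActiveDirectory

# The Configuration partition is forest-wide, so this object and the setting are too.
$rootDse  = Get-ADRootDSE
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"

# Caveat: only domain controllers running Windows Server 2019 (build 17763) or later
# enforce the setting. Older DCs in the forest keep accepting unauthenticated binds,
# so list them first; AM's identity-store connection may land on any DC in the pool.
$legacyDcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain | Where-Object {
        $_.OperatingSystemVersion -match '\((\d+)\)' -and [int]$Matches[1] -lt 17763
    }
}
if ($legacyDcs) {
    Write-Warning ("DCs that will NOT enforce DenyUnauthenticatedBind: " +
        (($legacyDcs | ForEach-Object { "$($_.HostName) [$($_.OperatingSystem)]" }) -join ', '))
}

# msDS-Other-Settings is multi-valued (other Name=Value entries such as
# DynamicObjectDefaultTTL live there), so add or remove individual values with
# -Add / -Remove rather than -Replace, which would clobber the other entries.
$settings = (Get-ADObject -Identity $dsObject -Properties 'msDS-Other-Settings').'msDS-Other-Settings'

if ($settings -contains 'DenyUnauthenticatedBind=0') {
    Set-ADObject -Identity $dsObject -Remove @{ 'msDS-Other-Settings' = 'DenyUnauthenticatedBind=0' }
}
if ($settings -notcontains 'DenyUnauthenticatedBind=1') {
    Set-ADObject -Identity $dsObject -Add @{ 'msDS-Other-Settings' = 'DenyUnauthenticatedBind=1' }
}

# Read the value back from the DC that took the write; other DCs see it after replication.
$after = (Get-ADObject -Identity $dsObject -Properties 'msDS-Other-Settings').'msDS-Other-Settings'
if ($after -contains 'DenyUnauthenticatedBind=1') {
    Write-Output "DenyUnauthenticatedBind=1 is set on $dsObject"
} else {
    Write-Error "Failed to set DenyUnauthenticatedBind on $dsObject"
}
```

Because the setting is honoured per domain controller, it only mitigates this issue once every DC that AM's identity store can reach is at Windows Server 2019 or later; where that is not the case, the first workaround (not using a Zero Page Login Collector node against an Active Directory identity store) does not depend on the directory at all.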

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.0.0 and 7.0.1 is provided in the AM 7.0.2 patch release.

Issue #202106-03: Account Enumeration

Affected versions: AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1
Fixed versions: AM 6.5.4, AM 7.0.2, AM 7.1.0
Component: Core Server
Severity: Medium

Description:

It may be possible to perform user enumeration on a vulnerable endpoint.

Workaround:

Block access to the /.well-known/webfinger endpoint at the reverse proxy or load balancer. The block must cover the endpoint in every realm, including realms in which OpenID Connect is not enabled.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.0.0 and 7.0.1 is provided in the AM 7.0.2 patch release.

Change Log

The following table tracks changes to the security advisory:

Date              Description
October 19, 2021  Added AM 6.5.4 as a fixed version
August 10, 2021   Clarified that issue 202106-01 applies to SAML 2.0
August 5, 2021    Initial release

Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.