AM Security Advisory #202106
Security vulnerabilities have been discovered in supported versions of Access Management (AM). These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.
Identity Cloud customers
This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to the ForgeRock Identity Cloud.
August 5, 2021
Security vulnerabilities have been discovered in supported versions of AM. These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1, and could be present in older unsupported versions.
The maximum severity of issues in this advisory is Critical.
Note
The advice is to upgrade or apply a patch to mitigate these issues. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.
Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone from trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.
In accordance with ForgeRock’s ForgeRock Maintenance Release and Patch Policy, patches are available from BackStage for the following versions:
- AM 7.0.2 (AM 7.0.2 is a patch release; this patch release can also be used to secure AM 7.0.0 and AM 7.0.1)
- AM 6.5.3
- AM 6.5.2.3
- AM 6.5.1
- AM 6.5.0.2
- AM 6.0.0.7
- AM 5.5.2 *
* ForgeRock are providing patches for #202106-01 and #202106-03 on AM 5.5.2 even though this is outside the scope of the Maintenance and Patch availability policy; please note that this action does not constitute a change to said policy.
Issue #202106-01: XML injection vulnerability (CVE-2021-37154)
| Affected versions | AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1 |
|---|---|
| Fixed versions | AM 6.5.4, AM 7.0.2, AM 7.1.0 |
| Component | Core Server |
| Severity | Critical |
Description:
A well-crafted XML document can be used to inject additional XML to create fraudulent SAML 2.0 assertions.
Workaround:
None.
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.0.0 and 7.0.1 is provided in the AM 7.0.2 patch release.
Issue #202106-02: Broken Authentication (CVE-2021-37153)
| Affected versions | AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1 |
|---|---|
| Fixed versions | AM 6.5.4, AM 7.0.2, AM 7.1.0 |
| Component | Core Server |
| Severity | High |
Description:
It may be possible to bypass authentication checks on some trees where Active Directory® is the Identity Store.
Workaround:
You can use one of the following workarounds to mitigate this issue:
- Do not use a Zero Page Login Collector node when Active Directory is the Identity Store.
- Disable unauthenticated binds in Active Directory (this option is available in Microsoft® Windows® Server 2019 and later).
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.0.0 and 7.0.1 is provided in the AM 7.0.2 patch release.
Issue #202106-03: Account Enumeration
| Affected versions | AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1 |
|---|---|
| Fixed versions | AM 6.5.4, AM 7.0.2, AM 7.1.0 |
| Component | Core Server |
| Severity | Medium |
Description:
It may be possible to perform user enumeration on a vulnerable endpoint.
Workaround:
Block access to the /.well-known/webfinger endpoint at the reverse proxy or load balancer. This needs to be done for each realm, even if OpenID Connect is not enabled in that realm.
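The reverse-proxy rule below is an added example of this workaround; it is not part of the advisory and not ForgeRock's own configuration. It assumes nginx terminates client traffic and proxies to AM, and that every realm's webfinger endpoint path ends in /.well-known/webfinger, so a single regex location matching that suffix covers all realms without listing each realm path. The backend address, hostname and certificate paths are placeholders.

```nginx
# Added example (not part of the advisory): deny /.well-known/webfinger for every realm.
# Assumptions: nginx fronts AM and proxies to the placeholder backend am-backend:8080;
# each realm's webfinger endpoint path ends in /.well-known/webfinger.
upstream am_backend {
    server am-backend:8080;   # placeholder AM backend address
}

server {
    listen 443 ssl;
    server_name am.example.com;                   # placeholder hostname
    ssl_certificate     /etc/nginx/tls/am.crt;    # placeholder certificate
    ssl_certificate_key /etc/nginx/tls/am.key;    # placeholder key

    # A regex location takes precedence over the plain prefix location "/" below,
    # so any request whose path ends in /.well-known/webfinger (in any realm)
    # is answered here and never forwarded to AM.
    location ~ /\.well-known/webfinger$ {
        return 404;
    }

    # Everything else is proxied to AM unchanged.
    location / {
        proxy_pass http://am_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, verify the rule with a request to the webfinger path of each realm (including realms where OpenID Connect is not enabled) and confirm a 404 is returned by the proxy, while other AM paths still reach the backend. The `$` anchor applies to the request path only, so a query string on the request does not bypass the match.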
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.0.0 and 7.0.1 is provided in the AM 7.0.2 patch release.
Change Log
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| October 19, 2021 | Added AM 6.5.4 as a fixed version |
| August 10, 2021 | Clarified that issue 202106-01 applies to SAML 2.0 |
| August 5, 2021 | Initial release |