This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform.
A security vulnerability has been discovered in supported versions of DS. This vulnerability affects versions 7.1.0 and 7.1.1 and is not present in older versions. This vulnerability also affects the embedded DS versions shipped with AM and/or IDM. Refer to "What versions of DS are compatible with AM?" and/or "What versions of DS are compatible with IDM?" for the corresponding AM/IDM versions.
The maximum severity of the issue in this advisory is Medium (CVSS 5.3).
The advice is to upgrade to mitigate this issue. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.
Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.
Affected versions: DS 7.1.0, DS 7.1.1; AM 7.1.0, AM 7.1.1; IDM 7.1.0, IDM 7.1.2
Fixed versions: DS 7.1.2, AM 7.1.2
Severity: Medium (CVSS 5.3)
Some network vulnerability scanners are able to cause threads to spin in the SSL portion of the HTTPS connection handler code, leading to an increase in CPU utilization. Note that the plain HTTP connection handler is not affected.
ForgeRock has not identified any HTTPS clients that cause this server bug, apart from some network vulnerability scanners.
As a workaround, disable the HTTPS connection handler using dsconfig and deploy the REST2LDAP gateway in a separate application server instead.
To resolve the issue, upgrade to a fixed version. Separate patches are not available.
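The following is an added example, not part of the ForgeRock advisory, showing how an operator might confirm that a server runs an affected release and apply the workaround above with the DS command-line tools. It assumes the default connection handler name "HTTPS", administration port 4444, LDAPS port 1636, the uid=admin superuser, and the DS_HOST and DS_ADMIN_PW environment variables; adjust these for your deployment.

```shell
#!/bin/sh
# Added example (not from the advisory): check a DS server's release and, if it is
# one of the affected releases, disable the HTTPS connection handler as the advisory's
# workaround. Assumed: handler name "HTTPS", admin port 4444, LDAPS port 1636,
# bind DN uid=admin, and DS_HOST / DS_ADMIN_PW set by the operator.

# Extract the x.y.z release from a vendorVersion string such as
# "ForgeRock Directory Services 7.1.1"; succeed only for 7.1.0 or 7.1.1.
is_affected_version() {
  release=$(printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
  case "$release" in
    7.1.0|7.1.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Read vendorVersion from the root DSE of a live server (assumed connection settings).
server_version() {
  ldapsearch --hostname "$DS_HOST" --port 1636 --useSsl --trustAll \
    --bindDN uid=admin --bindPassword "$DS_ADMIN_PW" \
    --baseDN "" --searchScope base "(objectClass=*)" vendorVersion |
    sed -n 's/^vendorVersion: //p'
}

# Advisory workaround: disable the HTTPS handler. The plain HTTP handler is not
# affected and is left untouched.
disable_https_handler() {
  dsconfig set-connection-handler-prop \
    --hostname "$DS_HOST" --port 4444 --trustAll \
    --bindDN uid=admin --bindPassword "$DS_ADMIN_PW" \
    --handler-name HTTPS --set enabled:false --no-prompt
}

# Show the handler's "enabled" property so the change can be verified.
show_https_handler_state() {
  dsconfig get-connection-handler-prop \
    --hostname "$DS_HOST" --port 4444 --trustAll \
    --bindDN uid=admin --bindPassword "$DS_ADMIN_PW" \
    --handler-name HTTPS --property enabled --no-prompt
}

# Only act on affected releases; unaffected servers are left as they are.
main() {
  v=$(server_version)
  if is_affected_version "$v"; then
    echo "$v is affected; disabling the HTTPS connection handler"
    disable_https_handler && show_https_handler_state
  else
    echo "$v is not affected; no action taken"
  fi
}

# Run the live check only when explicitly asked: sh ds-https-check.sh --apply
if [ "${1-}" = "--apply" ]; then main; fi
```

The version check runs offline; the live functions require the DS ldapsearch and dsconfig tools on PATH and credentials for the server being assessed.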
The following table tracks changes to the security advisory:
March 16, 2022: Initial release