Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

DS Security Advisory #202202

Last updated Mar 16, 2022

A security vulnerability has been discovered in supported versions of Directory Services (DS). This vulnerability only affects versions 7.1.0 and 7.1.1, and is not present in older versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.


Identity Cloud customers

This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform. 

March 16, 2022

A security vulnerability has been discovered in supported versions of DS. This vulnerability affects versions 7.1.0 and 7.1.1 and is not present in older versions. This vulnerability also affects the embedded DS versions in AM and/or IDM. Refer to "What versions of DS are compatible with AM?" and/or "What versions of DS are compatible with IDM?" for the corresponding AM/IDM versions.

The maximum severity of the issue in this advisory is Medium (CVSS 5.3).

Note

The advice is to upgrade to mitigate this issue. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

Issue #202202-01: HTTPS Connection Handler spins

Affected versions: DS 7.1.0, DS 7.1.1; AM 7.1.0, AM 7.1.1; IDM 7.1.0, IDM 7.1.2
Fixed versions: DS 7.1.2, AM 7.1.2
Component: Core Server
Severity: Medium (CVSS 5.3)

Description:

Some network vulnerability scanners are able to cause threads to spin in the SSL portion of the HTTPS connection handler code, leading to an increase in CPU utilization. Note that the HTTP connection handler is not affected.

ForgeRock has not identified any HTTPS clients that cause this server bug, apart from some network vulnerability scanners.

Workaround:

Disable the HTTPS connection handler using dsconfig, and deploy REST2LDAP in a separate application server.
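The script below is an added example, not part of the ForgeRock advisory and not ForgeRock's own tooling. It shows one way to apply the workaround: disable the DS connection handler named HTTPS with dsconfig, then list the connection handlers again and confirm the handler reports enabled:false. Everything deployment-specific is an assumption to be adjusted: the install path in DS_HOME, administration port 4444, admin account uid=admin, the placeholder password file path, and the column layout of the list-connection-handlers output that the check parses (Name : Type : enabled : listen-port : use-ssl). The dsconfig option names are those of DS 7; confirm them against dsconfig --help on your own version before running with --apply.

```shell
#!/bin/sh
# Added example (not from the ForgeRock advisory): apply the workaround by
# disabling the DS "HTTPS" connection handler with dsconfig, then verify it.
# Assumptions, adjust for your deployment: DS is installed under $DS_HOME,
# the administration port is 4444, the admin account is uid=admin, and the
# admin password and keystore PIN are read from files, not the command line.
set -eu

DS_HOME="${DS_HOME:-/opt/opendj}"
DS_ADMIN_PORT="${DS_ADMIN_PORT:-4444}"
DS_BIND_DN="${DS_BIND_DN:-uid=admin}"
DS_PWD_FILE="${DS_PWD_FILE:-/path/to/admin-password.txt}"   # placeholder path

# Common connection arguments for dsconfig against the local admin port
# (option names as documented for DS 7; check dsconfig --help on your version).
ds_conn_args() {
  printf '%s' "--hostname localhost --port $DS_ADMIN_PORT \
--bindDN $DS_BIND_DN --bindPasswordFile $DS_PWD_FILE \
--usePkcs12TrustStore $DS_HOME/config/keystore \
--trustStorePassword:file $DS_HOME/config/keystore.pin --no-prompt"
}

# Print "true", "false" or "unknown" for the HTTPS handler's enabled property,
# parsing `dsconfig list-connection-handlers` output read on stdin. Assumed
# layout: one handler per line, colon-separated columns
# "Name : Type : enabled : listen-port : use-ssl".
https_handler_state() {
  awk -F':' '
    $1 ~ /^HTTPS[ \t]*$/ { v = $3; gsub(/[ \t]/, "", v); print v; found = 1; exit }
    END { if (!found) print "unknown" }'
}

# Disable the HTTPS connection handler (the advisory's workaround), then list
# the handlers again and report the resulting enabled state.
disable_https_handler() {
  # The connection args are intentionally word-split into separate arguments.
  "$DS_HOME/bin/dsconfig" set-connection-handler-prop \
    --handler-name HTTPS --set enabled:false $(ds_conn_args)
  "$DS_HOME/bin/dsconfig" list-connection-handlers $(ds_conn_args) | https_handler_state
}

# Only touch the server when explicitly asked; running the file with no
# arguments just defines the functions above.
if [ "${1:-}" = "--apply" ]; then
  state="$(disable_https_handler)"
  echo "HTTPS connection handler enabled: $state"
  [ "$state" = "false" ] || { echo "workaround not applied" >&2; exit 1; }
fi
```

Run it as `sh disable-https.sh --apply` on the DS host after adjusting the assumed values; a non-zero exit means the handler still reports enabled:true (or the output could not be parsed), so the workaround should not be considered in place. Remember that this removes the built-in REST2LDAP endpoint as well, which is why the advisory pairs it with deploying REST2LDAP in a separate application server.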

Resolution:

Upgrade to a fixed version. Separate patches are not available.

Change Log

The following table tracks changes to the security advisory:

Date            Description
March 16, 2022  Initial release

Copyright and Trademarks

Copyright © 2022 ForgeRock, all rights reserved.