Security Advisory

IDM/OpenIDM Security Advisory #201705

Last updated Jul 9, 2018

Security vulnerabilities have been discovered in IDM/OpenIDM components. These issues may be present in IDM 5.0 and OpenIDM 2.1.x, 3.x, 4.x. The OpenIDM Community Edition 2.1.2 is also affected.



December 5, 2017


This advisory provides guidance on how to secure your deployments. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 3.0.0
  • 3.1.0
  • 4.0.0
  • 4.5.0
  • 4.5.1
  • 5.0.0

Customers can obtain these patch bundles from BackStage.

Issue #201705-01

Product: IDM, OpenIDM
Affected versions: IDM 5.0, OpenIDM 2.1.0, 2.1.1, 2.1.2, Community Edition 2.1.2, 3.0.0, 3.1.0, 4.0.0, 4.5.0, 4.5.1
Fixed versions: IDM 5.5
Component: Workflow
Severity: Critical

Description:

Workflow task submission allows arbitrary content with no scoping protection.

Workaround:

Disable the Activiti Workflow service.

Resolution:

Deploy the relevant patch bundle.

See Also

How do I migrate my existing BPMN workflows after upgrading to IDM 5.5 or applying Security Advisory #201705?



Copyright © 2018 ForgeRock, all rights reserved.
