Security Advisory
ForgeRock Identity Platform
ForgeRock Identity Cloud

Web Agents Security Advisory #202105

Last updated Jul 8, 2021

Security vulnerabilities have been discovered in supported versions of Web Agents. These vulnerabilities affect versions 5.7.0, 5.8.0, 5.8.1 and 5.8.2, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.


Identity Cloud customers

If you have integrated Identity Cloud with Web Agents, you should secure your Web Agents as recommended in this security advisory.

July 8, 2021

Security vulnerabilities have been discovered in supported versions of Web Agents. These vulnerabilities affect versions 5.7.0, 5.8.0, 5.8.1 and 5.8.2, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is High.

Note

The advice is to upgrade. In some cases, a workaround is given which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and to prevent anyone from trying to exploit them in the field. Please do not ask for steps to reproduce, for the same reasons.

Issue #202105-01

Affected versions: Web Agent 5.7.0, 5.8.0, 5.8.1 and 5.8.2
Fixed versions: 5.8.2.1
Component: Web Agent
Severity: High

Description:

An unauthenticated attacker can target a non-default configured agent logout endpoint, causing a web server worker process to crash (a denial of service). Other non-default settings also need to be set for this to be exploitable.

Workaround:

You can secure your agents using one of the following two options:

  • Add a proxy rule that redirects traffic for the agent logout endpoint(s) to <AM URL>/UI/Logout, so that the agent never handles those requests itself.
  • Disable agent logout handling by removing the agent logout URL from the Agent Logout URL Regular Expression or from the Logout URL List, whichever is configured. See AM Services Properties for further information.
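
One way to apply the first workaround on an Apache httpd web server, given here as an added example and not as configuration from the advisory or from ForgeRock: the rewrite rule below sends every request for the agent logout endpoint to AM's logout page before the agent module sees it. The logout path /app/logout, the server name www.example.com and the AM URL https://am.example.com/am are assumed values; replace them with the path your agent's Agent Logout URL Regular Expression or Logout URL List matches and with your own AM URL.

```apache
# Added example, not part of the advisory. Assumed values: the agent logout
# endpoint is /app/logout and AM is deployed at https://am.example.com/am.
<VirtualHost *:443>
    ServerName www.example.com

    RewriteEngine On
    # Match the logout path itself (with or without a trailing slash), case-
    # insensitively, and answer with a 302 to AM's logout page. The query
    # string is not matched by RewriteRule, so variants such as
    # /app/logout?x=1 are covered too. L stops further rewriting.
    RewriteRule ^/app/logout/?$ https://am.example.com/am/UI/Logout [R=302,L,NC]
</VirtualHost>
```

The rule must cover every form of the URL that the agent's logout setting matches (case variants, trailing slash, query string); a variant the rule misses still reaches the agent and the workaround does not apply to it. After deploying, request the logout path and confirm the response is a 302 with a Location header pointing at <AM URL>/UI/Logout, then re-test after any later change to the agent's logout URL settings.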

Resolution:

Upgrade to a fixed version.

Change Log

The following table tracks changes to the security advisory:

Date  Description
July 8, 2021  Initial release


Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.