If you have integrated Identity Cloud with Web Agents, you should secure your Web Agents as recommended in this security advisory.
Security vulnerabilities have been discovered in supported versions of Web Agents. These vulnerabilities affect versions 5.6.3, 5.7.0, 5.8.0, 5.8.1 and 5.8.2.
The maximum severity of issues in this advisory is High.
The advice is to upgrade. In some cases, a workaround is given which may be suitable, but an upgrade to the latest version is the recommended approach.
Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and to prevent anyone from trying to exploit them in the field. Please do not ask for steps to reproduce, for the same reasons.
See Upgrading Web Agents for upgrade instructions.
Affected versions: Web Agent 5.6.3, 5.7.0, 5.8.0, 5.8.1 and 5.8.2
An unauthenticated attacker can send requests to an agent logout endpoint that has been configured with non-default settings and cause a web server worker process to crash (a denial of service). Additional non-default settings must also be in effect for the issue to be exploitable; an agent running with the default logout configuration is not affected.
Workaround: you can secure your agents using either of the following options:
- Add a proxy rule to redirect traffic from the agent logout endpoint(s) to <AM URL>/UI/Logout.
- Disable agent logout by removing the agent logout URL from the Agent Logout URL Regular Expression property or from the Logout URL List property, whichever is configured. See AM Services Properties for further information.
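The first option, as an added illustration that is not part of the advisory and not ForgeRock's own configuration: an Apache httpd rule that answers requests for the agent logout path with a redirect to AM's own logout page, so the request never reaches the agent's logout handling. The logout path `/logout` and the AM base URL `https://am.example.com/am` are assumed values; substitute the path(s) from your agent's Agent Logout URL Regular Expression or Logout URL List and your real AM URL.

```apache
# Added example, not from the advisory. Assumed values: the agent's logout
# endpoint is /logout and AM is deployed at https://am.example.com/am.
<IfModule alias_module>
    # Match the exact logout path (with or without a trailing slash) and send
    # the client to AM's UI logout instead. Every path that the agent's logout
    # regex or Logout URL List would match needs an equivalent rule here,
    # otherwise that path remains reachable by the agent's logout handler.
    RedirectMatch 302 "^/logout/?$" "https://am.example.com/am/UI/Logout"
</IfModule>
```

After reloading the web server, confirm the rule takes effect before the agent sees the request: `curl -sI https://<agent-host>/logout` should return a 302 whose Location header points at the AM `/UI/Logout` URL, and the same request should no longer be served by the agent. On NGINX the equivalent is a `location = /logout { return 302 https://am.example.com/am/UI/Logout; }` block. Because users still land on AM's logout page, their sessions are still terminated; only the agent-side logout processing is bypassed.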
Resolution: upgrade to a fixed version. This is the recommended approach; the workarounds above only mitigate the issue.
The following table tracks changes to the security advisory:
| Date | Change |
|---|---|
| August 23, 2021 | Added link to upgrade instructions |
| August 3, 2021 | Added 5.6.3 as an affected version and removed the "could be present in older unsupported versions" text because it does not affect earlier versions |
| July 8, 2021 | Initial release |