Security Advisory
ForgeRock Identity Platform
ForgeRock Identity Cloud

Web Agents Security Advisory #202107

Last updated Sep 21, 2021

A security vulnerability has been discovered in supported versions of Web Agents. This vulnerability affects versions 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.8.2, and 5.8.2.1. You should secure your deployments at the earliest opportunity as outlined in this security advisory.


Identity Cloud customers

If you have integrated Web Agents with Identity Cloud, you should secure your Web Agents as recommended in this security advisory.

September 20, 2021

A security vulnerability has been discovered in supported versions of Web Agents. This vulnerability affects versions 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.8.2, and 5.8.2.1.

The maximum severity of issues in this advisory is High.

Note

The advice is to upgrade. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

See Upgrade Web Agent for upgrade instructions.

Issue #202107-01

Affected versions: 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.8.2, 5.8.2.1
Fixed versions:    5.9.0
Component:         Web Agent
Severity:          High

Description:

An unauthenticated attacker can send a request carrying a cookie to an agent endpoint, causing a web server worker process to crash. The issue is exploitable only when the non-default option org.forgerock.openam.agents.config.multivalue.pre.authn.cookies is set to 1.

Workaround:

If your agent configuration sets org.forgerock.openam.agents.config.multivalue.pre.authn.cookies=1, change it to org.forgerock.openam.agents.config.multivalue.pre.authn.cookies=0.

See SSO Properties for details.
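The following script is an added example, not part of the ForgeRock advisory or of the Web Agents product, showing how an operator might audit agent configuration files for the option named in Issue #202107-01 and apply the advisory's workaround in place. It assumes the option is stored as a plain key=value line in a properties-style file (one assignment per line, '#' comments) and that the path you pass in is your agent's configuration file; the function names and the backup naming scheme are the example's own.

```shell
#!/bin/sh
# Added example, not ForgeRock's own code: audit a Web Agent configuration
# file for the non-default multivalue pre-authn cookie option named in
# Web Agents Security Advisory #202107 and, on request, apply the
# advisory's workaround (set the option to 0).
# Assumptions: properties-style "key=value" lines, '#' comment lines, and
# the config file path supplied by the caller.

AGENT_PROP="org.forgerock.openam.agents.config.multivalue.pre.authn.cookies"

# Print the effective value of AGENT_PROP in the given file.
# Comment lines are ignored and the last assignment wins; prints "unset"
# when the file contains no assignment for the option.
agent_multivalue_cookie_value() {
    line=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep "^[[:space:]]*${AGENT_PROP}[[:space:]]*=" \
        | tail -n 1)
    if [ -z "$line" ]; then
        echo "unset"
        return 0
    fi
    # drop everything up to and including '=', then trim trailing blanks
    printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Exit status: 0 = not exposed (option is 0 or unset), 1 = exposed (option
# is 1), 2 = file unreadable, 3 = unrecognised value that needs manual review.
check_multivalue_cookie_setting() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1" >&2; return 2; }
    v=$(agent_multivalue_cookie_value "$1")
    case "$v" in
        1)
            echo "EXPOSED: $1 has ${AGENT_PROP}=1 (Web Agents advisory #202107-01)"
            echo "         set it to 0 as a workaround, or upgrade to 5.9.0"
            return 1 ;;
        0|unset)
            echo "OK: $1 (${AGENT_PROP} is ${v})"
            return 0 ;;
        *)
            echo "REVIEW: $1 has ${AGENT_PROP}='${v}' (unrecognised value)"
            return 3 ;;
    esac
}

# Apply the advisory's workaround: rewrite "<option>=1" to "<option>=0",
# keeping a timestamped backup of the original beside it. Files that are
# not reported as exposed are left untouched and the check status returned.
apply_multivalue_cookie_workaround() {
    f="$1"
    rc=0
    check_multivalue_cookie_setting "$f" >/dev/null || rc=$?
    [ "$rc" -eq 1 ] || return "$rc"
    cp "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    # rewrite only the value of this one property; everything else is kept
    sed "s/^\([[:space:]]*${AGENT_PROP}[[:space:]]*=[[:space:]]*\)1[[:space:]]*$/\10/" "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
    echo "FIXED: $f now has ${AGENT_PROP}=0 (backup kept beside it)"
}

# Usage: sh check_agent_cookie_option.sh /path/to/agent.conf [more files...]
# (path is an assumption; use your deployment's actual agent config file)
if [ $# -gt 0 ]; then
    for f in "$@"; do
        check_multivalue_cookie_setting "$f" || true
    done
fi
```

Run the script against each agent's configuration file to get a one-line verdict per file; to apply the workaround, source the script and call apply_multivalue_cookie_workaround on the files reported as EXPOSED, then restart the web server so the agent re-reads its configuration. The workaround only removes the crash condition; the advisory's recommended fix remains upgrading to 5.9.0.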

Resolution:

Upgrade to a fixed version.

Change Log

The following table tracks changes to the security advisory:

Date                Description
September 21, 2021  Corrected doc link
September 20, 2021  Initial release

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.