Identity Cloud customers
If you have integrated Web Agents with
A security vulnerability has been discovered in supported versions of Web Agents. This vulnerability affects versions 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.8.2, and 220.127.116.11.
The maximum severity of issues in this advisory is High.
The advice is to upgrade. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.
Details about this vulnerability are deliberately kept to a minimum to protect your deployments and to prevent anyone from trying to exploit them in the field. For the same reasons, please do not ask for steps to reproduce.
See Upgrade Web Agent for upgrade instructions.
| Affected versions | 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.8.2, 18.104.22.168 |
An unauthenticated attacker can attack an agent endpoint with a cookie, causing a web server worker process to crash. The non-default option org.forgerock.openam.agents.config.multivalue.pre.authn.cookies needs to be 1 for this to be exploitable.
org.forgerock.openam.agents.config.multivalue.pre.authn.cookies=1 then change it to
See SSO Properties for details.
Upgrade to a fixed version.
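To check whether a deployment meets the precondition described above, the following added example (not part of the original advisory or the vendor's tooling) audits agent configuration text for the property. It assumes `key = value` lines with `#` comments and that the last assignment wins; the function name and the sample configurations are hypothetical and constructed for illustration.

```python
# Property named in the advisory; the issue is exploitable only when it is 1.
PROP = "org.forgerock.openam.agents.config.multivalue.pre.authn.cookies"


def audit_agent_config(text):
    """Return (status, line_no) for PROP in properties-style config text.

    status is one of:
      "exposed"     -> effective value is 1 (the advisory's precondition)
      "not-exposed" -> property is set to something other than 1
      "unset"       -> property absent, so the default applies
    Assumptions: 'key = value' lines, '#' comments, last assignment wins.
    """
    status, where = "unset", None
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never set the property
        key, sep, value = line.partition("=")
        if not sep or key.strip() != PROP:
            continue
        status = "exposed" if value.strip() == "1" else "not-exposed"
        where = no  # remember the line that decides the effective value
    return status, where


# Constructed sample inputs (not taken from any real deployment).
SAMPLE_EXPOSED = "# constructed\nexample.other.property = x\n" + PROP + " = 1\n"
SAMPLE_COMMENTED = "# constructed\n# " + PROP + "=1\n"
SAMPLE_OVERRIDE = "# constructed\n" + PROP + "=1\n\n  " + PROP + " =  0  \n"

if __name__ == "__main__":
    for name, cfg in [("exposed", SAMPLE_EXPOSED),
                      ("commented", SAMPLE_COMMENTED),
                      ("override", SAMPLE_OVERRIDE)]:
        status, line_no = audit_agent_config(cfg)
        print(f"{name}: {status} (line {line_no})")
```

A result of "exposed" on an affected version means the agent should be prioritised for the upgrade.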
The following table tracks changes to the security advisory:
| Date | Description |
|---|---|
| August 18, 2022 | No changes to content - just corrected Backstage link |
| September 21, 2021 | Corrected doc link |
| September 20, 2021 | Initial release |