AM Security Advisory #202101
Security vulnerabilities have been discovered in AM components. These issues may be present in AM 7.0, 6.5.0-6.5.2.3, 6.0.0-6.0.0.7, 5.0.0-5.5.2 and earlier versions.
Note
This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to the ForgeRock Identity Cloud.
February 1, 2021
This advisory provides guidance on how to ensure your deployments can be secured. Workarounds, patches or Patch Releases are available for all the issues.
The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
If an upgrade is not possible, the recommendation is to deploy the relevant patches or, if the fix is in a patch release, to upgrade to that patch release.
- 6.5.2.3
- 6.5.1
- 5.5.2
- 5.5.1
For all other versions, it is strongly recommended you upgrade to the latest maintenance version.
Issue #202101-01: Remote code execution
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.1 |
Fixed versions | 5.5.2, 6.5.2, 7.0.0 |
Component | Core Server |
Severity | Critical |
Description:
An attacker may be able to perform remote code execution by sending a specially crafted request to an exposed remote endpoint.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch.
Issue #202101-02: Remote Code Execution
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2 |
Fixed versions | |
Component | Core Server |
Severity | High |
Description:
It may be possible to use unsafe reflection to perform remote code execution.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch.
Issue #202101-03: Broken Authentication
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2 |
Fixed versions | 6.5.2.1, 6.5.3, 7.0.0 |
Component | Core Server |
Severity | High |
Description:
It may be possible to bypass authentication checks on some OAuth2 Clients.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch.
Issue #202101-04: Cross-Site Request Forgery (CSRF)
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3 |
Fixed versions | 5.5.2, 6.5.3, 7.0.0 |
Component | Core Server |
Severity | High |
Description:
AM is vulnerable to cross-site request forgery (CSRF) attacks, which could cause the end user to execute unwanted actions on a web application in which they are currently authenticated.
Workaround:
Set Default Resource Version to "None", or in AM 6 onwards, ensure the CsrfFilter is enabled.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch.
Issue #202101-05: Information Exposure
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3 |
Fixed versions | 5.5.2, 6.5.3, 7.0.0 |
Component | Core Server |
Severity | Medium |
Description:
AM contains debugging code or error messages that can expose sensitive information or excessive detail, either in the logs or in error responses.
Workaround:
Do not enable message-level debug logging, and sanitize error responses.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #202101-06: Cross Site Scripting
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3 |
Fixed versions | 5.5.2, 6.5.3, 7.0.0 |
Component | Core Server |
Severity | Medium |
Description:
AM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #202101-07: Account Enumeration
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.1 |
Fixed versions | 5.5.2, 6.5.2.2, 6.5.3 |
Component | Core Server |
Severity | Medium |
Description:
It may be possible to perform user enumeration on a vulnerable endpoint.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #202101-08: Business Logic Vulnerability
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3 |
Fixed versions | 6.5.3, 7.0.0 |
Component | Core Server |
Severity | Medium |
Description:
It may be possible to bypass re-authentication on a certain OpenID Connect flow.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #202101-09: Business Logic Vulnerability
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.1 |
Fixed versions | 5.5.2, 6.5.2.2, 6.5.3 |
Component | Core Server |
Severity | Medium |
Description:
Disabling an account does not prevent OAuth2 access tokens or authorization codes from being issued for it, and the account can still use the introspect and token issuance endpoints.
Workaround:
Remove the account instead of disabling it.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #202101-10: Information Exposure
Product | AM |
---|---|
Affected versions | 7.0.0 |
Fixed versions | 7.0.1 |
Component | Core Server |
Severity | Medium |
Description:
In a certain flow, sensitive data is sent as a URL parameter, which could result in it being logged by proxies or in server logs.
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle. The fix for AM 7.0.0 is provided in patch release 7.0.1.
Issue #202101-11: Cache Manipulation
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3 |
Fixed versions | 6.5.3, 7.0.0 |
Component | Core Server |
Severity | Medium |
Description:
It may be possible to store arbitrary data in an AM cache.
Workaround:
Disable the cache as follows:
- Using ssoadm:
  ./ssoadm update-server-cfg -s default -u amadmin -f pwd.txt -a com.iplanet.am.sdk.caching.enabled=false com.sun.identity.sm.cache.enabled=true
- Using the console:
  - Navigate to Deployment > Servers > Server Name > Advanced.
  - Set the value of the com.iplanet.am.sdk.caching.enabled property to false to disable caching overall.
  - Set the value of the com.sun.identity.sm.cache.enabled property to true to enable configuration data caching.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
Issue #202101-12: Missing Access Control
Product | AM |
---|---|
Affected versions | 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3 |
Fixed versions | 6.5.3, 7.0.0 |
Component | Core Server |
Severity | Low |
Description:
Using a well-crafted request, it may be possible to force a downgrade in the processing of PKCE (OAuth2).
Workaround:
None.
Resolution:
Update/upgrade to a fixed version or deploy the relevant patch bundle.
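As an added illustration of what a PKCE downgrade is and how a token endpoint defends against it (example code written for this advisory, not AM's own implementation; the in-memory code store, client names and function names are constructed), the check below verifies the code_verifier using only the challenge and method bound at /authorize, so a method supplied with the token request cannot weaken S256 to a plain comparison or skip PKCE on a code that was issued with it.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Constructed in-memory store of authorization codes, keyed by code value.
# Each entry records the PKCE challenge and method bound at /authorize time.
ISSUED_CODES = {}

VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier):
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def issue_code(client_id, code_challenge, method="plain"):
    """Simulated /authorize: RFC 7636 defaults the method to 'plain' when
    absent. Challenge and method are bound to the code here and are never
    taken from the client again."""
    if method not in ("S256", "plain"):
        raise ValueError("unsupported code_challenge_method")
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {"client_id": client_id,
                          "challenge": code_challenge, "method": method}
    return code


def redeem_code(code, client_id, code_verifier, **ignored_request_params):
    """Simulated /token. Any code_challenge_method (or other PKCE hint) sent
    with the token request lands in ignored_request_params and is not used,
    so an S256 challenge is never downgraded to a plain comparison, and a
    code issued with a challenge cannot be redeemed without a verifier."""
    entry = ISSUED_CODES.pop(code, None)  # single use: a replay finds nothing
    if entry is None or entry["client_id"] != client_id:
        return False
    if not code_verifier or not VERIFIER_RE.fullmatch(code_verifier):
        return False
    if entry["method"] == "S256":
        expected = s256_challenge(code_verifier)
    else:
        expected = code_verifier
    # Constant-time comparison against the challenge recorded at /authorize.
    return hmac.compare_digest(expected, entry["challenge"])
```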
Change Log
The following table tracks changes to the security advisory:
Date | Description |
---|---|
February 24, 2021 | Added ForgeRock Identity Platform taxon to improve categorization |
February 8, 2021 | Reduced severity of Issues #202101-06 and #202101-07 to Medium (from High); removed a fixed version from Issue #202101-02 as it was never released |
February 4, 2021 | Added text to clarify this does not apply to the ForgeRock Identity Cloud |
February 1, 2021 | Initial release |