Security Advisory
ForgeRock Identity Platform

AM Security Advisory #202101

Last updated Feb 24, 2021


Note

This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to the ForgeRock Identity Cloud.

February 1, 2021

Security vulnerabilities have been discovered in AM components. These issues may be present in AM 7.0, 6.5.0-6.5.2.3, 6.0.0-6.0.0.7, 5.0.0-5.5.2 and earlier versions.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds, patches or Patch Releases are available for all the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

If an upgrade is not possible, the recommendation is to deploy the relevant patches or if the fix is in a patch release, upgrade to that patch release.

Per ForgeRock's Maintenance and Patch availability policy, we have provided patches for the latest maintenance release and the previous maintenance release for the 6.5.x versions. We have also extended this to the 5.5.x versions. You can obtain patch bundles for the following versions from BackStage:

  • 6.5.2.3
  • 6.5.1
  • 5.5.2
  • 5.5.1

For all other versions, it is strongly recommended you upgrade to the latest maintenance version.

Issue #202101-01: Remote code execution

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.1
Fixed versions 5.5.2, 6.5.2, 7.0.0
Component Core Server
Severity Critical

Description:

An attacker may be able to perform remote code execution by sending a specially crafted request to an exposed remote endpoint.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #202101-02: Remote Code Execution

Product AM
Affected versions 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2
Fixed versions 6.5.2.1, 6.5.3, 7.0.0
Component Core Server
Severity High

Description:

It may be possible to use unsafe reflection to perform remote code execution.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #202101-03: Broken Authentication

Product AM
Affected versions 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2
Fixed versions 6.5.2.1, 6.5.3, 7.0.0
Component Core Server
Severity High

Description:

It may be possible to bypass authentication checks on some OAuth2 Clients.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #202101-04: Cross-Site Request Forgery (CSRF)

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 5.5.2, 6.5.3, 7.0.0
Component Core Server
Severity High

Description:

AM is vulnerable to cross-site request forgery (CSRF) attacks, which could cause an end user to execute unwanted actions on a web application in which they are currently authenticated.

Workaround:

Set Default Resource Version to "None", or in AM 6 onwards, ensure the CsrfFilter is enabled.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #202101-05: Information Exposure

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 5.5.2, 6.5.3, 7.0.0
Component Core Server
Severity Medium

Description:

AM contains debugging code or error messages that can expose sensitive information or too much detail either in the logs or in error response calls.

Workaround:

Do not enable message-level debug logging, and sanitize error responses.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-06: Cross Site Scripting

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 5.5.2, 6.5.3, 7.0.0
Component Core Server
Severity Medium

Description:

AM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-07: Account Enumeration

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.1
Fixed versions 5.5.2, 6.5.2.2, 6.5.3
Component Core Server
Severity Medium

Description:

It may be possible to perform user enumeration on a vulnerable endpoint.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-08: Business Logic Vulnerability

Product AM
Affected versions 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 6.5.3, 7.0.0
Component Core Server
Severity Medium

Description:

It may be possible to bypass re-authentication on a certain OpenID Connect flow.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-09: Business Logic Vulnerability

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.1
Fixed versions 5.5.2, 6.5.2.2, 6.5.3
Component Core Server
Severity Medium

Description:

Disabling an account does not prevent OAuth2 access tokens or authorization codes from being issued for it, and the account can still use the introspect and token endpoints.

Workaround:

Remove the account instead of disabling it.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-10: Information Exposure

Product AM
Affected versions 7.0.0
Fixed versions 7.0.1
Component Core Server
Severity Medium

Description:

In a certain flow, sensitive data is sent as a URL parameter, which could result in it being logged by proxies or in server logs.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle. The fix for AM 7.0.0 is provided in patch release 7.0.1.

Issue #202101-11: Cache Manipulation

Product AM
Affected versions 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 6.5.3, 7.0.0
Component Core Server
Severity Medium

Description:

It may be possible to store arbitrary data in an AM cache.

Workaround:

Disable the cache as follows:

  • Using ssoadm: ./ssoadm update-server-cfg -s default -u amadmin -f pwd.txt -a com.iplanet.am.sdk.caching.enabled=false com.sun.identity.sm.cache.enabled=true
  • Using the console:
    1. Navigate to Deployment > Servers > Server Name > Advanced.
    2. Set the value of the com.iplanet.am.sdk.caching.enabled property to false to disable caching overall.
    3. Set the value of the com.sun.identity.sm.cache.enabled property to true to enable configuration data caching.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-12: Missing Access Control

Product AM
Affected versions 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 6.5.3, 7.0.0
Component Core Server
Severity Low

Description:

It may be possible, through a well-crafted request, to force a downgrade attack in the processing of PKCE (OAuth2).

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
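As an added illustration of the downgrade class named in Issue #202101-12 (example code written for this page, not AM's implementation, and not the specific AM defect, whose details the advisory does not give), a lenient PKCE verifier is shown beside a strict one. The code store and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for an authorization server's code store (assumption).
# Maps authorization code -> challenge and method recorded at the /authorize step.
CODE_STORE = {}


def s256(verifier: str) -> str:
    """RFC 7636 S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(code_challenge: str, code_challenge_method: str = "plain") -> str:
    """Bind a fresh authorization code to the challenge and method the client sent."""
    if code_challenge_method not in ("plain", "S256"):
        raise ValueError("unsupported code_challenge_method")
    code = secrets.token_urlsafe(32)
    CODE_STORE[code] = {"challenge": code_challenge, "method": code_challenge_method}
    return code


def verify_lenient(code: str, code_verifier: Optional[str]) -> bool:
    """Downgrade-prone check: treats a missing verifier as 'PKCE not in use' and,
    when the S256 comparison fails, silently falls back to a plain comparison, so
    anyone who saw the challenge on the /authorize request can redeem the code."""
    entry = CODE_STORE.pop(code, None)
    if entry is None:
        return False
    if code_verifier is None:
        return True
    return (s256(code_verifier) == entry["challenge"]
            or code_verifier == entry["challenge"])


def verify_strict(code: str, code_verifier: Optional[str]) -> bool:
    """Hardened check: the method recorded at /authorize is authoritative, a bound
    code is never redeemable without a verifier, the code is consumed on every
    attempt, and the comparison is constant-time."""
    entry = CODE_STORE.pop(code, None)
    if entry is None or code_verifier is None:
        return False
    if not 43 <= len(code_verifier) <= 128:      # RFC 7636 length bounds
        return False
    expected = s256(code_verifier) if entry["method"] == "S256" else code_verifier
    return hmac.compare_digest(expected, entry["challenge"])
```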

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021  Added ForgeRock Identity Platform taxon to improve categorization
February 8, 2021  Reduced severity of Issues #202101-06 and #202101-07 to Medium (from High); removed a fixed version from Issue #202101-02 as it was never released
February 4, 2021  Added text to clarify that this advisory does not apply to the ForgeRock Identity Cloud
February 1, 2021  Initial release

Copyright © 2021 ForgeRock, all rights reserved.