Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM/OpenAM Web Agents Security Advisory #201904

Last updated Aug 18, 2022

Security vulnerabilities have been discovered in AM/OpenAM Web agents.

September 4, 2019

Two security vulnerabilities have been discovered in AM/OpenAM Web agents.

This advisory provides guidance on how to ensure your deployments can be secured. A fix for the vulnerabilities is available in the latest releases for Web Agents 4 and 5 respectively.

The maximum severity of issues in this advisory is High. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to Web Agents or Web Agents

Customers can obtain the fixed Agents versions from Backstage.

Issue #201904-01

Product: OpenAM Web Agents
Affected versions: 4.0.x, 4.1.x, 4.2.0,,
Fixed versions:
Component: Web Agent
Severity: High
Description

In libexpat in Expat before 2.2.7, XML input (including XML names that contain a large number of colons) could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
Resolution

Upgrade to Web Agent (which includes an updated expat library version), or use Agents 5.x, which is not affected because it does not use this library.

Issue #201904-02

Product: AM/OpenAM Web Agents
Affected versions: 4.1.x, 4.2.0,,, 5.0.x, 5.5.x
Fixed versions:,
Component: Nginx Web Agent
Severity: High
Description

The Nginx Web Agent does not enforce the client body size maximum directive for chunked-encoded request bodies. Apache and IIS agents are not affected.
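The failure mode above, as an added illustration that is not ForgeRock's or the Web Agent's code: a body-size check that only consults Content-Length never fires for a chunked request (which carries no Content-Length), so the limit has to be applied while the chunked body is decoded. The limit MAX_BODY, the function names and the sample request are constructed for the example.

```python
# Added example, not ForgeRock's or the Web Agent's code. It contrasts a body-size
# check that only consults Content-Length with one that also applies the limit to
# a chunked transfer-encoded body. MAX_BODY and the sample request are constructed.

MAX_BODY = 16  # hypothetical limit in bytes, standing in for a client body size max


class BodyTooLarge(Exception):
    """Raised when a decoded request body would exceed the configured limit."""


def naive_limit_ok(headers, max_body=MAX_BODY):
    """Weak check: only Content-Length is compared against the limit.
    A chunked request carries no Content-Length, so it always passes."""
    length = headers.get("content-length")
    return length is None or int(length) <= max_body


def decode_chunked(raw, max_body=MAX_BODY):
    """Decode a chunked body incrementally, rejecting it as soon as the
    decoded size would exceed max_body rather than after buffering it all."""
    body = bytearray()
    pos = 0
    while True:
        line_end = raw.index(b"\r\n", pos)
        # chunk-size may be followed by ";extension"; only the hex size matters
        size = int(raw[pos:line_end].split(b";", 1)[0].strip(), 16)
        pos = line_end + 2
        if size == 0:          # last-chunk; trailers (if any) follow
            break
        if len(body) + size > max_body:
            raise BodyTooLarge(f"chunked body exceeds {max_body} bytes")
        body += raw[pos:pos + size]
        pos += size + 2        # skip chunk data and its trailing CRLF
    return bytes(body)


def enforce_limit(headers, raw, max_body=MAX_BODY):
    """Apply the limit for both framing styles.
    Returns the decoded body or raises BodyTooLarge."""
    headers = {k.lower(): v for k, v in headers.items()}
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return decode_chunked(raw, max_body)
    if not naive_limit_ok(headers, max_body):
        raise BodyTooLarge(f"Content-Length exceeds {max_body} bytes")
    return raw[:int(headers.get("content-length", len(raw)))]


# Constructed sample: two 10-byte chunks = 20 decoded bytes, above the 16-byte limit.
CHUNKED_HEADERS = {"Transfer-Encoding": "chunked"}
CHUNKED_BODY = b"a\r\n0123456789\r\na\r\n0123456789\r\n0\r\n\r\n"

if __name__ == "__main__":
    print("naive check passes chunked request:", naive_limit_ok(CHUNKED_HEADERS))
    try:
        enforce_limit(CHUNKED_HEADERS, CHUNKED_BODY)
    except BodyTooLarge as exc:
        print("enforced check rejects it:", exc)
```

The point of checking inside the decoding loop is that the rejection happens before the oversized body is buffered, which is what a body-size limit is meant to protect against.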
Workaround

Agents 4.x only: Do not use Post Data Preservation.

Resolution

Update/upgrade to a fixed version.

Change Log

The following table tracks changes to the security advisory:

Date               Description
August 18, 2022    No changes to content; corrected the Backstage link only
February 24, 2021  Added ForgeRock Identity Platform taxon to improve categorization
September 4, 2019  Initial release

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.