This advisory does not apply to the ForgeRock Identity Cloud. This advisory only
ForgeRock are aware of a serious vulnerability (CVE-2022-21449) in the implementation of certain cryptographic operations in Java JDK versions 15 and later. This vulnerability affects Oracle Java and OpenJDK, including other JDKs derived from OpenJDK. ForgeRock have informed the OpenJDK vulnerability team about the issue and a fix is being worked on. Until a fix is ready from your JDK vendor, ForgeRock advises our customers not to deploy to production with any affected versions of Java.
- April 20, 2022: Oracle have issued a Critical Patch Update Advisory, which fixes this vulnerability.
As this is a bug in the Java runtime environment, ForgeRock is not able to offer patches. We recommend following the advice or workarounds in this advisory.
ForgeRock supports customers using Java 8 and 11. Other versions might work as well; in which case you should note the suggested Bouncy Castle workaround. However, when opening a support ticket for an issue, please make sure you can also reproduce the problem on a supported Java version.
You can secure your deployments using one of the following two options:
- Option 1: Deploy ForgeRock products with Java 11 only. This is the preferred solution. Java 11 is the only long-term supported (LTS) Java version supported for most ForgeRock products.
- Option 2: Configure your JVM to use Bouncy Castle as the preferred cryptographic provider as these libraries are not vulnerable. You will need to ensure the corresponding JCE provider JAR is installed and then configure it as the preferred provider in the java.security file (this can be found in the $JAVA_HOME directory; the exact path varies by version but a common location is $JAVA_HOME/conf/security).
Setting up Bouncy Castle Example (Applies only to Option 2)
- Download the latest bcprov-ext-jdk15on-xxx.jar and bcprov-jdk15on-xxx.jar files from Bouncy Castle if needed; they are listed in the SIGNED JAR FILES section.
- Copy these two jar files to a directory that the JVM searches.
- Ensure the file permissions for these two jar files are set to allow them to be read.
- Update the list of security providers in the JVM to put Bouncy Castle first and then renumber the other security providers to follow. This list is set in the java.security text file. The security provider list should now look similar to this: security.provider.1=BC|org.bouncycastle.jce.provider.BouncyCastleProvider security.provider.2=SUN [...]This step is recommended by Bouncy Castle and you can read more about it here: The Legion of the Bouncy Castle - Specifications.
- Save this file and restart the relevant ForgeRock product.
See Configure the Provider for further information.
The following table tracks changes to the advisory:
|April 20, 2022||Added CVE and link to Oracle Critical Patch Update Advisory|
|November 18, 2021||Initial release|