Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM Security Advisory #202204

Last updated Oct 27, 2022

Several security vulnerabilities have been discovered in supported versions of Access Management (AM). These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x, 7.1 and 7.1.1, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.


Identity Cloud customers

This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform. 

October 12, 2022

Several security vulnerabilities have been discovered in supported versions of AM. These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x, 7.1 and 7.1.1, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is High.

Note

The advice is to upgrade to the latest version to fix these issues. Alternatively, if that’s not possible at this time, you can apply a workaround (if one is provided) or apply one of the patches to mitigate these issues.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

You can download patches from Backstage for the following versions:

See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.

Issue #202204-01: Cross Site Scripting (XSS)

Affected versions: AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x, 7.1 and 7.1.1
Fixed versions: AM 6.5.5, AM 7.1.2, AM 7.2
Component: Core Server
Severity: High

Description:

AM is vulnerable to cross-site scripting (XSS) attacks, which could lead to session hijacking or phishing:

  • /oauth2/authorize (fixed in AM 7.1.2)
  • /oauth2/authorize with custom login url template (fixed in AM 6.5.4, AM 7.1.1)
  • /authenticate (fixed in AM 7.0.1, AM 7.1)

Workaround:

The oauth2/authorize endpoint is used in some OAuth2/OIDC flows, and by AM Agents 5 and above. You can protect the oauth2/authorize endpoint at the container level (for example, using the mod_security Apache module), or filter external requests to it if the endpoint is not used, or until a patch is deployed.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 and 7.1.1 is provided in the AM 7.1.2 release.

Issue #202204-02: LDAP Injection Vulnerability (CVE-2022-24670)

Affected versions: AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x, 7.1 and 7.1.1
Fixed versions: AM 6.5.5, AM 7.1.2, AM 7.2
Component: Core Server
Severity: High

Description:

A well-crafted request can cause LDAP injection on a particular endpoint.

Workaround:

Restrict access to the /jaxrpc endpoint. Note that the /jaxrpc endpoints are used by older remote AM SDK components, including ssoadm.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 and 7.1.1 is provided in the AM 7.1.2 release.

Issue #202204-03: Sensitive Data Exposure

Affected versions: AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x, 7.1 and 7.1.1
Fixed versions: AM 6.5.5, AM 7.1.2, AM 7.2
Component: Core Server
Severity: Medium

Description:

Certain sensitive data may be exposed in the logs or stored in the configuration store unencrypted.

Workaround:

None.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 and 7.1.1 is provided in the AM 7.1.2 release.

Issue #202204-04: Security Misconfiguration

Affected versions: AM 6.5.4, 7.0.2 and 7.1
Fixed versions: AM 6.5.5, AM 7.1.1, AM 7.2
Component: Core Server
Severity: Medium

Description:

After upgrading to AM 6.5.4, AM 7.0.2 or AM 7.1.0, the OIDC Provider Discovery option is re-enabled. This issue only happens if you have applied the AM 202106-03 security patch AND upgraded to AM 6.5.4, AM 7.0.2 or AM 7.1.0 AND you have disabled the OIDC Provider Discovery.

If this is true of your deployment, then it may be possible to perform user enumeration on a vulnerable endpoint.

Workaround:

Disable the OIDC Provider Discovery again. You can do this by going to Realms > [Realm Name] > Services > OAuth2 Provider > OpenID Connect and disabling the OIDC Provider Discovery option.

Resolution:

You can resolve this in one of two ways:

  • Upgrade to a fixed version. The fix for AM 7.1 is provided in the AM 7.1.1 release.
  • If for some reason you need to upgrade to AM 6.5.4, 7.0.2 or 7.1, deploy the relevant patch before upgrading to an affected version. 

Issue #202204-05: Security Misconfiguration

Affected versions: AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3 and 6.5.4
Fixed versions: AM 6.5.5
Component: Core Server
Severity: Medium

Description:

A well-crafted request may be able to enable a certain setting that could cause a denial of service.

Workaround:

Disable or block access to the /index.jsp endpoint.

Resolution:

Upgrade to a fixed version or deploy the relevant patch.

Issue #202204-06: Open Redirect

Affected versions: AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1
Fixed versions: AM 6.5.4, AM 7.1.1, AM 7.2
Component: Core Server
Severity: Medium

Description:

Certain redirect URL structures may not be correctly validated, allowing an attacker to redirect an end-user to a site they control.

Workaround:

None.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 release.

Issue #202204-07: Security Misconfiguration

Affected versions: AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x and 7.1
Fixed versions: AM 6.5.5, AM 7.1.1, AM 7.2
Component: Core Server
Severity: Medium

Description:

In certain configurations, the JWK cache timeout is not honored. This may allow compromised keys to be used indefinitely.

Workaround:

When removing a key from the published JWK Set, the provider can also introduce a new key with a fresh key ID and start using that for new ID tokens.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 release.

Issue #202204-08: Broken Access Control (CVE-2022-24669)

Affected versions: AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x and 7.1
Fixed versions: AM 6.5.5, AM 7.1.1, AM 7.2
Component: Core Server
Severity: Medium

Description:

It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services.

Workaround:

Restrict access to the /jaxrpc endpoint.
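The container-level workarounds given for Issues #202204-01, #202204-02, #202204-05 and #202204-08 all come down to the same control: only let trusted networks reach /jaxrpc, /index.jsp and (if no external client needs it) oauth2/authorize. The configuration below is an added example, not ForgeRock's own configuration, and uses Apache httpd 2.4's built-in mod_authz_core rather than mod_security. It assumes AM is deployed under the context path /am, that httpd reverse-proxies to AM on 127.0.0.1:8080, and that administration happens from 10.0.0.0/8; all three are placeholders to adjust for your deployment.

```apache
# Added example (not ForgeRock's configuration): Apache httpd 2.4 reverse proxy
# in front of AM. Assumed values: AM context path /am, AM listening on
# http://127.0.0.1:8080, admin network 10.0.0.0/8.

ProxyPreserveHost On
ProxyPass        /am http://127.0.0.1:8080/am
ProxyPassReverse /am http://127.0.0.1:8080/am

# Issues #202204-02 and #202204-08: /jaxrpc is only needed by older remote
# AM SDK components such as ssoadm, so allow it from the admin network only.
<Location "/am/jaxrpc">
    Require ip 10.0.0.0/8
</Location>

# Issue #202204-05: block /index.jsp outright if nothing uses it; swap in
# "Require ip 10.0.0.0/8" instead if administrators still need it.
<Location "/am/index.jsp">
    Require all denied
</Location>

# Issue #202204-01: if no external OAuth2/OIDC client or AM Agent 5+ needs the
# authorization endpoint, limit it to internal networks until the patch is
# deployed. The regex also matches realm-prefixed paths such as
# /am/oauth2/realms/root/authorize (assumed AM URL layout).
<LocationMatch "^/am/oauth2(/realms/[^/]+)*/authorize">
    Require ip 10.0.0.0/8
</LocationMatch>
```

Run `apachectl configtest` before reloading, then confirm from an address outside the allowed range that /am/jaxrpc and /am/index.jsp return 403 while ordinary login to /am still works. Because `Require ip` is evaluated before the request is proxied, AM never sees the blocked requests, which is the point of doing this in the container rather than in AM itself.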

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 release.

Issue #202204-09: Security Misconfiguration

Affected versions: AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x and 7.1
Fixed versions: AM 6.5.5, AM 7.1.1, AM 7.2
Component: Core Server
Severity: Medium

Description:

Some token endpoints may not enforce case-sensitive checks, reducing the effective entropy of certain tokens.

Workaround:

None.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 release.

See Also

CVE-2022-24669

CVE-2022-24670

Change Log

The following table tracks changes to the security advisory:

Date              Description
October 24, 2022  Changed ‘patch release’ references to ‘release’ to avoid confusion
October 12, 2022  Initial release
October 27, 2022  Added CVE information to Issues #202204-02 and #202204-08

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.