AM Security Advisory #202204
Several security vulnerabilities have been discovered in supported versions of Access Management (AM). These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x, 7.1 and 7.1.1, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.
Identity Cloud customers
This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform.
October 12, 2022
The maximum severity of issues in this advisory is High.
Note
The advice is to upgrade to the latest version to fix these issues. Alternatively, if that’s not possible at this time, you can apply a workaround (if one is provided) or apply one of the patches to mitigate these issues.
Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.
You can download patches from Backstage for the following versions:
See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.
Issue #202204-01: Cross Site Scripting (XSS)
Affected versions | AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x, 7.1 and 7.1.1 |
---|---|
Fixed versions | AM 6.5.5, AM 7.1.2, AM 7.2 |
Component | Core Server |
Severity | High |
Description:
AM is vulnerable to cross-site scripting (XSS) attacks, which could lead to session hijacking or phishing:
- /oauth2/authorize (fixed in AM 7.1.2)
- /oauth2/authorize with a custom login URL template (fixed in AM 6.5.4, AM 7.1.1)
- /authenticate (fixed in AM 7.0.1, AM 7.1)
Workaround:
The oauth2/authorize endpoint is used in some OAuth2/OIDC flows, and by AM Agents 5 and above. You can protect the oauth2/authorize endpoint with the container (for example, using the mod_security Apache module) or filter external requests if the endpoint is not used, or until a patch is deployed.
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 and 7.1.1 is provided in the AM 7.1.2 release.
Issue #202204-02: LDAP Injection Vulnerability (CVE-2022-24670)
Affected versions | AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x, 7.1 and 7.1.1 |
---|---|
Fixed versions | AM 6.5.5, AM 7.1.2, AM 7.2 |
Component | Core Server |
Severity | High |
Description:
A well-crafted request can cause LDAP injection on a particular endpoint.
Workaround:
Restrict access to the /jaxrpc endpoint. Note that the /jaxrpc endpoints are used by older remote AM SDK clients, including ssoadm.
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 and 7.1.1 is provided in the AM 7.1.2 release.
Issue #202204-03: Sensitive Data Exposure
Affected versions | AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x, 7.1 and 7.1.1 |
---|---|
Fixed versions | AM 6.5.5, AM 7.1.2, AM 7.2 |
Component | Core Server |
Severity | Medium |
Description:
Certain sensitive data may be exposed in the logs or stored in the configuration store unencrypted.
Workaround:
None.
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 and 7.1.1 is provided in the AM 7.1.2 release.
Issue #202204-04: Security Misconfiguration
Affected versions | AM 6.5.4, 7.0.2 and 7.1 |
---|---|
Fixed versions | AM 6.5.5, AM 7.1.1, AM 7.2 |
Component | Core Server |
Severity | Medium |
Description:
After upgrading to AM 6.5.4, AM 7.0.2 or AM 7.1.0, the OIDC Provider Discovery option is re-enabled. This issue only happens if you have applied the AM 202106-03 security patch AND upgraded to AM 6.5.4, AM 7.0.2 or AM 7.1.0 AND you have disabled the OIDC Provider Discovery.
If this is true of your deployment, then it may be possible to perform user enumeration on a vulnerable endpoint.
Workaround:
Disable the OIDC Provider Discovery again. You can do this by going to Realms > [Realm Name] > Services > OAuth2 Provider > OpenID Connect and disabling the OIDC Provider Discovery option.
Resolution:
You can resolve this in one of two ways:
- Upgrade to a fixed version. The fix for AM 7.1 is provided in the AM 7.1.1 release.
- If for some reason you need to upgrade to AM 6.5.4, 7.0.2 or 7.1, deploy the relevant patch before upgrading to an affected version.
Issue #202204-05: Security Misconfiguration
Affected versions | AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3 and 6.5.4 |
---|---|
Fixed versions | AM 6.5.5 |
Component | Core Server |
Severity | Medium |
Description:
A well-crafted request may be able to enable a certain setting that could cause a denial of service.
Workaround:
Disable or block access to the /index.jsp endpoint.
Resolution:
Upgrade to a fixed version or deploy the relevant patch.
Issue #202204-06: Open Redirect
Affected versions | AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1 |
---|---|
Fixed versions | AM 6.5.4, AM 7.1.1, AM 7.2 |
Component | Core Server |
Severity | Medium |
Description:
Certain redirect URL structures may not be correctly validated, allowing an attacker to redirect an end-user to a site they control.
Workaround:
None.
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 release.
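Issue 06 turns on redirect URL structures that are not validated correctly. The following Python function is an added example and is not part of this advisory or of AM's own validation code; it shows what a strict allowlist check for a post-login redirect target looks like, including the structures such checks commonly miss (protocol-relative URLs, backslash variants, userinfo before the host, host case and the default port). The trusted origins are constructed values.

```python
from urllib.parse import urlsplit

# Constructed allowlist of trusted redirect origins (scheme + host[:port]);
# hypothetical values, not an AM configuration setting.
TRUSTED_ORIGINS = {"https://app.example.com", "https://portal.example.com:8443"}


def is_safe_redirect(url: str, trusted_origins=TRUSTED_ORIGINS) -> bool:
    """Accept only a site-local path or an absolute https URL whose origin
    is on the allowlist. Everything else is rejected."""
    if not url or any(c in url for c in "\r\n\t\x00"):
        return False  # control characters are never legitimate in a redirect target
    # Browsers treat backslashes after the scheme like slashes ("/\evil.example"
    # becomes "//evil.example"), so normalise before parsing.
    candidate = url.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be a single-slash path on this site.
        # "//host/..." is protocol-relative and parses with a netloc, so it
        # never reaches this branch; "dashboard" without a slash is rejected
        # because its meaning depends on the current URL.
        return candidate.startswith("/") and not candidate.startswith("//")

    if parts.scheme.lower() != "https" or not parts.hostname:
        return False  # http://, javascript:, data:, and host-less forms
    if parts.username is not None or parts.password is not None:
        return False  # "https://app.example.com@evil.example/" style tricks
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False

    # Compare exact origins: hostname is already lower-cased by urlsplit,
    # and the default https port is folded away so ":443" matches.
    origin = f"https://{parts.hostname}"
    if port is not None and port != 443:
        origin += f":{port}"
    return origin in trusted_origins


if __name__ == "__main__":
    for sample in ("/dashboard", "//evil.example/", "/\\evil.example",
                   "https://app.example.com/login", "https://APP.example.com:443/login",
                   "https://app.example.com@evil.example/", "https://app.example.com.evil.example/",
                   "http://app.example.com/", "javascript:alert(1)"):
        print(f"{sample!r:45} -> {is_safe_redirect(sample)}")
```

The check compares whole origins rather than testing whether the host "starts with" or "contains" a trusted name, which is how look-alike hosts such as app.example.com.evil.example slip through; subdomain matching, if a deployment needs it, should be added as an explicit rule rather than a substring test.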
Issue #202204-07: Security Misconfiguration
Affected versions | AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x and 7.1 |
---|---|
Fixed versions | AM 6.5.5, AM 7.1.1, AM 7.2 |
Component | Core Server |
Severity | Medium |
Description:
In certain configurations, the JWK cache timeout is not honored. This may allow compromised keys to be used indefinitely.
Workaround:
When removing a key from the published JWK Set, the provider can also introduce a new key with a fresh key ID and start using that for new ID tokens.
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 release.
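Issue 07 describes a JWK cache timeout that is not honored, and its workaround rotates in a fresh key ID. As an added illustration of why both matter, here is a relying-party JWKS cache written for this advisory page (not ForgeRock code, and not a description of how AM implements its own cache). It re-fetches the published JWK Set once the cache timeout elapses and also refreshes on an unknown kid, rate-limited so attacker-supplied kids cannot force a fetch on every token. The key IDs, JWKS contents, TTL and refresh interval are all assumed values, and the scenario uses a fake clock so it runs offline.

```python
import time
from typing import Callable, Dict, Optional

# Constructed JWK Set snapshots: key IDs and placeholder parameters only
# (hypothetical values, not AM output). A real JWKS carries full RSA/EC keys.
OLD_KID, NEW_KID = "key-2022-01", "key-2022-10"
JWKS_BEFORE = {"keys": [{"kid": OLD_KID, "kty": "RSA", "use": "sig", "n": "<n-old>", "e": "AQAB"}]}
JWKS_AFTER = {"keys": [{"kid": NEW_KID, "kty": "RSA", "use": "sig", "n": "<n-new>", "e": "AQAB"}]}


class JwksCache:
    """Relying-party cache for a provider's JWK Set.

    The published set is re-fetched once the cache timeout (TTL) has elapsed,
    so a key the provider removed stops being trusted within one TTL. A kid
    missing from the cache also triggers a refresh, limited to one per
    min_refresh_interval so unknown kids in untrusted tokens cannot turn the
    verifier into a fetch loop against the provider.
    """

    def __init__(self, fetch: Callable[[], dict], ttl_seconds: float,
                 min_refresh_interval: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._min_interval = min_refresh_interval
        self._clock = clock
        self._keys: Dict[str, dict] = {}
        self._fetched_at: Optional[float] = None

    def _refresh(self) -> None:
        doc = self._fetch()
        self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self._fetched_at = self._clock()

    def _expired(self) -> bool:
        return self._fetched_at is None or self._clock() - self._fetched_at >= self._ttl

    def key_for(self, kid: str) -> Optional[dict]:
        """Return the JWK for kid, or None if the provider no longer publishes it."""
        if self._expired():
            self._refresh()                      # honour the cache timeout
        key = self._keys.get(kid)
        if key is None and self._clock() - self._fetched_at >= self._min_interval:
            self._refresh()                      # pick up a freshly rotated key
            key = self._keys.get(kid)
        return key


class FakeClock:
    """Deterministic clock so the scenarios below run instantly and offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Provider:
    """Stand-in for the provider's JWKS endpoint; counts how often it is fetched."""
    def __init__(self, jwks: dict) -> None:
        self.jwks, self.fetch_count = jwks, 0

    def fetch(self) -> dict:
        self.fetch_count += 1
        return self.jwks

    def rotate(self, jwks: dict) -> None:
        self.jwks = jwks


def rotation_scenario(ttl: float = 600.0, min_refresh: float = 60.0) -> dict:
    """The provider removes a key and publishes a fresh kid, as in the workaround."""
    clock, provider = FakeClock(), Provider(JWKS_BEFORE)
    cache = JwksCache(provider.fetch, ttl, min_refresh, clock)
    r = {"old_served_initially": cache.key_for(OLD_KID) is not None}   # True
    provider.rotate(JWKS_AFTER)
    clock.advance(30)
    r["old_still_cached"] = cache.key_for(OLD_KID) is not None         # True: 30 s < TTL
    r["new_kid_rate_limited"] = cache.key_for(NEW_KID) is not None     # False: 30 s < 60 s
    clock.advance(60)
    r["new_kid_after_refresh"] = cache.key_for(NEW_KID) is not None    # True: unknown kid refreshed
    r["old_gone_after_refresh"] = cache.key_for(OLD_KID) is not None   # False: removed key dropped
    r["fetches"] = provider.fetch_count                                 # 2
    return r


def ttl_expiry_scenario(ttl: float = 600.0) -> bool:
    """With no new kid ever seen, the TTL alone bounds how long the old key lives."""
    clock, provider = FakeClock(), Provider(JWKS_BEFORE)
    cache = JwksCache(provider.fetch, ttl, 60.0, clock)
    cache.key_for(OLD_KID)
    provider.rotate(JWKS_AFTER)
    clock.advance(ttl)
    return cache.key_for(OLD_KID) is None   # True: stale key rejected once the TTL elapsed


if __name__ == "__main__":
    print(rotation_scenario())
    print("old key rejected after TTL:", ttl_expiry_scenario())
```

The two scenarios make the advisory's point concrete: a verifier that honors the timeout keeps trusting a removed key for at most one TTL, whereas one that does not never drops it. Publishing a fresh kid alongside the removal, as the workaround suggests, lets new ID tokens verify immediately through the unknown-kid refresh while the old key ages out.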
Issue #202204-08: Broken Access Control (CVE-2022-24669)
Affected versions | AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x and 7.1 |
---|---|
Fixed versions | AM 6.5.5, AM 7.1.1, AM 7.2 |
Component | Core Server |
Severity | Medium |
Description:
It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services.
Workaround:
Restrict access to the /jaxrpc endpoint.
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 release.
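Issues 01, 02, 05 and 08 all rely on restricting or filtering endpoints (/oauth2/authorize, /jaxrpc and /index.jsp) at the container or proxy until a fixed version is deployed. A restriction is only useful if it actually holds, so the following Python script, added here as an example and not taken from the advisory or from ForgeRock tooling, reads reverse-proxy access log lines and reports external requests to those endpoints that were not rejected. It assumes AM is deployed under /am, that the proxy writes Apache "combined" format logs, and that RFC 1918 and loopback addresses are the internal clients (ssoadm hosts, agents); the log lines are constructed.

```python
import ipaddress
import re

# Assumptions (not from the advisory): AM deployment URI, log format and
# what counts as an internal source address.
DEPLOYMENT_URI = "/am"
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Endpoints the advisory's workarounds say to restrict or filter, keyed by the
# path relative to the deployment URI; matching is exact or by sub-path.
RESTRICTED = {
    "/jaxrpc": "Issues 02/08: restrict /jaxrpc (legacy SDK clients and ssoadm only)",
    "/index.jsp": "Issue 05: disable or block /index.jsp",
    "/oauth2/authorize": "Issue 01: filter external requests if the endpoint is unused",
}

# Apache combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.12.7 - - [12/Oct/2022:10:01:22 +0000] "GET /am/jaxrpc/ HTTP/1.1" 200 512 "-" "ssoadm"',
    '203.0.113.45 - - [12/Oct/2022:10:02:05 +0000] "POST /am/jaxrpc/IdentityServices HTTP/1.1" 200 1432 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Oct/2022:10:02:09 +0000] "GET /am/index.jsp HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [12/Oct/2022:10:03:40 +0000] "GET /am/oauth2/authorize?response_type=code&client_id=myClient HTTP/1.1" 302 0 "https://app.example.com/" "Mozilla/5.0"',
    '192.168.4.21 - - [12/Oct/2022:10:04:01 +0000] "GET /am/json/realms/root/sessions?_action=getSessionInfo HTTP/1.1" 200 330 "-" "curl/7.85"',
]


def is_internal(ip: str) -> bool:
    """True for sources inside the assumed internal ranges; unparsable -> external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def restricted_reason(target: str):
    """Return the advisory reason if the request target is a restricted endpoint."""
    path = target.split("?", 1)[0]
    if not path.startswith(DEPLOYMENT_URI + "/"):
        return None
    rel = path[len(DEPLOYMENT_URI):]
    for prefix, reason in RESTRICTED.items():
        if rel == prefix or rel.startswith(prefix + "/"):
            return reason
    return None


def audit_access_log(lines):
    """Split external requests to restricted endpoints into those the container
    let through (reachable) and those it rejected (blocked, status >= 400)."""
    result = {"reachable": [], "blocked": [], "unparsed": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            result["unparsed"] += 1
            continue
        reason = restricted_reason(m["target"])
        if reason is None or is_internal(m["ip"]):
            continue
        entry = {"ip": m["ip"], "path": m["target"], "status": int(m["status"]), "why": reason}
        bucket = "blocked" if entry["status"] >= 400 else "reachable"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    report = audit_access_log(SAMPLE_LOG)
    for entry in report["reachable"]:
        print(f"NOT RESTRICTED: {entry['ip']} {entry['status']} {entry['path']}  ({entry['why']})")
    print(f"{len(report['blocked'])} external request(s) correctly rejected, "
          f"{report['unparsed']} line(s) unparsed")
```

Run it against a real log with `audit_access_log(open("access.log"))` after adjusting the deployment URI and internal ranges. Any entry in the reachable list means the workaround is not in effect for that path; for /oauth2/authorize, external hits are expected when OAuth2/OIDC flows or AM Agents use it, so treat that line as a prompt to confirm the endpoint is in use rather than as a failure.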
Issue #202204-09: Security Misconfiguration
Affected versions | AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 6.5.4, 7.0.x and 7.1 |
---|---|
Fixed versions | AM 6.5.5, AM 7.1.1, AM 7.2 |
Component | Core Server |
Severity | Medium |
Description:
Some token endpoints may not enforce case-sensitive checks, reducing the effective entropy of certain tokens.
Workaround:
None.
Resolution:
Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 release.
See Also
Change Log
The following table tracks changes to the security advisory:
Date | Description |
---|---|
October 24, 2022 | Changed ‘patch release’ references to ‘release’ to avoid confusion |
October 12, 2022 | Initial release |
October 27, 2022 | Added CVE information to 2022-02 and 2022-08 |