AM Security Advisory #202207
A security vulnerability has been discovered in supported versions of Access Management (AM). This vulnerability affects all current versions of AM, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.
Identity Cloud customers
This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to ForgeRock Identity Cloud.
January 25, 2023
The maximum severity of issues in this advisory is Critical.
Note
Upgrade to a fixed version (AM 7.2.1 or AM 7.3) to resolve this issue. If you cannot upgrade at this time, apply the patch for your version as an interim mitigation.
Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.
You can download patches from Backstage for the following AM versions:
Note
Customers who obtained a patch with 202207 in the name for AM 7.x must replace it with the corresponding 202301 patch; the 202207 patches for 7.x are superseded.
Customers who had already raised a ticket for a custom 7.x patch will receive the updated 202301 version of that patch via the original support ticket.
Additional details are available in a34332318.
See How do I install a PingAM (AM) patch supplied by Ping support? for further information on deploying the patch.
If you need a patch for a different version, or you already have patches installed, raise a support ticket to obtain an updated patch. Include details of your existing patches in the ticket so that the updated patch can be built with the relevant information. See How do I use the patchinfo utility to check what patches are installed for PingAM or PingGateway? or How do I check what patches are installed for Ping Identity Platform products? for how to list the patches currently installed.
Issue #202207-01 - Improper Authorization (CWE-285) - (CVE-2022-3748)
Affected versions | AM (all supported versions and possibly older unsupported versions)
---|---
Fixed versions | AM 7.2.1, AM 7.3
Component | Core Server
Severity | Critical
Description:
A critical severity Improper Authorization (CWE-285) vulnerability has been discovered in supported versions of AM. Successful exploitation can lead to impersonation and takeover of user accounts.
Mitigation:
Due to the sensitive nature of this issue, please contact ForgeRock support by raising a ticket via Backstage. Please include "AM Security Advisory #202207" in the ticket subject.
Resolution:
Deploy the relevant patch.
Change Log
The following table tracks changes to the security advisory:
Date | Description
---|---
April 18, 2023 | Updated tags to improve search
April 14, 2023 | Added CVE information
April 13, 2023 | Made advisory available to everyone
April 5, 2023 | Added fixed versions (AM 7.2.1, AM 7.3)
February 10, 2023 | Updated content and added back updated patches for 7.1.2, 7.1.3 and 7.2.0
February 6, 2023 | Expanded visibility of this advisory to partners
February 3, 2023 | Removed AM 7.2.0 and AM 7.1.3 download links while these patches were updated
February 1, 2023 | Removed AM 7.1.2 download link
January 25, 2023 | Initial release