Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM Security Advisory #202207

Last updated Jan 25, 2023

A security vulnerability has been discovered in supported versions of Access Management (AM). This vulnerability affects all current versions of AM, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.

Identity Cloud customers

This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to ForgeRock Identity Cloud.

January 25, 2023

A security vulnerability has been discovered in supported versions of AM. This vulnerability affects all current versions of AM, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Critical.

Note

The advice for AM customers is to install the appropriate patch to fix this issue.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and to prevent anyone from attempting to exploit them in the field. For the same reasons, please do not ask for steps to reproduce.

You can download patches from Backstage for the following AM versions:

See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.

If you need a patch for a different version or you have existing patches, please raise a support ticket to obtain an updated patch; you should provide details of your existing patches when you raise the ticket to ensure we have the relevant details. See How do I use the patchinfo utility to check what patches are installed for AM or IG (All versions)? or How do I check what patches are installed for ForgeRock products? for further information.

Issue #202207-01 - Improper Authorization (CWE-285)

Affected versions: AM (all supported versions and perhaps older unsupported versions)
Fixed versions: N/A
Component: Core Server
Severity: Critical

Description:

A critical-severity Improper Authorization (CWE-285) vulnerability has been discovered in supported versions of AM that can lead to user account impersonation and takeover.

Mitigation:

Due to the sensitive nature of this issue, please contact ForgeRock support by raising a ticket via Backstage. Please include "AM Security Advisory #202207" in the ticket subject.

Resolution:

Deploy the relevant patch.

Change Log

The following table tracks changes to the security advisory:

Date              Description
January 25, 2023  Initial release

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.