Identity Cloud customers
This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to ForgeRock Identity Cloud.
A security vulnerability has been discovered in supported versions of AM. This vulnerability affects all current versions of AM, and could be present in older unsupported versions.
The maximum severity of issues in this advisory is Critical.
The advice for AM customers is to install the appropriate patch to fix this issue.
Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.
You can download patches from Backstage for the following AM versions:
See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.
If you need a patch for a different version or you have existing patches, please raise a support ticket to obtain an updated patch; you should provide details of your existing patches when you raise the ticket to ensure we have the relevant details. See How do I use the patchinfo utility to check what patches are installed for AM or IG (All versions)? or How do I check what patches are installed for ForgeRock products? for further information.
|Affected versions||AM (all supported versions and perhaps older unsupported versions)|
A critical severity Improper Authorization (CWE-285) vulnerability has been discovered in supported versions of AM that can lead to user account impersonation and takeover.
Due to the sensitive nature of this issue, please contact ForgeRock support by raising a ticket via Backstage. Please include "AM Security Advisory #202207" in the ticket subject.
Deploy the relevant patch.
The following table tracks changes to the security advisory:
|January 25, 2023||Initial release|