Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM Agents Security Advisory #202103

Last updated Jun 1, 2021

Security vulnerabilities have been discovered in AM Web and Java® Agent components.


27 May, 2021

Security vulnerabilities have been discovered in AM Web Agent and Java Agent components.

The Java Agent has two vulnerabilities and the Web Agent has one vulnerability.

This advisory provides guidance on how to ensure your deployments can be properly secured. The recommendation is to update AM Agents to version 5.8.2. Workarounds are available for all the issues.

The maximum severity of issues in this advisory is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

Upgrade to a release that contains the fix wherever possible. If an upgrade is not possible, apply the workaround described for each issue in this advisory.

Release versions implementing the fixes are available from BackStage.

See Java Agent and Web Agent documentation for upgrade instructions.

Note

Identity Cloud customers using Remote Connector Server (RCS) or Identity Gateway (IG) are not impacted.

Issue #202103-01

Product: AM Agents
Affected versions: All versions 5.5.1.0 onwards and prior to 5.8.2
Fixed versions: 5.8.2
Component: AM Java Agent
Severity: Medium

Description:

Post Data Preservation could be used as part of a reflected Cross Site Scripting (XSS) attack.

Workaround:

Turn off Post Data Preservation by setting Post Data Preservation Enabled to false: in the AM Console for agents in centralized configuration mode, or in agent.conf for agents in local configuration mode.

Resolution:

Update/upgrade to a fixed version or apply the workaround.

Issue #202103-02

Product: AM Agents
Affected versions: All versions of Agent 5 prior to 5.8.2
Fixed versions: 5.8.2
Component: AM Web Agent, AM Java Agent
Severity: Medium

Description:

When restricted tokens are enabled in AM or the Identity Cloud, and Web or Java Agent logout is configured without redirection to AM, the user is logged out of the agent-protected application but the restricted token remains valid in AM. An attacker with access to the user's machine could reuse that restricted token to access the specific application it was issued for, after the user believed the session had ended.

Workaround (configuration specifics by component):

Java Agent: 

  • Agent 5.5.2-5.8.1

Set a Logout Entry URI that goes to an AM Logout URL, for example org.forgerock.agents.logout.goto.map=<am url>/UI/Logout. Optionally, a goto URL can be appended so the user lands on a logged-out page, for example org.forgerock.agents.logout.goto.map=<am url>/UI/Logout?goto=<agenturl>/mywebapp/you_are_logged_out.html. For AM 7 or later, or for the Identity Cloud, configure the Validation Service so that goto URLs are accepted after AM logout.

  • Agent 5.0.0-5.5.1.0

Logout Entry URI uses a different property name in these versions, so use com.sun.identity.agents.config.logout.entry.uri=<am url>/UI/Logout or com.sun.identity.agents.config.logout.entry.uri=<am url>/UI/Logout?goto=<agenturl>/mywebapp/you_are_logged_out.html. For AM 7 or later, or for the Identity Cloud, configure the Validation Service so that goto URLs are accepted after AM logout.

Web Agent:

Set Disabled Logout redirection to false and configure a valid AM Logout URL and logout redirect URL.

As an example for local configurations, add the properties to the agent.conf file:

com.forgerock.agents.config.logout.redirect.disable=false
com.sun.identity.agents.config.logout.url[0]=<am url>/UI/Logout
com.sun.identity.agents.config.logout.redirect.url=<agenturl>/you_are_logged_out.html

Read Logout Redirection for more details. 
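The following is an added example, not ForgeRock code and not part of the original advisory: a small audit script for agents in local configuration mode that parses agent.conf-style properties and reports whether the Issue #202103-02 workaround is in place, i.e. whether agent logout actually reaches AM's /UI/Logout endpoint rather than ending only the agent's local session. The property names are the ones quoted in the workarounds above; the hostnames in the sample configurations, and the acceptance of a bracketed key for the goto map property, are assumptions made for the example.

```python
"""Audit an AM agent.conf (local configuration mode) for the logout
misconfiguration in Issue #202103-02.

Constructed example written for this advisory; it is not ForgeRock code.
It reads Java-properties-style key=value lines and reports whether agent
logout will reach AM's /UI/Logout endpoint, so the AM-side (restricted)
token is actually invalidated rather than only the agent's local state.
The example hostnames below are made up."""

from urllib.parse import urlparse

# Property names exactly as quoted in the advisory workarounds.
WEB_REDIRECT_DISABLE = "com.forgerock.agents.config.logout.redirect.disable"
WEB_LOGOUT_URL = "com.sun.identity.agents.config.logout.url[0]"
WEB_REDIRECT_URL = "com.sun.identity.agents.config.logout.redirect.url"
JAVA_LOGOUT_GOTO_MAP = "org.forgerock.agents.logout.goto.map"              # Java Agent 5.5.2-5.8.1
JAVA_LOGOUT_ENTRY_URI = "com.sun.identity.agents.config.logout.entry.uri"  # Java Agent 5.0.0-5.5.1.0


def parse_properties(text):
    """Minimal properties parser: one key=value per line, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def points_to_am_logout(url):
    """True only for an absolute http(s) URL whose path ends in /UI/Logout.
    A query string (e.g. ?goto=...) is allowed; a relative path is not,
    because it would be resolved against the agent host, not AM."""
    if not url:
        return False
    parsed = urlparse(url)
    return (parsed.scheme in ("http", "https") and bool(parsed.netloc)
            and parsed.path.endswith("/UI/Logout"))


def audit_web_agent(props):
    """Return a list of findings; an empty list means the workaround is in place."""
    findings = []
    disable = props.get(WEB_REDIRECT_DISABLE, "").strip().lower()
    if disable != "false":
        # Unset is reported too: the advisory asks for an explicit false and
        # this script does not assume the product default.
        findings.append(f"{WEB_REDIRECT_DISABLE} must be false, got {disable or 'unset'}")
    if not points_to_am_logout(props.get(WEB_LOGOUT_URL)):
        findings.append(f"{WEB_LOGOUT_URL} must be <am url>/UI/Logout")
    if not props.get(WEB_REDIRECT_URL):
        findings.append(f"{WEB_REDIRECT_URL} is not set")
    return findings


def java_logout_target(props):
    """Logout URL from either property name. Accepting a bracketed map key
    (name[...]) is an assumption; the advisory shows only the plain form."""
    for name in (JAVA_LOGOUT_GOTO_MAP, JAVA_LOGOUT_ENTRY_URI):
        for key, value in props.items():
            if key == name or key.startswith(name + "["):
                return value
    return None


def audit_java_agent(props):
    """Return a list of findings; an empty list means logout goes through AM."""
    target = java_logout_target(props)
    if points_to_am_logout(target):
        return []
    return [f"{JAVA_LOGOUT_GOTO_MAP} (or {JAVA_LOGOUT_ENTRY_URI} on 5.0.0-5.5.1.0) "
            f"must be <am url>/UI/Logout, got {target or 'unset'}"]


# Constructed agent.conf fragments: one vulnerable and one fixed per component.
VULNERABLE_WEB_CONF = """
com.forgerock.agents.config.logout.redirect.disable=true
com.sun.identity.agents.config.logout.url[0]=/logout
"""
FIXED_WEB_CONF = """
com.forgerock.agents.config.logout.redirect.disable=false
com.sun.identity.agents.config.logout.url[0]=https://am.example.com/am/UI/Logout
com.sun.identity.agents.config.logout.redirect.url=https://app.example.com/you_are_logged_out.html
"""
VULNERABLE_JAVA_CONF = "# no logout entry configured: agent-only logout\n"
FIXED_JAVA_CONF = ("org.forgerock.agents.logout.goto.map="
                   "https://am.example.com/am/UI/Logout"
                   "?goto=https://app.example.com/mywebapp/you_are_logged_out.html\n")

if __name__ == "__main__":
    for label, conf, audit in (
        ("web/vulnerable", VULNERABLE_WEB_CONF, audit_web_agent),
        ("web/fixed", FIXED_WEB_CONF, audit_web_agent),
        ("java/vulnerable", VULNERABLE_JAVA_CONF, audit_java_agent),
        ("java/fixed", FIXED_JAVA_CONF, audit_java_agent),
    ):
        findings = audit(parse_properties(conf))
        print(label, "OK" if not findings else "; ".join(findings))
```

Run it against a copy of each agent's agent.conf (replace the constructed fragments with the file contents); anything it reports means a logout that stops at the agent and leaves the AM token usable. Agents in centralized mode keep these settings in the AM Console rather than agent.conf, so for them the same three checks have to be made against the agent profile in AM.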

Change Log

The following table tracks changes to the security advisory:

Date  Description
June 1, 2021 Minor editorial changes
May 27, 2021 Initial release

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.