27 May, 2021
Security vulnerabilities have been discovered in AM Web Agent and Java Agent components.
The Java Agent has two vulnerabilities and the Web Agent has one vulnerability.
This advisory provides guidance on how to ensure your deployments can be properly secured. The recommendation is to update AM Agents to version 5.8.2. Workarounds are available for all the issues.
The maximum severity of issues in this advisory is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.
The recommendation is to upgrade if the fix is in a later release. If an upgrade is not possible, the recommendation is to apply a workaround described in the advisory.
Release versions implementing the fixes are available from BackStage.
Identity Cloud customers using Remote Connector Server (RCS) or Identity Gateway (IG) are not impacted.
|Affected versions||All versions 188.8.131.52 onwards and prior to 5.8.2|
|Component||AM Java Agent|
Post Data Preservation could be used as part of a reflected Cross Site Scripting (XSS) attack.
Update/upgrade to a fixed version or apply the workaround.
|Affected versions||All versions of Agent 5 prior to 5.8.2|
|Component||AM Web Agent, AM Java Agent|
When restricted tokens are enabled in AM or the Identity Cloud, and Web or Java Agent logout is configured without redirection to AM, then the token is still valid in AM. An attacker on the physical machine could use the restricted token to access that specific application when the user believed the session had ended.
Component Configuration Specifics:
- The Java Agent doesn't log out restricted tokens correctly when a Logout request parameter or Application Logout URI is set in the agent.
- The Web Agent doesn't log out restricted tokens correctly when a logout URL is accessed. This can be configured by using either Logout URL List or Agent Logout URL Regular Expression if the Invalidate Logout Session property is set to true and Logout redirect disable is set to true.
- Agent 5.5.2-5.8.1
Set a Logout Entry URI to go to an AM Logout URL, for example,
org.forgerock.agents.logout.goto.map=<am url>/UI/Logout. Optionally, a goto url could also be used, for example,
org.forgerock.agents.logout.goto.map=<am url>/UI/Logout?goto=<agenturl>/mywebapp/you_are_logged_out.html. For AM 7 or later, or the Identity Cloud to be able to use gotos after AM logouts, configure the Validation Service.
- Agent 5.0.0-184.108.40.206
Logout Entry URI uses a different property name, so use
com.sun.identity.agents.config.logout.entry.uri=<am url>/UI/Logout or
com.sun.identity.agents.config.logout.entry.uri=<am url>/UI/Logout?goto=<agenturl>/mywebapp/you_are_logged_out.html. For AM 7 or later, or the Identity Cloud to be able to use gotos after AM logouts, configure the Validation Service.
- Logout URL Properties:
- Agent Logout URL Properties:
As an example for local configurations, add the properties to the
com.forgerock.agents.config.logout.redirect.disable=false com.sun.identity.agents.config.logout.url=<am url>/UI/Logout com.sun.identity.agents.config.logout.redirect.url=<agenturl>/you_are_logged_out.html
Read Logout Redirection for more details.
The following table tracks changes to the security advisory:
|June 1, 2021||Minor editorial changes|
|May 27, 2021||Initial release|