AM Agents Security Advisory #202103

27 May, 2021

Security vulnerabilities have been discovered in AM Web Agent and Java Agent components.

The Java Agent has two vulnerabilities and the Web Agent has one vulnerability.

This advisory provides guidance on how to ensure your deployments can be properly secured. The recommendation is to update AM Agents to version 5.8.2. Workarounds are available for all the issues.

The maximum severity of issues in this advisory is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade if the fix is in a later release. If an upgrade is not possible, the recommendation is to apply a workaround described in the advisory.

Release versions implementing the fixes are available from Backstage.

See Java Agent and Web Agent documentation for upgrade instructions.

Issue #202103-01

Description:

Post Data Preservation could be used as part of a reflected Cross Site Scripting (XSS) attack.

Workaround:

Turn off Post Data Preservation. This is done by setting Post Data Preservation Enabled to false in the AM Console for centralized mode and agent.conf for local mode.

Resolution:

Update/upgrade to a fixed version or apply the workaround.

Issue #202103-02

Description:

When restricted tokens are enabled in AM or the Identity Cloud, and Web or Java Agent logout is configured without redirection to AM, then the token is still valid in AM. An attacker on the physical machine could use the restricted token to access that specific application when the user believed the session had ended.

Component Configuration Specifics:

• The Java Agent doesn't log out restricted tokens correctly when a Logout request parameter or Application Logout URI is set in the agent.
• The Web Agent doesn't log out restricted tokens correctly when a logout URL is accessed. This can be configured by using either Logout URL List or Agent Logout URL Regular Expression if the Invalidate Logout Session property is set to true and Logout redirect disable is set to true. 

Workaround:

Java Agent: 

• Agent 5.5.2-5.8.1

Set a Logout Entry URI to go to an AM Logout URL, for example, org.forgerock.agents.logout.goto.map=<am url>/UI/Logout. Optionally, a goto url could also be used, for example, org.forgerock.agents.logout.goto.map=<am url>/UI/Logout?goto=<agenturl>/mywebapp/you_are_logged_out.html. For AM 7 or later, or the Identity Cloud to be able to use gotos after AM logouts, configure the Validation Service.  

• Agent 5.0.0-5.5.1.0

Logout Entry URI uses a different property name, so use  com.sun.identity.agents.config.logout.entry.uri=<am url>/UI/Logout or com.sun.identity.agents.config.logout.entry.uri=<am url>/UI/Logout?goto=<agenturl>/mywebapp/you_are_logged_out.html. For AM 7 or later, or the Identity Cloud to be able to use gotos after AM logouts, configure the Validation Service. 

Web Agent:

Set Disabled Logout redirection to false and configure a valid AM Logout URL and logout redirect URL.

• Logout URL Properties:
  • Set Logout Properties Disabled Logout redirection to false
  • Set AM Logout URL to a valid AM logout page, for example, <am url>/UI/Logout
• Agent Logout URL Properties:
  • Set Logout Redirect URL to a valid goto address, for example, <agenturl>/you_are_logged_out.html. If using AM 7 or later, or the Identity Cloud, then configure the Validation Service.

As an example for local configurations, add the properties to the agent.conf file:

com.forgerock.agents.config.logout.redirect.disable=false com.sun.identity.agents.config.logout.url[0]=<am url>/UI/Logout com.sun.identity.agents.config.logout.redirect.url=<agenturl>/you_are_logged_out.html

Read Logout Redirection for more details. 

Change Log

The following table tracks changes to the security advisory: