Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM Java Agents Security Advisory #201903

Last updated Aug 18, 2022

A security vulnerability has been discovered in a library used by the AM Java Agent component. This issue is present in the Java Agent 5.x release.

August 2, 2019

A security vulnerability has been discovered in a library used by AM Java Agents 5.x.

This advisory provides guidance on how to ensure your deployments can be secured. A fix for the vulnerability is available in the latest release. 

The highest rating for this component is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to AM Java Agent

Customers can obtain the AM Java Agents fixed version from Backstage.

Issue #201903-01: Polymorphic typing issue could lead to local file access

Product AM Java Agent
Affected versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0,
Fixed versions
Component Java Agent
Severity Medium


A dependency check of the Java Agent may flag the security vulnerabilities in the jackson-databind 2.x library described in CVE-2019-12814 and CVE-2019-12384. If this happens, they should be regarded as false positives. In specific circumstances, these vulnerabilities allow a remote user to access arbitrary local files and execute remote code. However, this does not affect the Java Agent because default typing and logback are not used, thus mitigating the attack.
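One way to check the two conditions named above (default typing and logback) when triaging such a dependency-check finding in your own deployment. This is an added example, not ForgeRock code: the function names, jar names and sample class entries are hypothetical, and the sample jars are constructed in memory with stand-in bytes.

```python
import io
import zipfile

# Method names that switch on Jackson polymorphic "default typing".
DEFAULT_TYPING_CALLS = (b"enableDefaultTyping", b"activateDefaultTyping")
JACKSON_PREFIX = "com/fasterxml/jackson/"  # the library defines these methods itself
LOGBACK_PREFIX = "ch/qos/logback/"

def triage_jar(jar_bytes):
    """Return (default_typing_callers, logback_classes) found in one jar."""
    callers, logback = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            if name.startswith(LOGBACK_PREFIX):
                logback.append(name)
            if name.startswith(JACKSON_PREFIX):
                continue  # a definition inside Jackson is not a caller
            # Referenced method names sit in the class constant pool as plain bytes.
            data = jar.read(name)
            if any(call in data for call in DEFAULT_TYPING_CALLS):
                callers.append(name)
    return sorted(callers), sorted(logback)

def verdict(jars):
    """jars: {jar name: bytes}. Flag for review if either condition is present."""
    report = {}
    for jar_name, blob in jars.items():
        callers, logback = triage_jar(blob)
        if callers or logback:
            report[jar_name] = {"default_typing": callers, "logback": logback}
    return ("needs-review", report) if report else ("preconditions-absent", report)

def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample jars (class bodies are stand-in bytes, not real bytecode).
SAMPLE_CLEAN = {"agent.jar": _make_jar({
    "com/example/agent/Filter.class": b"\xca\xfe\xba\xbe readValue",
    "com/fasterxml/jackson/databind/ObjectMapper.class": b"\xca\xfe\xba\xbe enableDefaultTyping"})}
SAMPLE_RISKY = {"app.jar": _make_jar({
    "com/example/app/Json.class": b"\xca\xfe\xba\xbe enableDefaultTyping",
    "ch/qos/logback/core/Context.class": b"\xca\xfe\xba\xbe"})}

if __name__ == "__main__":
    print(verdict(SAMPLE_CLEAN))
    print(verdict(SAMPLE_RISKY))
```

The scan is a heuristic: it does not open jars nested inside other archives and does not recognise relocated (shaded) package names, so a "preconditions-absent" result supports the false-positive assessment rather than proving it.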




The Jackson-Databind library dependency has been updated to version Update/upgrade to a fixed version, which includes this updated library.


Change Log

The following table tracks changes to the security advisory:

Date  Description
August 18, 2022 No changes to content - just corrected Backstage link
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
August 16, 2019 Corrected categories associated with article from AM to Agents.
August 2, 2019 Initial release

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.