Security Advisories

This book provides security advisories for ForgeRock products (AM, DS, IDM and IG).


Maintenance and Patch availability policy

The purpose of this article is to set out the details of the ForgeRock policy on making patches available to customers and the structure and contents of maintenance releases.

Definitions

  • Critical Issue: A critical issue is one where the impact on a customer deployment could potentially be severe.
  • Non-Critical Issue: A non-critical issue is one where the severity of the impact of the issue would be such that it could delay or inconvenience customers without putting their systems at risk of disruption.
  • Security Issue: An issue that falls under ForgeRock's Security Policy. Security issues have four severity levels (critical, high, medium and low), which are defined in the Security Policy.
  • Initial Major Release: An initial major release is the Enterprise release that marks the start of the EOSL timeline for a major release. Refer to the ForgeRock End of Service Life (EOSL) policy for further details.
  • Minor Release: A limited feature release that includes maintenance fixes. Refer to the ForgeRock End of Service Life (EOSL) policy for further details.
  • Maintenance Release: A maintenance release is a collection of fixes and minor RFEs that have been grouped together and released to ForgeRock customers as part of ForgeRock's commitment to support our customers. Maintenance releases are released under the terms of the ForgeRock End of Service Life (EOSL) policy.
  • Patch Release: A patch release is a small collection of fixes for customer reported issues. A patch release is non-breaking in terms of API compatibility and does not contain any RFEs. Refer to the ForgeRock End of Service Life (EOSL) policy for further details.
  • End of Service Life (ForgeRock End of Service Life (EOSL) policy): The ForgeRock End of Service Life Policy describes the different types of releases and the duration of support available.
  • Maintenance release regression: A maintenance release regression represents a new issue that was introduced by a fix included in a maintenance release.
  • Patch: A patch represents a fix to a specific issue or set of issues that is provided to a ForgeRock customer separately from a maintenance release or a patch release.
  • Back-port: A back-port is where an issue that has been fixed in a newer version of the product is made available in an older version of the product.
  • Request for Enhancement (RFE): An RFE represents a request from a customer to enhance an existing feature or function of the product, or potentially a whole new feature or function.

Maintenance Release Contents

ForgeRock's maintenance release policy is aligned to the ForgeRock End of Service Life (EOSL) policy and provides maintenance releases for three years after the initial major release. This section describes ForgeRock's policy on providing maintenance releases for each of those three years. ForgeRock reserves the right to amend this policy at any time and without notice. The contents of maintenance releases are decided entirely at ForgeRock's discretion.

First Year
  Targeted Content:
  • Fixes for critical and security issues
  • Maintenance release regressions
  • Customer reported issues
  • Fixes for non-critical issues back-ported based on their expected customer impact
  Optional Content:
  • Small RFEs / customer requests

Second Year
  Targeted Content:
  • Fixes for critical and security issues
  • Maintenance release regressions
  • Fixes for customer reported issues on this version for which a patch has been issued
  Optional Content:
  • Customer reported issues from other versions that should be back-ported due to likely wider customer impact

Third Year
  Targeted Content:
  • Fixes for critical and security issues
  • Maintenance release regressions
  • Fixes for customer reported issues on this version for which a patch has been issued
  Optional Content:
  • N/A

In all the above cases, ForgeRock reserves the right of refusal over back-ports on a given version if said bugs are caused by architectural issues that may or may not be resolved in later versions of the product. The only RFEs included within a maintenance release are small RFEs that do not change or impact existing functionality.

Patching Policy

The patching policy depends on the product as follows:

  • Access Management: patch releases
  • Agents: patch releases
  • Directory Services: individual patches
  • Identity Management: patch releases
  • Identity Gateway: individual patches
Note

Where possible, customers should upgrade to the latest patch release.

ForgeRock's policy on delivering patch releases/patches for a specific version of the product depends on the nature of the issue, its criticality and the age of the release; this is described in the table below:

First Year
  • Critical and Security Issues: Patch Releases/Patches will be provided for all affected maintenance releases and the current major/minor releases.
  • Non-Critical Issues: Patch Releases/Patches will be provided for all affected maintenance releases and the current major/minor releases.

Second Year
  • Critical and Security Issues: Patch Releases/Patches will be provided for the latest maintenance release and the previous maintenance release (including the major/minor release if applicable).
  • Non-Critical Issues: Patch Releases/Patches will be provided for the latest maintenance release and, if less than 6 months have passed since the latest maintenance release, for the previous version.

Third Year
  • Critical and Security Issues: Patch Releases/Patches will be provided for the latest maintenance release.
  • Non-Critical Issues: Patch Releases/Patches will be provided purely at ForgeRock's discretion.

As described in the ForgeRock End of Service Life (EOSL) policy, in the fourth and final year of service life, patch releases/patches will only be made available for critical issues and security issues at the critical or high severity level, and will only be applied to the latest maintenance release.

Individual patches

Patches are fixes that may be supplied to individual customers to address specific issues. If these fixes are provided in the latest patch or maintenance release, we will advise customers to move to this release in the first instance, only providing individual patch builds in exceptional circumstances. ForgeRock aims to make these fixes available to other customers by including them in the next patch or maintenance release. Fixes for critical issues, where feasible, will be provided as long as the corresponding version hasn’t reached its final EOSL date. If this is not feasible, ForgeRock will provide a solution for the latest maintenance version of any affected releases that have not yet reached EOSL. Patches for non-critical issues will be provided at ForgeRock’s discretion. 

See Also

ForgeRock End of Service Life (EOSL) policy

Checking your product versions are supported

ForgeRock Products Support and Patch Policies


Access Management


AM Security Advisory #202110

Security vulnerabilities have been discovered in supported versions of Access Management (AM). These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.

Identity Cloud customers

This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform. 

December 7, 2021

Security vulnerabilities have been discovered in supported versions of AM. These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0 and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Critical.

Note

The advice is to upgrade or apply a patch to mitigate these issues. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

In accordance with ForgeRock’s Maintenance and Patch availability policy, patches are available from BackStage for the following versions:

* ForgeRock are providing a patch for AM 5.5.2 even though this is outside the scope of the Maintenance and Patch availability policy; please note that this action does not constitute a change to said policy.

See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.

Issue #202110-01: Broken Access Control

Affected versions  AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0
Fixed versions AM 6.5.4, AM 7.1.1
Component Core Server
Severity Critical

Description:

It may be possible to bypass some authentication controls and gain access to other users' session tokens.

Workaround:

Block or restrict access to the PLL servlet endpoints:

  • /authservice
  • /sessionservice
  • /profileservice
  • /policyservice
  • /namingservice
  • /loggingservice

These are legacy endpoints that may be used by ssoadm, by Agents prior to version 5 and by the OpenAM Java SDK (removed in AM 5.5.0). Additionally, in pre-AM 6 versions, these endpoints may be used for AM crosstalk. If you know these components are in use, restrict access to the endpoints to a trusted network; otherwise they can be blocked completely. More information on how to block these endpoints can be found in the following KB article: Best practice for blocking the top level realm in a proxy for AM (All versions)

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 patch release.

Issue #202110-02: Cross Site Scripting (XSS)

Affected versions AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0
Fixed versions AM 6.5.4, AM 7.1.1
Component Core Server
Severity High

Description:

AM is vulnerable to cross-site scripting (XSS) attacks via the oauth2/authorize endpoint, which could lead to session hijacking or phishing.

Workaround:

The oauth2/authorize endpoint is used in some OAuth2/OIDC flows and by AM Agents 5 and above. You can protect the oauth2/authorize endpoint with the container (for example, using the mod_security Apache module) or filter external requests if the endpoint is not used, or until a patch is deployed.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 patch release.

The security advisory patch contains both a binary fix (which fixes known instances of the 202110-02 XSS issue) and an XUI fix (which includes additional hardening to help prevent further XSS issues on this endpoint within the XUI).

If you have customized the XUI, you should apply the binary fix in the first instance (by removing the XUI directory from the patch before deploying it) and then you can apply the XUI fix to your XUI customizations by following the instructions in the README included in the advisory.

Acknowledgements

Maxime Escourbiac (https://cert.michelin.com/)

Maxence Schmitt (https://cert.michelin.com/)

Change Log

The following table tracks changes to the security advisory:

Date  Description
December 8, 2021 Added clarification to Issue #202110-02 about XUI customizations
December 7, 2021 Initial release

AM Security Advisory #202106

Security vulnerabilities have been discovered in supported versions of Access Management (AM). These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.

Identity Cloud customers

This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to the ForgeRock Identity Cloud.

August 5, 2021

Security vulnerabilities have been discovered in supported versions of AM. These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Critical.

Note

The advice is to upgrade or apply a patch to mitigate these issues. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone from trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

In accordance with ForgeRock’s Maintenance and Patch availability policy, patches are available from BackStage for the following versions:

* ForgeRock are providing patches for #202106-01 and #202106-03 on AM 5.5.2 even though this is outside the scope of the Maintenance and Patch availability policy; please note that this action does not constitute a change to said policy.

See How do I install an AM patch (All versions) supplied by ForgeRock support? and the embedded README for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.

Issue #202106-01: XML injection vulnerability (CVE-2021-37154)

Affected versions AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1
Fixed versions AM 6.5.4, AM 7.0.2, AM 7.1.0
Component Core Server
Severity Critical 

Description:

A well-crafted XML document can be used to inject additional XML to create fraudulent SAML 2.0 assertions.

Workaround:

None.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.0.0 and 7.0.1 is provided in the AM 7.0.2 patch release.

Issue #202106-02: Broken Authentication (CVE-2021-37153)

Affected versions AM 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1
Fixed versions AM 6.5.4, AM 7.0.2, AM 7.1.0
Component Core Server
Severity High 

Description:

It may be possible to bypass authentication checks on some trees where Active Directory® is the Identity Store.

Workaround:

You can use one of the following workarounds to mitigate this issue:

  • Do not use a Zero Page Login Collector node when Active Directory is the Identity Store.
  • Disable unauthenticated binds in Active Directory (this option is available in Microsoft® Windows® Server 2019 and later).

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.0.0 and 7.0.1 is provided in the AM 7.0.2 patch release.

Issue #202106-03: Account Enumeration

Affected versions AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.0 and 7.0.1
Fixed versions AM 6.5.4, AM 7.0.2, AM 7.1.0
Component Core Server
Severity Medium 

Description:

It may be possible to perform user enumeration on a vulnerable endpoint.

Workaround:

Block access to the /.well-known/webfinger endpoint at the reverse proxy or load balancer. This needs to be done for each realm, even if OpenID Connect is not enabled in that realm.

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.0.0 and 7.0.1 is provided in the AM 7.0.2 patch release.

Change Log

The following table tracks changes to the security advisory:

Date  Description
October 19, 2021 Added AM 6.5.4 as a fixed version
August 10, 2021  Clarified that issue 202106-01 applies to SAML 2.0  
August 5, 2021 Initial release

AM Security Advisory #202104

A security vulnerability has been discovered in supported versions of Access Management (AM). This vulnerability affects versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3; it also affects older unsupported versions: AM 5.x; OpenAM 9.x, 10.x, 11.x, 12.x and 13.x. You should secure your deployments at the earliest opportunity as outlined in this security advisory. NOTE: This does not affect AM 7 and above.

Identity Cloud customers 

This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform. 

June 29, 2021

A security vulnerability has been discovered in supported versions of AM. This vulnerability affects versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3; it also affects older unsupported versions: AM 5.x; OpenAM 9.x, 10.x, 11.x, 12.x and 13.x.

The maximum severity of the issue in this advisory is Critical.

This Security Advisory provides details of workarounds that you should apply immediately to secure your deployment. These workarounds are suitable for all versions, including older unsupported ones.

Additionally, consult this document Technical Impact Assessment CVE-2021-35464 which provides more detailed information on the issue and how to determine if you have been impacted.

Details of a patch are also included, but we recommend you apply a workaround immediately as a first step.

Issue #202104-01 Remote Code Execution (CVE-2021-35464)

Affected versions

AM 5.x, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3

OpenAM 9.x, 10.x, 11.x, 12.x and 13.x

Fixed versions AM 6.5.4, AM 7
Component Core Server
Severity Critical 

Description:

Using a well-constructed request, an attacker may be able to perform remote code execution by sending a specially crafted request to an exposed remote endpoint.

Workarounds:

You can secure your deployments using one of the following two options:

  • WORKAROUND OPTION 1: Disable the VersionServlet mapping by commenting out the following section in the AM web.xml file (for example, this file is located in the /path/to/tomcat/webapps/openam/WEB-INF directory for Apache Tomcat™):

    <servlet-mapping>
        <servlet-name>VersionServlet</servlet-name>
        <url-pattern>/ccversion/*</url-pattern>
    </servlet-mapping>

To comment out the above section, apply the following changes to the web.xml file:

    <!--
    <servlet-mapping>
        <servlet-name>VersionServlet</servlet-name>
        <url-pattern>/ccversion/*</url-pattern>
    </servlet-mapping>
    -->

For Tomcat, you can just restart the web application container to apply these changes; for JBoss®, you must repack the AM war file with the updated web.xml file and redeploy.

  • WORKAROUND OPTION 2: Block access to the ccversion endpoint using a reverse proxy or other method. On Tomcat, ensure that access rules cannot be bypassed using known path traversal issues (a proxy rule that matches the raw request path can be sidestepped by a URL that Tomcat normalizes differently, for example one containing a ..; segment): see Tomcat path traversal via reverse proxy mapping.
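The proxy-side blocking recommended in this workaround, in the PLL servlet workaround for Issue #202110-01 and in the webfinger workaround for Issue #202106-03 all share the same failure mode: a rule that matches the raw request path is bypassed by a URL that Tomcat normalizes before routing. The following is an added example (not ForgeRock code) that models the deny decision with the path normalized first; the context path /openam, the probe URLs and the realm prefix in the webfinger probe are assumptions for illustration. It is meant for testing candidate rules against bypass shapes before you put the equivalent rule into Apache or nginx, where the proxy must normalize the same way.

```python
"""Model of a reverse-proxy deny rule for the AM endpoints that the advisories
say to block (/ccversion, the PLL servlets, /.well-known/webfinger), with the
request path normalized the way Tomcat normalizes it before matching.

Added example for this page; not ForgeRock code. The context path /openam and
the probe request paths are assumptions."""
import posixpath
from urllib.parse import unquote

CONTEXT = "/openam"  # assumed deployment context

# Paths blocked relative to the context (taken from the advisory workarounds).
BLOCKED_PREFIXES = (
    "/ccversion",                                          # #202104-01, VersionServlet
    "/authservice", "/sessionservice", "/profileservice",
    "/policyservice", "/namingservice", "/loggingservice", # #202110-01, PLL servlets
)
# Blocked wherever it appears under the context, so every realm is covered.
BLOCKED_SUFFIXES = ("/.well-known/webfinger",)             # #202106-03


def naive_blocked(raw_path: str) -> bool:
    """What a rule such as '^/openam/ccversion' does: match the raw request path."""
    return any(raw_path.startswith(CONTEXT + p) for p in BLOCKED_PREFIXES) or \
        any(raw_path.endswith(s) for s in BLOCKED_SUFFIXES)


def tomcat_normalize(raw_path: str) -> str:
    """Approximate the path Tomcat will actually route: drop ';param' from every
    segment (so '..;' becomes '..'), percent-decode once, then resolve '.' and '..'."""
    segments = [unquote(seg.split(";", 1)[0]) for seg in raw_path.split("/")]
    norm = posixpath.normpath("/".join(segments))
    # normpath preserves a leading '//'; collapse it so the prefix check is exact.
    while norm.startswith("//"):
        norm = norm[1:]
    return norm


def is_blocked(raw_path: str) -> bool:
    """Hardened rule: decide on the normalized path, and deny anything that does
    not normalize to a location under the AM context at all."""
    path = tomcat_normalize(raw_path)
    if path != CONTEXT and not path.startswith(CONTEXT + "/"):
        return True
    rel = path[len(CONTEXT):]
    if any(rel == p or rel.startswith(p + "/") for p in BLOCKED_PREFIXES):
        return True
    return any(rel.endswith(s) for s in BLOCKED_SUFFIXES)


# Constructed probe paths with the expected decision; the ';' and percent-encoded
# probes are the bypass shapes the advisory's Tomcat caveat is about.
PROBES = {
    "/openam/ccversion/version/version": True,
    "/openam/foo/..;/ccversion/version/version": True,   # ';' path-parameter traversal
    "/openam/%63cversion/version/version": True,          # percent-encoded letter
    "/openam/./ccversion": True,
    "/openam/sessionservice": True,
    "/openam/realms/root/.well-known/webfinger": True,    # realm prefix is illustrative
    "/openam/json/authenticate": False,
    "/openam/XUI/": False,
}


def evaluate(rule) -> dict:
    """Return {probe: decision} for a rule function, for side-by-side comparison."""
    return {p: rule(p) for p in PROBES}


if __name__ == "__main__":
    for probe, expected in PROBES.items():
        print(f"{probe:45} naive={naive_blocked(probe)!s:5} "
              f"hardened={is_blocked(probe)!s:5} expected={expected}")
```

Run it and the naive rule misses the ..; and percent-encoded probes while the normalized rule blocks them; anything that escapes the context after normalization is denied outright rather than forwarded. Remember the advisory's own caveat: block the PLL endpoints only if ssoadm, pre-5 Agents, the Java SDK and crosstalk are not in use, otherwise restrict them to a trusted network instead.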

Resolution:

A single patch is available from BackStage, which can be deployed on the following versions:

  • AM 6.5.3
  • AM 6.5.2.x
  • AM 6.5.1
  • AM 6.5.0.x
  • AM 6.0.0.x

The AM 6.5.3 patch works for all AM 6.x versions.

See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. Please note this patch will overwrite console classes already in the WEB-INF/classes directory and this is to be expected. However, if you are still unsure whether you can successfully apply the patch to your environment, please raise a ticket with ForgeRock Support.

Change Log

The following table tracks changes to the security advisory:

Date  Description
October 19, 2021 Added AM 6.5.4 as a fixed version
July 14, 2021 Added instructions for JBoss
July 13, 2021 Noted that this patch will overwrite console classes and listed out all affected versions
July 12, 2021 Clarified that the workarounds work for older unsupported versions
July 9, 2021 Added links to patches and added recommendation to immediately apply workarounds
July 8, 2021 Added Technical Impact Assessment document 
July 5, 2021 Clarified that Tomcat needs to be restarted
June 29, 2021 Initial release

AM Security Advisory #202101

Security vulnerabilities have been discovered in AM components. These issues may be present in AM 7.0, 6.5.0-6.5.2.3, 6.0.0-6.0.0.7, 5.0.0-5.5.2 and earlier versions.

Note

This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to the ForgeRock Identity Cloud.

February 1, 2021  

Security vulnerabilities have been discovered in AM components. These issues may be present in AM 7.0, 6.5.0-6.5.2.3, 6.0.0-6.0.0.7, 5.0.0-5.5.2 and earlier versions. 

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds, patches or Patch Releases are available for all the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

If an upgrade is not possible, the recommendation is to deploy the relevant patches or if the fix is in a patch release, upgrade to that patch release.

Per ForgeRock's Maintenance and Patch availability policy, we have provided patches for the latest maintenance release and the previous maintenance release for the 6.5.x versions. We have also extended this to the 5.5.x versions. You can obtain patch bundles for the following versions from BackStage:

  • 6.5.2.3
  • 6.5.1
  • 5.5.2
  • 5.5.1

For all other versions, it is strongly recommended you upgrade to the latest maintenance version.

Issue #202101-01: Remote code execution

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.1
Fixed versions 5.5.2, 6.5.2, 7.0.0
Component Core Server
Severity Critical

Description:

Using a well-constructed request an attacker may be able to perform remote code execution by sending a specially crafted request to an exposed remote endpoint.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #202101-02: Remote Code Execution

Product AM
Affected versions  5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2
Fixed versions 6.5.2.1, 6.5.3, 7.0.0 
Component Core Server
Severity High

Description:

It may be possible to use unsafe reflection to perform remote code execution.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #202101-03: Broken Authentication

Product AM
Affected versions 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2
Fixed versions 6.5.2.1, 6.5.3, 7.0.0
Component Core Server
Severity High

Description:

It may be possible to bypass authentication checks on some OAuth2 Clients.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #202101-04: Cross-Site Request Forgery (CSRF)

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 5.5.2, 6.5.3, 7.0.0
Component Core Server
Severity High 

Description:

AM is vulnerable to cross-site request forgery (CSRF) attacks, which could cause an end user to execute unwanted actions on a web application in which they are currently authenticated.

Workaround:

Set Default Resource Version to "None", or in AM 6 onwards, ensure the CsrfFilter is enabled.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #202101-05: Information Exposure

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 5.5.2, 6.5.3, 7.0.0
Component Core Server
Severity Medium

Description:

AM contains debugging code or error messages that can expose sensitive information or too much detail either in the logs or in error response calls.

Workaround:

Do not enable message level debug for log issues and sanitize error responses.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-06: Cross Site Scripting

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 5.5.2, 6.5.3, 7.0.0
Component Core Server
Severity Medium

Description:

AM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-07: Account Enumeration

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.1
Fixed versions 5.5.2, 6.5.2.2, 6.5.3
Component Core Server
Severity Medium

Description:

It may be possible to perform user enumeration on a vulnerable endpoint.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-08: Business Logic Vulnerability

Product AM
Affected versions 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 6.5.3, 7.0.0
Component Core Server
Severity Medium

Description:

It may be possible to bypass re-authentication on a certain OpenID Connect flow. 

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-09: Business Logic Vulnerability

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.7, 6.5.0-6.5.2.1
Fixed versions 5.5.2, 6.5.2.2, 6.5.3
Component Core Server
Severity Medium

Description:

Disabling the account does not prevent OAuth2 access or authorization codes to be issued and will still allow access to the introspect and token issue endpoints.

Workaround:

Remove the account instead of disabling it.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-10: Information Exposure

Product AM
Affected versions 7.0.0
Fixed versions 7.0.1
Component Core Server
Severity Medium

Description:

In a certain flow, sensitive data is sent as a URL parameter and this could result in this being logged in proxies or server logs.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle. The fix for AM 7.0.0 is provided in patch release 7.0.1. 

Issue #202101-11: Cache Manipulation

Product AM
Affected versions 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 6.5.3, 7.0.0
Component Core Server
Severity Medium

Description:

It may be possible to store arbitrary data in an AM cache. 

Workaround:

Disable the cache as follows:

  • Using ssoadm:

    ./ssoadm update-server-cfg -s default -u amadmin -f pwd.txt -a com.iplanet.am.sdk.caching.enabled=false com.sun.identity.sm.cache.enabled=true

  • Using the console:
    1. Navigate to Deployment > Servers > Server Name > Advanced.
    2. Set the value of the com.iplanet.am.sdk.caching.enabled property to false to disable caching overall.
    3. Set the value of the com.sun.identity.sm.cache.enabled property to true to enable configuration data caching.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #202101-12: Missing Access Control

Product AM
Affected versions 5.0.0-5.5.2, 6.0.0-6.0.0.7, 6.5.0-6.5.2.3
Fixed versions 6.5.3, 7.0.0
Component Core Server
Severity Low

Description:

Through a well-crafted attack, it may be possible to force a downgrade attack in the processing of PKCE (OAuth2).

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
February 8, 2021 Reduced severity of Issues #202101-06 and #202101-07 to Medium (from High); removed a fixed version from issue 202101-02 as it was never released
February 4, 2021 Added text to clarify this does not apply to the ForgeRock Identity Cloud
February 1, 2021 Initial release

AM/OpenAM Security Advisory #201901

Security vulnerabilities have been discovered in AM/OpenAM components. These issues may be present in AM 6.5.0-6.5.0.1, 6.0.0-6.0.0.6, 5.0.0-5.5.1 and OpenAM 13.0.0-13.5.2, 12.0.x. The OpenAM Community Edition 11.0.3 may also be affected.

June 4, 2019

Security vulnerabilities have been discovered in AM/OpenAM components. These issues may be present in AM 6.5.0-6.5.0.1, 6.0.0-6.0.0.6, 5.0.0-5.5.1 and OpenAM 13.0.0-13.5.2, 12.0.x. The OpenAM Community Edition 11.0.3 may also be affected.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds, patches or Patch Releases are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

If an upgrade is not possible, the recommendation is to deploy the relevant patches or if the fix is in a patch release, upgrade to that patch release.

Security Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • OpenAM 13.5.2
  • AM 5.1.1
  • AM 5.5.1

Customers can obtain these patch bundles from BackStage.

Issue #201901-01: Vulnerable Component

Product AM
Affected versions 5.0.0-5.5.1, 6.0.0-6.0.0.6, 6.5.0
Fixed versions 6.0.0.7, 6.5.0.2, 6.5.1
Component Core Server
Severity Critical

Description:

Certain configurations of OAuth2 clients may be susceptible to client impersonation.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch release/patch bundle:

  • If you are on 6.5.0 or 6.5.0.1, the fix is provided in patch release 6.5.0.2 
  • If you are on 6.0.0.x version, the fix is provided in patch release 6.0.0.7

Issue #201901-02: Broken access control

Product AM
Affected versions 5.5.0-5.5.1, 6.0.0-6.0.0.6, 6.5.0-6.5.0.1
Fixed versions 6.0.0.7, 6.5.0.2, 6.5.1
Component Core Server
Severity Critical

Description:

It may be possible to create policies for unentitled resources.

Workaround:

Block requests to the 'users/xyz/policies' endpoint (where xyz is the user ID).

Note: CREATE operations recorded in the access.audit log with "component":"Policy" and performed by ordinary (non-administrative) users indicate that this endpoint has been used.

Additionally, auditing existing policies for unsolicited entries is recommended.
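The two checks suggested in this workaround (look for user CREATE actions on the Policy component in the access audit log, and review policies for unsolicited entries) can be run as a script. The following is an added example, not ForgeRock code: the audit-log field layout it reads (component, request.operation, http.request.path, userId, client.ip, response.status) is assumed from AM's JSON access audit log, the amadmin identity string and the policy createdBy/creationDate fields are assumptions, and every sample line is constructed.

```python
"""Detection for Issue #201901-02: find successful policy CREATE operations issued
by non-administrators or through the users/<id>/policies endpoint, and cross-check
an exported policy set for entries not created by an administrator.

Added example for this page; not ForgeRock code. Field names are assumed from
AM's JSON access audit log; sample records are constructed."""
import json
import re
from typing import Dict, Iterable, List

ADMIN_IDS = {"id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org"}  # assumed admin identity
# Matches .../json/users/<id>/policies, with or without realm segments in front.
USER_POLICIES_PATH = re.compile(r"/json/(?:realms/[^/]+/)*users/([^/]+)/policies(?:/|$|\?)")

# Constructed sample of access.audit.json lines (trimmed to the fields used here).
SAMPLE_AUDIT_LINES = [
    '{"timestamp":"2019-06-04T10:15:02.113Z","eventName":"AM-ACCESS-OUTCOME","component":"Policy","realm":"/","userId":"id=alice,ou=user,dc=openam,dc=forgerock,dc=org","request":{"protocol":"CREST","operation":"CREATE"},"http":{"request":{"method":"POST","path":"http://am.example.com/openam/json/users/alice/policies"}},"client":{"ip":"203.0.113.10"},"response":{"status":"SUCCESSFUL","statusCode":"201"}}',
    '{"timestamp":"2019-06-04T10:16:40.002Z","eventName":"AM-ACCESS-OUTCOME","component":"Policy","realm":"/","userId":"id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org","request":{"protocol":"CREST","operation":"CREATE"},"http":{"request":{"method":"POST","path":"http://am.example.com/openam/json/policies"}},"client":{"ip":"192.0.2.5"},"response":{"status":"SUCCESSFUL","statusCode":"201"}}',
    '{"timestamp":"2019-06-04T10:17:11.500Z","eventName":"AM-ACCESS-OUTCOME","component":"Policy","realm":"/","userId":"id=alice,ou=user,dc=openam,dc=forgerock,dc=org","request":{"protocol":"CREST","operation":"QUERY"},"http":{"request":{"method":"GET","path":"http://am.example.com/openam/json/users/alice/policies"}},"client":{"ip":"203.0.113.10"},"response":{"status":"SUCCESSFUL","statusCode":"200"}}',
    '{"timestamp":"2019-06-04T10:18:03.900Z","eventName":"AM-ACCESS-OUTCOME","component":"Authentication","realm":"/","userId":"id=bob,ou=user,dc=openam,dc=forgerock,dc=org","request":{"protocol":"CREST","operation":"ACTION"},"http":{"request":{"method":"POST","path":"http://am.example.com/openam/json/authenticate"}},"client":{"ip":"198.51.100.7"},"response":{"status":"SUCCESSFUL","statusCode":"200"}}',
    'not json at all',
]


def find_user_policy_creates(lines: Iterable[str]) -> List[Dict]:
    """One finding per successful CREATE on component Policy that was issued by a
    non-admin identity or went through the users/<id>/policies path."""
    findings = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except ValueError:
            continue  # skip malformed lines instead of aborting the sweep
        if ev.get("component") != "Policy":
            continue
        if ev.get("request", {}).get("operation") != "CREATE":
            continue
        if ev.get("response", {}).get("status") != "SUCCESSFUL":
            continue
        path = ev.get("http", {}).get("request", {}).get("path", "")
        user = ev.get("userId", "")
        via_user_endpoint = bool(USER_POLICIES_PATH.search(path))
        if via_user_endpoint or user not in ADMIN_IDS:
            findings.append({"timestamp": ev.get("timestamp"), "userId": user,
                             "ip": ev.get("client", {}).get("ip"), "path": path,
                             "via_user_endpoint": via_user_endpoint})
    return findings


# Constructed excerpt of an exported policy set; createdBy/creationDate are
# assumed policy metadata field names.
SAMPLE_POLICIES = [
    {"name": "admin-policy", "createdBy": "id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org", "creationDate": 1559642200002},
    {"name": "sneaky", "createdBy": "id=alice,ou=user,dc=openam,dc=forgerock,dc=org", "creationDate": 1559642102113},
]


def unsolicited_policies(policies: Iterable[dict]) -> List[str]:
    """Names of policies whose createdBy is not an administrator identity."""
    return [p["name"] for p in policies if p.get("createdBy") not in ADMIN_IDS]


if __name__ == "__main__":
    for finding in find_user_policy_creates(SAMPLE_AUDIT_LINES):
        print("suspect policy CREATE:", finding)
    print("unsolicited policies:", unsolicited_policies(SAMPLE_POLICIES))
```

Against the constructed sample the sweep reports only alice's CREATE through users/alice/policies (the admin's CREATE via /json/policies and alice's QUERY are ignored), and the policy review flags the one entry whose createdBy is not an administrator. Run the first function over every access.audit.json file for the period the affected version was deployed, and the second over a policy export from each realm.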

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch release/patch bundle:

  • If you are on 6.5.0 or 6.5.0.1, the fix is provided in patch release 6.5.0.2 
  • If you are on 6.0.0.x version, the fix is provided in patch release 6.0.0.7

Issue #201901-03: Cross Site Scripting

Product OpenAM, AM
Affected versions 13.0.0-13.5.2, 5.0.0-5.5.1
Fixed versions 6.0.0
Component Core Server
Severity Critical

Description:

AM is vulnerable to cross-site scripting (XSS) attacks which could lead to session hijacking or phishing:

  • /openam/Masthead.jsp. Patch for: 13.5.2, 5.1.1, 5.5.1 Fixed in 6.0.0 +
  • SAMLPOSTProfileServlet. Patch for: 13.5.2, 5.1.1, 5.5.1 Fixed in 6.0.0 +
  • oauth2/authorize. Patch for: 13.5.2, 5.1.1, 5.5.1 Fixed in 6.0.0 +

Workaround:

Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed. 

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201901-04: Security Misconfiguration

Product OpenAM, AM
Affected versions 13.0.0-13.5.1, 5.0.0-5.5.1
Fixed versions 13.5.2, 6.0.0
Component Core Server
Severity Medium

Description:

TLS hostname verification is disabled by default on some services.

Workaround:

Remove the standard CAs from the trust store and instead manually add individual certificates or intermediate CAs for the services you need to connect to.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201901-05: Broken Access Control: Federation

Product OpenAM, AM
Affected versions 13.0.0-13.5.1, 5.0.0-5.5.1
Fixed versions 13.5.2, 6.0.0
Component Core Server
Severity Medium

Description:

It may be possible to bypass authentication in certain SAML session upgrade scenarios.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201901-06: Open Redirect

Product AM
Affected versions 5.0.0-5.5.1
Fixed versions 6.0.0
Component Core Server
Severity Medium

Description:

The Agent based CDSSO may not correctly validate redirect URLs allowing an attacker to redirect an end-user to a site they control.

Workaround:

Ensure that Enable Cookie Hijacking Prevention is enabled, i.e. com.sun.identity.enableUniqueSSOTokenCookie is set to true.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201901-07: Business Logic Vulnerability

Product OpenAM, AM
Affected versions 13.0.0-13.5.1, 5.0.0-5.5.1
Fixed versions 13.5.2, 6.0.0
Component Core Server
Severity High

Description:

In some circumstances, memory-based account lockout may fail to work. This does not affect persistent lockout.

Workaround:

Use persistent (physical) lockout.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201901-08: Open Redirect and Potential XSS

Product OpenAM, AM
Affected versions 13.5.0, 5.0.0-5.1.1
Fixed versions 13.5.2, 5.5.0
Component Core Server
Severity Medium

Description:

Error handling by the /oauth2/authorize endpoint may result in an unvalidated redirect URL and potential reflected XSS.

Workaround:

None

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Reference:

CVE-2017-14394, CVE-2017-14395  

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
June 4, 2019 Initial release

AM/OpenAM Security Advisory #201801

Security vulnerabilities have been discovered in AM/OpenAM components. These issues may be present in AM 5.0, AM 5.1.x and OpenAM 12.0.x, 13.0.0 and 13.5.0. The OpenAM Community Edition 11.0.3 may also be affected.

January 17, 2018

Security vulnerabilities have been discovered in AM/OpenAM components. These issues may be present in AM 5.0, AM 5.1.x and OpenAM 12.0.x, 13.0.0 and 13.5.0. The OpenAM Community Edition 11.0.3 may also be affected.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 12.0.4
  • 13.5.0
  • AM 5.0.0
  • AM 5.1.0
  • AM 5.1.1

Customers can obtain these patch bundles from BackStage.

Issue #201801-01: Business Logic Vulnerability

Product OpenAM
Affected versions 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions 13.5.1
Component Core Server, Server Only
Severity Critical

Description:

A specific type of request will allow access to another resource owner's access token.

Workaround:

Do not use the JWT bearer token grant type.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-02: Configuration password stored in plain text

Product OpenAM
Affected versions 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions 13.5.1
Component Core Server, Server Only
Severity High

Description:

Export of server settings displays certain configuration passwords in clear text.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-03: Cross Site Scripting

Product AM, OpenAM
Affected versions AM 5.0.0, 5.1.0, 5.1.1 (see pages listed below); OpenAM 13.0.0, 13.5.0
Fixed versions AM 5.0.0, 5.5.1; OpenAM 13.5.1
Component Core Server, Server Only
Severity High

Description:

AM/OpenAM is vulnerable to cross-site scripting (XSS) attacks, which could lead to session hijacking or phishing.

Affecting AM/OpenAM configuration pages:

  • /task/ConfigureOAuth2 - Patch for AM 5.0.0, AM 5.1.0, OpenAM 13.5.0
  • json/global-config/servers?_action=create - Patch for AM 5.0.0, AM 5.1.0, OpenAM 13.5.0
  • realm-config/authentication/modules/ - Patch for OpenAM 13.5.0
  • Authorization-policysets - Patch for OpenAM 13.5.0
  • 400 error pages - affects IE only - Patch for AM 5.0.0, AM 5.1.0, AM 5.1.1, OpenAM 13.5.0

Workaround:

Protect the listed endpoints with the container (for example using the mod_security Apache module) or filter external requests until a patch is deployed.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-04: Open Redirect

Product OpenAM
Affected versions 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

The following XUI base URLs do not correctly validate certain redirect URLs allowing an attacker to redirect an end-user to a site they control:

  • XUI/#login
  • XUI/#logout

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-05: Business Logic Vulnerability

Product OpenAM
Affected versions 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

The tokeninfo endpoint does not correctly validate the token signature, allowing a carefully crafted ID token to gain access to that endpoint.

Workaround:

Block access to the following URI endpoint:

  • /oauth2/tokeninfo

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
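As an added example (not ForgeRock code) of the check that issue #201801-05 describes as missing: a small Python verifier that validates an HS256 token's signature, with the algorithm pinned, before any claim is trusted, and rejects an unsigned ("alg": "none") token or one whose payload was re-encoded under an old signature. The key and tokens are constructed for the example.

```python
"""Verify a JWS compact token before trusting its claims (added example, not
ForgeRock code). This is the validation that issue #201801-05 says the
tokeninfo endpoint skipped: the algorithm is pinned, the signature is checked
with a constant-time comparison, and only then is the payload used. The key is
constructed for the example."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key: a deployment uses the server's own signing key.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Compact serialization strips padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (stand-in for the server's token issuer)."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only when the signature verifies, otherwise None.

    Order matters: the algorithm is pinned, then the signature is checked,
    and only then is the payload parsed. Nothing taken from an unverified
    token is allowed to decide how the token is verified.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # rejects "none" and any algorithm we did not issue
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        provided = _b64url_decode(sig_b64)
        if not hmac.compare_digest(expected, provided):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON and non-ASCII segments
        return None
    return claims if isinstance(claims, dict) else None


def reencoded_payload(token: str, new_claims: dict) -> str:
    """Negative test input: same header and signature, different payload."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + _json_b64(new_claims) + "." + sig_b64


def unsigned_token(claims: dict) -> str:
    """Negative test input: an 'alg: none' token with an empty signature."""
    return _json_b64({"alg": "none"}) + "." + _json_b64(claims) + "."


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "tokenName": "id_token"}, DEMO_KEY)
    print("valid token ->", verify_hs256(good, DEMO_KEY))
    print("re-encoded  ->", verify_hs256(reencoded_payload(good, {"sub": "admin"}), DEMO_KEY))
    print("alg none    ->", verify_hs256(unsigned_token({"sub": "admin"}), DEMO_KEY))
    print("wrong key   ->", verify_hs256(good, b"another-key"))
```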

Issue #201801-06: Business Logic Vulnerability

Product OpenAM
Affected versions 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

OIDC refresh token is accepted when account is disabled.

Workaround:

Remove a user's account within the directory instead of disabling it.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-07: Information Leakage

Product OpenAM
Affected versions OpenAM Community Edition 11.0.3, 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

It is possible to obtain information about which accounts exist on the system by sending carefully crafted requests to the following endpoints:

  • /json/authenticate

Workaround:

Block access to the following endpoints:

  • /json/authenticate

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-08: Business Logic Vulnerability

Product OpenAM
Affected versions 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

Insufficient validation of the Authentication Context Class Reference at the OpenID Connect endpoint.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-09: Business Logic Vulnerability

Product OpenAM
Affected versions 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

Insufficient entropy in Push/Oath recovery codes.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.
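To make the defect class in issue #201801-09 concrete, an added example (not ForgeRock code): recovery codes drawn uniformly from a CSPRNG, with the generator refusing any code format whose value space falls below an entropy floor, and only hashes of the codes kept for one-time redemption. The alphabet, code length and floor are constructed for the example.

```python
"""Recovery codes with enough entropy, drawn from a CSPRNG and stored only as
hashes (added example, not ForgeRock code). A recovery code is only as strong
as the number of values it can take, so the generator refuses a format below
an entropy floor. Alphabet, lengths and floor are constructed for the example."""
import hashlib
import hmac
import math
import secrets
from typing import Dict, List

# 32 symbols with the easily confused 0/O and 1/I/l left out (constructed choice).
ALPHABET = "abcdefghijkmnpqrstuvwxyz23456789"
MIN_ENTROPY_BITS = 80  # constructed floor; below this, offline guessing is cheap


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a code of `length` symbols drawn uniformly."""
    return length * math.log2(alphabet_size)


def generate_recovery_codes(count: int = 10, length: int = 16,
                            alphabet: str = ALPHABET) -> List[str]:
    """Return `count` distinct codes, each carrying at least MIN_ENTROPY_BITS."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat symbols")
    bits = entropy_bits(len(alphabet), length)
    if bits < MIN_ENTROPY_BITS:
        raise ValueError(
            f"{bits:.1f} bits of entropy is below the {MIN_ENTROPY_BITS}-bit floor")
    codes = set()
    while len(codes) < count:
        # secrets.choice is uniform and cryptographically strong; random.choice is not.
        codes.add("".join(secrets.choice(alphabet) for _ in range(length)))
    return sorted(codes)


def hash_code(code: str) -> str:
    """Only the hash is stored, so a leaked table yields no usable codes."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def new_code_store(codes: List[str]) -> Dict[str, bool]:
    """Map of code hash -> True while the code is still unused."""
    return {hash_code(c): True for c in codes}


def redeem(store: Dict[str, bool], presented: str) -> bool:
    """Consume a code exactly once; hashes are compared in constant time."""
    candidate = hash_code(presented.strip())
    for stored_hash, unused in store.items():
        if hmac.compare_digest(stored_hash, candidate):
            if not unused:
                return False  # already spent
            store[stored_hash] = False
            return True
    return False


if __name__ == "__main__":
    print(f"16 symbols from 32: {entropy_bits(32, 16):.0f} bits")
    print(f"6 digits:           {entropy_bits(10, 6):.1f} bits")
    issued = generate_recovery_codes(count=3)
    store = new_code_store(issued)
    print("first redeem ->", redeem(store, issued[0]))
    print("replay       ->", redeem(store, issued[0]))
```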

Issue #201801-10: LDAP Injection Vulnerability

Product OpenAM
Affected versions 13.0.0, 13.5.0
Fixed versions 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

A well-crafted request can cause LDAP injection on a particular endpoint.

Workaround:

Disable the following OpenID Connect specific endpoint:

  • oauth2/userinfo

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-11: Business Logic Vulnerability

Product OpenAM
Affected versions 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Low

Description:

Users without an email address may be susceptible to password reset using the user self-service endpoint.

Workaround:

Disable User Self Service: Password Reset

Ensure every user has an email registered.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-12: Content Spoofing Vulnerability

Product OpenAM
Affected versions 12.0.0-12.0.4, 13.0.0, 13.5.0
Fixed versions AM 5.0.0, OpenAM 13.5.1
Component Core Server, Server Only
Severity Medium

Description:

Using a carefully crafted authentication request or a malformed URI request, an attacker can cause an alternative error message to be displayed.

Workaround:

Block access to the following endpoint:

  • /json/authenticate

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-13: Business Logic Vulnerability

Product AM
Affected versions 5.0.0, 5.1.0, 5.1.1
Fixed versions AM 5.5.1
Component Core Server, Server Only
Severity Medium

Description:

Stateless Session blacklisting may fail in certain configurations.

Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Issue #201801-14: Business Logic Vulnerability

Product AM
Affected versions 5.0.0, 5.1.0
Fixed versions AM 5.1.1
Component Core Server, Server Only
Severity High

Description:

In certain situations, ID tokens may be reused in an incorrect context, potentially allowing unauthorized access.

Workaround:

Disable "Save OPS Tokens" for the SSO Provider.

Remove the OpenIdConnectSSOProvider from org.forgerock.openam.sso.providers.list in advanced properties and restart the server(s). 

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch bundle.

Security Enhancement

Description:

Some REST APIs in AM expect SSOToken IDs as part of the URL. This may potentially be logged in various locations and misused by a malicious administrator.

This has been fixed in AM 5.5.0, which allows the REST APIs to take the token from headers and/or the POST body.

Workaround:

Restrict access to any system logs that may record token IDs.

Resolution:

Update/upgrade to a fixed version.

Documentation Known Issues

The following OAuth1 JSP endpoints were removed in 13.5.0:

  • /oauth/deletetoken.jsp
  • /oauth/deleteconsumer.jsp
  • /oauth/registerconsumer.jsp
  • /oauth/userconsole.jsp

These endpoints still exist in OpenAM 13.0.0 but are not listed in the 13.0.0 endpoint documentation: Reference › Service Endpoints

Use of these endpoints can be restricted with the appropriate access restrictions and authorization, as described in the documentation.

As these are likely to be unused and redundant, they may be deleted to avoid any potential security issues.

Acknowledgements

Florian Hansemann (https://hansesecure.de/)

Johnny Nipper (https://www.linkedin.com/in/johnnynipper/)

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
August 29, 2019 Updated link for Florian Hansemann in Acknowledgements section.
January 17, 2018 Initial release

Agents


Web Agents Security Advisory #202107

A security vulnerability has been discovered in supported versions of Web Agents. This vulnerability affects versions 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.8.2, and 5.8.2.1. You should secure your deployments at the earliest opportunity as outlined in this security advisory.

Identity Cloud customers

If you have integrated Web Agents with Identity Cloud, you should secure your Web Agents as recommended in this security advisory.

September 20, 2021

A security vulnerability has been discovered in supported versions of Web Agents. This vulnerability affects versions 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.8.2, and 5.8.2.1.

The maximum severity of issues in this advisory is High.

Note

The advice is to upgrade. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

See Upgrade Web Agent for upgrade instructions.

Issue #202107-01

Affected versions 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.8.2, 5.8.2.1
Fixed versions 5.9.0 
Component Web Agent
Severity High 

Description:

An unauthenticated attacker can attack an agent endpoint with a cookie, causing a web server worker process to crash. The non-default option org.forgerock.openam.agents.config.multivalue.pre.authn.cookies needs to be 1 for this to be exploitable.

Workaround:

If org.forgerock.openam.agents.config.multivalue.pre.authn.cookies=1 then change it to org.forgerock.openam.agents.config.multivalue.pre.authn.cookies=0.

See SSO Properties for details.

Resolution:

Upgrade to a fixed version.

Change Log

The following table tracks changes to the security advisory:

Date  Description
September 21, 2021 Corrected doc link
September 20, 2021 Initial release

Web Agents Security Advisory #202105

Security vulnerabilities have been discovered in supported versions of Web Agents. These vulnerabilities affect versions 5.6.3, 5.7.0, 5.8.0, 5.8.1 and 5.8.2. You should secure your deployments at the earliest opportunity as outlined in this security advisory.

Identity Cloud customers

If you have integrated Identity Cloud with Web Agents, you should secure your Web Agents as recommended in this security advisory.

July 8, 2021

Security vulnerabilities have been discovered in supported versions of Web Agents. These vulnerabilities affect versions 5.6.3, 5.7.0, 5.8.0, 5.8.1 and 5.8.2.

The maximum severity of issues in this advisory is High.

Note

The advice is to upgrade. In some cases, a workaround is given which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

See Upgrading Web Agents for upgrade instructions.

Issue #202105-01

Affected versions Web Agent 5.6.3, 5.7.0, 5.8.0, 5.8.1 and 5.8.2 
Fixed versions 5.8.2.1 
Component Web Agent
Severity High

Description:

An unauthenticated attacker can attack a non-default configured agent logout endpoint, causing a web server worker process to crash. Other non-default settings need to be set in order for this to be exploitable.

Workaround:

You can secure your Agents using one of the following two options:

  • Add a proxy rule to redirect traffic from the agent logout endpoint(s) to <AM URL>/UI/Logout.
  • Disable agent logout by removing the agent logout URL from either the Agent Logout URL Regular Expression or the Logout URL List. See AM Services Properties for further information.

Resolution:

Upgrade to a fixed version.

Change Log

The following table tracks changes to the security advisory:

Date  Description
August 23, 2021 Added link to upgrade instructions
August 3, 2021 Added 5.6.3 as an affected version and removed the “could be present in older unsupported versions” text because it does not affect earlier versions
July 8, 2021  Initial release

AM Agents Security Advisory #202103

Security vulnerabilities have been discovered in AM Web and Java® Agent components.

27 May, 2021

Security vulnerabilities have been discovered in AM Web Agent and Java Agent components.

The Java Agent has two vulnerabilities and the Web Agent has one vulnerability.

This advisory provides guidance on how to ensure your deployments can be properly secured. The recommendation is to update AM Agents to version 5.8.2. Workarounds are available for all the issues.

The maximum severity of issues in this advisory is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade if the fix is in a later release. If an upgrade is not possible, the recommendation is to apply a workaround described in the advisory.

Release versions implementing the fixes are available from BackStage.

See Java Agent and Web Agent documentation for upgrade instructions.

Note

Identity Cloud customers using Remote Connector Server (RCS) or Identity Gateway (IG) are not impacted.

Issue #202103-01

Product AM Agents
Affected versions All versions 5.5.1.0 onwards and prior to 5.8.2
Fixed versions 5.8.2
Component AM Java Agent
Severity Medium

Description:

Post Data Preservation could be used as part of a reflected Cross Site Scripting (XSS) attack.

Workaround:

Turn off Post Data Preservation. This is done by setting Post Data Preservation Enabled to false in the AM Console for centralized mode and agent.conf for local mode.

Resolution:

Update/upgrade to a fixed version or apply the workaround.

Issue #202103-02

Product AM Agents
Affected versions All versions of Agent 5 prior to 5.8.2
Fixed versions 5.8.2
Component AM Web Agent, AM Java Agent
Severity Medium

Description:

When restricted tokens are enabled in AM or the Identity Cloud, and Web or Java Agent logout is configured without redirection to AM, then the token is still valid in AM. An attacker on the physical machine could use the restricted token to access that specific application when the user believed the session had ended.

Component Configuration Specifics:

Workaround:

Java Agent: 

  • Agent 5.5.2-5.8.1

Set a Logout Entry URI that goes to an AM Logout URL, for example, org.forgerock.agents.logout.goto.map=<am url>/UI/Logout. Optionally, a goto URL can also be used, for example, org.forgerock.agents.logout.goto.map=<am url>/UI/Logout?goto=<agenturl>/mywebapp/you_are_logged_out.html. For AM 7 or later, or Identity Cloud, to be able to use goto URLs after AM logout, configure the Validation Service.

  • Agent 5.0.0-5.5.1.0

Logout Entry URI uses a different property name, so use com.sun.identity.agents.config.logout.entry.uri=<am url>/UI/Logout or com.sun.identity.agents.config.logout.entry.uri=<am url>/UI/Logout?goto=<agenturl>/mywebapp/you_are_logged_out.html. For AM 7 or later, or Identity Cloud, to be able to use goto URLs after AM logout, configure the Validation Service.

Web Agent:

Set Disabled Logout redirection to false and configure a valid AM Logout URL and logout redirect URL.

As an example for local configurations, add the properties to the agent.conf file:

com.forgerock.agents.config.logout.redirect.disable=false
com.sun.identity.agents.config.logout.url[0]=<am url>/UI/Logout
com.sun.identity.agents.config.logout.redirect.url=<agenturl>/you_are_logged_out.html

Read Logout Redirection for more details. 

Change Log

The following table tracks changes to the security advisory:

Date  Description
June 1, 2021 Minor editorial changes
May 27, 2021 Initial release

AM Agents Security Advisory #201905

Security vulnerabilities have been discovered in the AM Web and Java Agents. These issues are present in Agents 5.x.

November 05, 2019

Security vulnerabilities have been found in the AM Web and Java Agents.

This advisory provides guidance on how to ensure your deployments can be secured. Fixes for the vulnerabilities are available in the latest releases. 

The highest rating for a Web Agent vulnerability is Critical and is exploitable; the highest rating for a Java Agent vulnerability is also Critical but is not exploitable. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to AM Web Agent 5.6.2.0 and AM Java Agent 5.6.2.0.

Customers can obtain the AM Web and Java Agents fixed version from BackStage.

Issue #201905-01

Product AM Web Agent
Affected versions 5.0, 5.0.1.0, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.5.1.0, 5.5.1.1
Fixed versions 5.6.2.0
Component Core Server
Severity Critical

Description:

AM Web Agent uses a field called "suid" which contains the session id. This can be spoofed in the id_token or copied from another user's token.

Workaround:

N/A

Resolution:

Upgrade to version 5.6.2.0.

Issue #201905-02

Product AM Java Agent
Affected versions 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.5.0, 5.5.1, 5.6.0, 5.6.1
Fixed versions 5.6.2.0
Component Core Server
Severity Critical

Description:

Addresses the following CVEs found in the Jackson-Databind library:

  • CVE-2019-16335 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource.
  • CVE-2019-14540 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

This is a critical defect, but it is deemed not exploitable because the Agent does not use polymorphic typing. The library has nevertheless been updated in case the customer's application or container uses the Agent's copy of jackson-databind.

Workaround:

The Medium article "On Jackson CVEs: Don’t Panic — Here is what you need to know" says:

  1. Try to keep up with updated versions of Jackson (jackson-databind): it should always be safe to upgrade to the latest patch version of a given minor version (safest in the sense that there should be no breaking changes to functionality).
  2. If possible, AVOID enabling default typing (since it is usually class name based). It is better to be explicit about specifying where polymorphism is needed.
  3. AVOID using java.lang.Object (or, java.util.Serializable) as the nominal type of polymorphic values, regardless of whether you use per-type, per-property, or Default Typing.
  4. If possible USE “type name” and NOT classname as type id: @JsonTypeInfo(use = Id.NAME) — this may require annotation of type name (see @JsonTypeName and @JsonSubTypes).

Especially consider the fact that if you can do either (3) or (4), you will prevent use of this class of exploits.

Resolution:

Upgrade to version 5.6.2.0, which includes Jackson-Databind version 2.10.

Issue #201905-03

Product AM Java Agent
Affected versions 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.5.0, 5.5.1, 5.6.0, 5.6.1
Fixed versions 5.6.2.0
Component Core Server
Severity Critical

Description:

Addresses the following CVEs found in the Jackson-Databind library:

  • CVE-2019-16942 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
  • CVE-2019-16943 - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

This is a critical defect, but it is deemed not exploitable because the Agent does not use polymorphic typing. The library has nevertheless been updated in case the customer's application or container uses the Agent's copy of jackson-databind.

Workaround:

The Medium article "On Jackson CVEs: Don’t Panic — Here is what you need to know" says:

  1. Try to keep up with updated versions of Jackson (jackson-databind): it should always be safe to upgrade to the latest patch version of a given minor version (safest in the sense that there should be no breaking changes to functionality).
  2. If possible, AVOID enabling default typing (since it is usually class name based). It is better to be explicit about specifying where polymorphism is needed.
  3. AVOID using java.lang.Object (or, java.util.Serializable) as the nominal type of polymorphic values, regardless of whether you use per-type, per-property, or Default Typing.
  4. If possible USE “type name” and NOT classname as type id: @JsonTypeInfo(use = Id.NAME) — this may require annotation of type name (see @JsonTypeName and @JsonSubTypes).

Especially consider the fact that if you can do either (3) or (4), you will prevent use of this class of exploits.

Resolution:

Upgrade to version 5.6.2.0, which includes Jackson-Databind version 2.10.

Issue #201905-04

Product AM Web Agent
Affected versions 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.6.0, 5.6.1
Fixed versions 5.6.2.0
Component Core Server
Severity Medium

Description:

OAuth2 id token is vulnerable to a CSRF attack.

Workaround:

Use HTTPS transport.

Resolution:

Upgrade to version 5.6.2.0.

Issue #201905-05

Product AM Web Agent and Java Agent
Affected versions 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.6.0, 5.6.1
Fixed versions 5.6.2.0
Component Core Server
Severity Medium

Description:

The Secure cookie property does not function, so the Secure flag is not set on the cookie when requested. It should be set by default over HTTPS to prevent the cookie being manipulated over non-TLS connections.

Workaround:

N/A

Resolution:

Upgrade to version 5.6.2.0.

Issue #201905-06

Product AM Web and Java Agent
Affected versions 5.0, 5.0.1, 5.0.1.1, 5.0.1.2, 5.1.0, 5.5.0, 5.6.0, 5.6.1
Fixed versions 5.6.2.0
Component Core Server
Severity Medium

Description:

The agent logout page should set a no-cache header: if the logout page is served from the cache, the logout does not happen, and the end user may not be forced to re-validate their credentials.

Workaround:

N/A

Resolution:

Upgrade to version 5.6.2.0.

Issue #201905-07

Product AM Web Agent
Affected versions 5.6.0, 5.6.1, 5.6.1.1
Fixed versions 5.6.2.0
Component Core Server
Severity Low

Description:

Large amounts of data in requests or responses can cause the agent to crash. This can happen in some configurations due to the extended request size or when there is a lot of data being requested from AM in terms of attributes.

Workaround:

Consider reverting to default request sizes. Minimize the use of longer fields in session/profile/response attributes.

Resolution:

Upgrade to version 5.6.2.0.

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
5th November 2019 Initial release

AM/OpenAM Web Agents Security Advisory #201904

Security vulnerabilities have been discovered in AM/OpenAM Web agents.

September 4, 2019

Two security vulnerabilities have been discovered in AM/OpenAM Web agents.

This advisory provides guidance on how to ensure your deployments can be secured. A fix for the vulnerabilities is available in the latest releases for Web Agents 4 and 5 respectively. 

The maximum severity of issues in this advisory is High. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to Web Agents 5.6.1.1 or Web Agents 4.2.1.2.

Customers can obtain the Agents fixed versions from BackStage.

Issue #201904-01

Product OpenAM Web Agents
Affected versions 4.0.x, 4.1.x, 4.2.0, 4.2.1.0, 4.2.1.1
Fixed versions 4.2.1.2
Component Web Agent
Severity High

Description:

In libexpat in Expat before 2.2.7, XML input (including XML names that contain a large number of colons) could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

https://www.cvedetails.com/cve/CVE-2018-20843/ 

Workaround:

N/A

Resolution:

Upgrade to Web Agent 4.2.1.2 (which includes an updated expat library version) or use Agents 5.x which is not affected because it does not use this library.

Issue #201904-02

Product AM/OpenAM Web Agents
Affected versions 4.1.x, 4.2.0, 4.2.1.0, 4.2.1.1, 5.0.x, 5.5.x
Fixed versions 4.2.1.2, 5.6.0.0
Component Nginx Web Agent 
Severity High

Description:

The Nginx Web Agent does not honour the client body size maximum directive for chunk-encoded data. Apache and IIS agents are not affected.

Workaround:

Agents 4.x only: Don't use Post Data Preservation.

Resolution:

Update/upgrade to a fixed version.

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
September 4, 2019 Initial release

AM Java Agents Security Advisory #201903

A security vulnerability has been discovered in a library used by the AM Java Agent component. This issue is present in the Java Agent 5.x release.

August 2, 2019

A security vulnerability has been discovered in a library used by AM Java Agents 5.x.

This advisory provides guidance on how to ensure your deployments can be secured. A fix for the vulnerability is available in the latest release. 

The highest rating for this component is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to AM Java Agent 5.6.1.1.

Customers can obtain the AM Java Agents fixed version from BackStage.

Issue #201903-01: Polymorphic typing issue could lead to local file access

Product AM Java Agent
Affected versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0, 5.6.1.0
Fixed versions 5.6.1.1
Component Java Agent
Severity Medium

Description:

The security vulnerabilities in the jackson-databind 2.x library, as outlined in CVE-2019-12814 and CVE-2019-12384, may be flagged during a dependency check of the Java Agent. If this happens, they should be regarded as false positives. These vulnerabilities allow a remote user, in specific circumstances, to access arbitrary local files and execute remote code. However, this does not affect the Java Agent because default typing and logback are not used, which mitigates the attack.

Workaround:

N/A

Resolution:

The Jackson-Databind library dependency has been updated to version 2.9.9.1. Update/upgrade to a fixed version, which includes this updated library.

References:

https://nvd.nist.gov/vuln/detail/CVE-2019-12814

https://nvd.nist.gov/vuln/detail/CVE-2019-12384

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
August 16, 2019 Corrected categories associated with article from AM to Agents.
August 2, 2019 Initial release

AM Agents Security Advisory #201902

Security vulnerabilities have been discovered in AM Web and Java Agents. These issues are present in Agents 5.x.

July 04, 2019

Three security vulnerabilities have been discovered in AM Web Agents and one issue has been found in AM Java Agents.

This advisory provides guidance on how to ensure your deployments can be secured. Fixes for the vulnerabilities are available in the latest releases. 

The highest rating for each component is High. Deployers should take immediate steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to upgrade to AM Web Agent 5.6.1.0 and AM Java Agent 5.6.1.0.

Customers can obtain the AM Web and Java Agents fixed version from BackStage.

Issue #201902-01: Access permitted to revoked sessions with misconfiguration

Product AM Web Agent
Affected versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Fixed versions 5.6.1.0
Component Web Agent
Severity High

Description:

It is possible to start the agent with notifications enabled; however, where permissions are misconfigured, notifications can be non-functional, allowing revoked sessions to access protected resources.

Workaround:

Follow installation/documentation advice carefully regarding permissions to avoid misconfiguration of permissions.

Resolution:

The Web Agent Installer now has improvements around run-time and install-time permission checking. Update/Upgrade to a fixed version to receive them.

Issue #201902-02: Polymorphic typing issue could lead to local file access

Product AM Java Agent
Affected versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Fixed versions 5.6.1.0
Component Java Agent
Severity High

Description:

A remote user in specific circumstances (outlined in CVE-2018-12086) can access local files. This does not affect the Java Agent because default typing is not used, which mitigates the attack. However, the library version may be flagged during a dependency check; if this happens, it can be marked as a false positive.

Workaround:

N/A

Resolution:

The Jackson-Databind library dependency has been updated to version 2.9.8. Update/upgrade to a fixed version, which includes this updated library.

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2019-12086

Issue #201902-03: Heap inspection issues

Product AM Web Agent
Affected versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Fixed versions 5.6.1.0
Component Web Agent
Severity Medium

Description:

Local attackers may be able to gain information by inspecting the heap memory in some circumstances.

Workaround:

Apply local security policies to restrict local access to the host.

Resolution:

Update/upgrade to a fixed version.

Issue #201902-04: String operations could lead to agent crash

Product AM Web Agent
Affected versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Fixed versions 5.6.1.0
Component Core Server
Severity Medium

Description:

The fix tightens validation of string operations, which already used reasonable safeguards according to best practice.

Workaround:

N/A

Resolution:

Update/upgrade to a fixed version.

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
July 8, 2019 Reworded description in Issue #201902-02 to clarify that the Java agent is not affected but it may be flagged in a dependency check. Minor cosmetic changes.
July 4, 2019 Initial release

Web Agents Security Advisory #201802

A Security vulnerability has been discovered in the AM Web Agent component. This issue is present in the Web Agent 5.0 release. Earlier Web agents, and the community editions, are not affected.

January 18, 2018

A Security vulnerability has been discovered in the AM Web Agent component. This issue is present in the Web Agent 5.0 release. Earlier Web agents, and the community editions, are not affected.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Medium. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant revised agent build, version 5.0.0.1 (in accordance with ForgeRock’s Maintenance and Patch availability policy). This is an update to the main release:

  • Web Agent 5.0

Customers can obtain this patched agent from BackStage.

Issue #201802-01: Single Sign On Access Vulnerability

Product AM
Affected versions 5.0
Fixed versions 5.0.0.1
Component Web Agent
Severity Medium

Description:

When using ‘SSO Only’ mode, it is possible to still access protected resources following user logout.

Workaround:

Do not use SSO Only mode.

Resolution:

Update/upgrade to the fixed version of the Web Agent, 5.0.0.1 or later.

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization

Directory Services


DS Security Advisory #202108

Security vulnerabilities have been discovered in supported versions of Directory Services (DS). These vulnerabilities affect version 7.1.0 only and are not present in older versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.

Identity Cloud customers

This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform. 

December 7, 2021

Security vulnerabilities have been discovered in supported versions of DS. These vulnerabilities affect version 7.1.0 only and are not present in older versions. These vulnerabilities also affect embedded DS versions in AM and IDM. Refer to What versions of DS are compatible with AM? and/or What versions of DS are compatible with IDM? for corresponding AM/IDM versions.

The maximum severity of issues in this advisory is Medium (CVSS 6.5).

Note

The advice is to upgrade or apply a patch to mitigate these issues. In one case, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

In accordance with ForgeRock’s Maintenance and Patch availability policy, patches are available from BackStage for the following version:

See How do I install a DS patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.

Issue #202108-01: Trailing non-LDAP data on LDAPS connections causes server thread spin

Affected versions DS 7.1.0, AM 7.1.0, IDM 7.1.0
Fixed versions DS 7.1.1, AM 7.1.1
Component Core Server
Severity Medium (CVSS 6.5)

Description:

Trailing non-LDAP bytes sent by a client to the administration connector (default port 4444) or an LDAPS connection handler (default port 636) would cause a server thread to spin even after the connection was closed by the client.

ForgeRock has not identified any LDAP clients that cause this server bug, which is only known to be caused by certain SCAP scanners.

Workaround:

None.

Resolution:

Upgrade to a fixed version or deploy the relevant patch.

Issue #202108-02: TLS renegotiation causes server thread spin

Affected versions DS 7.1.0, AM 7.1.0, IDM 7.1.0
Fixed versions DS 7.1.1, AM 7.1.1
Component Core Server
Severity Medium (CVSS 6.5)

Description:

TLS renegotiation attempts sent by a client to the administration connector (default port 4444) or an LDAPS connection handler (default port 636) would cause a server thread to spin even after the connection was closed by the client.

ForgeRock has not identified any LDAP clients that cause this server bug, which is only known to be caused by certain SCAP scanners.

Workaround:

Because the TLS renegotiation feature was removed from TLS 1.3, a workaround is to enable only TLS 1.3 for the administration connector and any LDAPS connection handlers.

Resolution:

Upgrade to a fixed version or deploy the relevant patch.

Change Log

The following table tracks changes to the security advisory:

Date  Description
December 7, 2021 Initial release

DS/OpenDJ Security Advisory #202001

ForgeRock has discovered two Medium-level security vulnerabilities and one Low-level security vulnerability present in supported versions of ForgeRock Directory Services (DS) and OpenDJ. The vulnerabilities also affect embedded DS/OpenDJ in AM 5.x, AM 6.x and OpenAM 13.x as well as IDM 6.x.

May 18, 2020

ForgeRock has discovered two Medium-level security vulnerabilities and one Low-level security vulnerability present in supported versions of DS and OpenDJ. The vulnerabilities also affect embedded DS/OpenDJ in AM 5.x, AM 6.x and OpenAM 13.x as well as IDM 6.x (for more information, see What versions of DS are compatible with AM?). Unsupported and open sourced versions of OpenDJ may also be affected. See each issue below for details on the affected supported versions.

This advisory provides guidance on how to ensure your deployments are properly secured. Customers can download cumulative patches fixing this DS/OpenDJ advisory and all previous DS/OpenDJ security advisories for all supported versions of DS and OpenDJ from BackStage.

See How do I install a DS patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.

Note

Customers with existing DS/OpenDJ patches must raise a ticket with ForgeRock support to obtain an updated patch: https://backstage.forgerock.com/support/tickets. If you do not have any patches or you only have an older security patch installed, you can just download the patch from BackStage.

Issue #202001-01: Proxy authorization can access inappropriate data

Product ForgeRock Directory Services
Affected versions DS 5.5.0, DS 5.5.1, DS 5.5.2, DS 5.5.3, DS 6.0.0, DS 6.5.0, DS 6.5.1, DS 6.5.2, DS 6.5.3
Fixed versions DS 6.5.4, DS 7
Component Core Server,  Proxy Server
Severity Medium

Description:

Accounts with the additional proxied-auth privilege, which are also allowed to use the proxy authorization controls, may be abused to access inappropriate entries and attributes in the server.

Configuration Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #202001-02: Replication recovery can cause account state inconsistencies

Product ForgeRock Directory Services, OpenDJ
Affected versions DS 5.0.0, DS 5.5.0, DS 5.5.1, DS 5.5.2, DS 5.5.3, DS 6.0.0, DS 6.5.0, DS 6.5.1, DS 6.5.2, DS 6.5.3, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3
Fixed versions DS 6.5.4, DS 7
Component Core Server
Severity Medium

Description:

The normal replication recovery process fails to correctly replay all changes, which could cause divergences in the security state of user accounts across the replication topology.

Configuration Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Issue #202001-03: Extended operations disclose account state

Product ForgeRock Directory Services, OpenDJ
Affected versions DS 5.0.0, DS 5.5.0, DS 5.5.1, DS 5.5.2, DS 5.5.3, DS 6.0.0, DS 6.5.0, DS 6.5.1, DS 6.5.2, DS 6.5.3, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3
Fixed versions DS 6.5.4, DS 7
Component Core Server
Severity Low

Description:

The LDAP “Who Am I” (RFC 4532) and “Password Modify” (RFC 3062) extended operations do not correctly determine if the user can use any attached controls, which could lead to disclosure of the user’s account state.

Configuration Workaround:

None.

Resolution:

Update/upgrade to a fixed version or deploy the relevant patch.

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
September 16, 2020 Added DS 6.5.4 as fixed versions for these issues.
September 1, 2020 Added DS 7 as fixed versions for these issues.
May 19, 2020 Added "If you do not have any patches or you only have an older security patch installed, you can just download the patch from BackStage." to note for clarity.
May 18, 2020 Initial release

DS/OpenDJ Security Advisory #201803

ForgeRock has discovered a Medium-level security vulnerability in ForgeRock Directory Services (DS) 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS/OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0.

August 28, 2018

ForgeRock has discovered a Medium-level security vulnerability in DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS/OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0 (for more information, see What versions of DS are compatible with AM?).

This advisory provides guidance on how to ensure your deployments can be secured. The recommendation is to deploy the relevant patch or upgrade to DS 5.5.2. See How do I install a DS patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.

Customers can download a cumulative patch fixing this issue and all previous security advisories for DS 5.0.0, 5.5.0, 5.5.1, 6.0.0 and OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3 from BackStage.

Note

Customers with existing DS/OpenDJ patches must raise a ticket with ForgeRock support to obtain an updated patch: https://backstage.forgerock.com/support/tickets.

Issue #201803-01: Locked accounts are vulnerable to password guessing attacks

Product ForgeRock Directory Services, OpenDJ
Affected versions DS 5.0.0, 5.5.0, 5.5.1, 6.0.0, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3
Fixed versions DS 5.5.2
Component Core Server
Severity Medium

Description:

The password policy response control is returned incorrectly when an account is locked and a bind operation for the account includes the correct password. As a result, it is possible to brute force a locked account’s password even after it has been locked due to too many authentication failures.

Workaround:

None.

Resolution:

Update/upgrade to DS 5.5.2 or deploy the relevant patch bundle.

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
October 22, 2018  Added DS 5.5.2 as a fixed version
August 28, 2018 Initial release

DS/OpenDJ Security Advisory #201706

Security vulnerabilities have been discovered in ForgeRock Directory Services (DS) 5.0, 5.5 and in OpenDJ versions 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 3.0.0, 3.5.0, 3.5.1, 3.5.2. The OpenDJ Community Edition 2.6.4 is also affected.

November 9, 2017

Security vulnerabilities have been discovered in DS 5.0, 5.5 and in OpenDJ versions 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 3.0.0, 3.5.0, 3.5.1, 3.5.2. The OpenDJ Community Edition 2.6.4 is also affected.

These versions of DS/OpenDJ are embedded in AM 5.0, 5.5 and OpenAM 11.x, 12.x, 13.x, as well. Please see What versions of DS/OpenDJ are compatible with AM/OpenAM? for more information.

This advisory provides guidance on how to ensure your deployments can be secured. Patches are available for the issues, which are included in the DS 5.5 release and in the forthcoming OpenDJ 3.5.3 maintenance release.

The severity of the issues in this advisory is between Low and Medium. Deployers should take steps as outlined in this advisory and apply the relevant updates at the earliest opportunity.

The recommendation for customers is to deploy the relevant patch, upgrade to DS 5.5 or OpenDJ 3.5.3 (when available). See How do I install a DS patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.

The cumulative patches fixing this and all previous OpenDJ security advisories are available to customers for DS 5.0 and OpenDJ 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 3.0.0, 3.5.0, 3.5.1, 3.5.2 from BackStage.

Note

Customers with existing DS/OpenDJ patches must raise a ticket with ForgeRock support to obtain an updated patch: https://backstage.forgerock.com/support/tickets.

Issue #201706-01: Disk paths may be revealed in operation error messages

Product DS, OpenDJ
Affected versions DS 5.0, OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2
Fixed versions DS 5.5, OpenDJ 3.5.3
Component Core Server
Severity Low

Description:

DS/OpenDJ’s built-in disk space monitor detects when the disk space is full, and blocks write operations. The error responses returned to LDAP or REST clients contain the path to the underlying backend. This information leakage may be useful to an attacker.

Workaround:

None.

Resolution:

Update/upgrade to DS 5.5 or to OpenDJ 3.5.3 when available, or deploy the relevant patch.

Issue #201706-02: SASL security layer may use excessive memory

Product DS, OpenDJ
Affected versions DS 5.0, 5.5, OpenDJ 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, Community Edition 2.6.4, 3.0.0, 3.5.0, 3.5.1, 3.5.2
Fixed versions OpenDJ 3.5.3
Component Core Server
Severity Medium

Description:

The DIGEST-MD5 and GSS-API SASL mechanisms allow for confidentiality and/or integrity protection in the SASL network layer. The SASL client and server negotiate a buffer size to use in this layer, and a malicious client could cause the server to use excessive memory. Confidentiality and integrity protection are not enabled for these mechanisms by default.

Workaround:

Disable the DIGEST-MD5 and GSS-API SASL mechanisms, or at least set their quality-of-protection properties to “none” to prevent security layer negotiation. For example:

$ ./dsconfig set-sasl-mechanism-handler-prop --handler-name DIGEST-MD5 --set quality-of-protection:none
$ ./dsconfig set-sasl-mechanism-handler-prop --handler-name GSS-API --set quality-of-protection:none

TLS is a suitable alternative to the use of SASL security layers.

Resolution:

Update/upgrade to OpenDJ 3.5.3 when available or deploy the relevant patch.

Issue #201706-03: File-Based Audit Logger reveals plaintext passwords

Product DS
Affected versions DS 5.0
Fixed versions DS 5.5
Component Core Server
Severity Medium

Description:

The File-Based Audit Logger will log any plain text passwords received in add or modify operations. This logger is disabled by default.

Workaround:

Do not enable the File-Based Audit Logger. For example:

$ ./dsconfig set-log-publisher-prop --publisher-name File-Based\ Audit\ Logger --set enabled:false

Resolution:

Update/upgrade to DS 5.5, or deploy the relevant patch.

Issue #201706-04: REST interface error pages are vulnerable to XSS

Product DS, OpenDJ
Affected versions DS 5.0, OpenDJ 3.5.0, 3.5.1, 3.5.2
Fixed versions DS 5.5, OpenDJ 3.5.3
Component Core Server
Severity Medium

Description:

HTML error pages returned by the internal DS/OpenDJ REST interface are vulnerable to a reflected XSS attack.

Workaround:

Disable the REST interface. For example:

$ ./dsconfig set-connection-handler-prop --handler-name HTTP\ Connection\ Handler --set enabled:false
$ ./dsconfig set-connection-handler-prop --handler-name HTTPS\ Connection\ Handler --set enabled:false

Resolution:

Update/upgrade to DS 5.5 or to OpenDJ 3.5.3 when available, or deploy the relevant patch.

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization

Identity Management


IDM Security Advisory #202002

A security vulnerability has been discovered in an IDM component. This issue is present in version 7.0.0 of ForgeRock Identity Management.

September 8, 2020

A security vulnerability has been discovered in an IDM component. The issue is present in IDM 7.0.0.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available to resolve the issue.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and deploy the recommended workarounds or resolutions as described within each issue below.

Issue #202002-01: Authentication Error(s)

Product ForgeRock Identity Management
Affected versions IDM 7.0.0
Fixed versions IDM 7.0.1
Component IDM Remote Connector Server (RCS)
Severity Critical

Description:

Servlet authentication bypasses IDM's authentication filter.

Workaround:

Disable the affected endpoint.

Resolution:

Upgrade to IDM 7.0.1.

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization
September 8, 2020 Initial release

IDM/OpenIDM Security Advisory #201705

Security vulnerabilities have been discovered in IDM/OpenIDM components. These issues may be present in IDM 5.0 and OpenIDM 2.1.x, 3.x, 4.x. The OpenIDM Community Edition 2.1.2 is also affected.

December 5, 2017

Security vulnerabilities have been discovered in IDM/OpenIDM components. These issues may be present in IDM 5.0 and OpenIDM 2.1.x, 3.x, 4.x. The OpenIDM Community Edition 2.1.2 is also affected.

This advisory provides guidance on how to ensure your deployments can be secured. Workarounds or patches are available for all of the issues.

The maximum severity of issues in this advisory is Critical. Deployers should take steps as outlined in this advisory and apply the relevant update(s) at the earliest opportunity.

The recommendation is to deploy the relevant patches. Patch bundles are available for the following versions (in accordance with ForgeRock’s Maintenance and Patch availability policy):

  • 3.0.0
  • 3.1.0
  • 4.0.0
  • 4.5.0
  • 4.5.1
  • 5.0.0

Customers can obtain these patch bundles from BackStage.

Issue #201705-01

Product IDM, OpenIDM
Affected versions IDM 5.0, OpenIDM 2.1.0, 2.1.1, 2.1.2, Community Edition 2.1.2, 3.0.0, 3.1.0, 4.0.0, 4.5.0, 4.5.1
Fixed versions IDM 5.5
Component Workflow
Severity Critical

Description:

Workflow task submission allows arbitrary content with no scoping protection.

Workaround:

Disable the Activiti Workflow service.

Resolution:

Deploy the relevant patch bundle.

See Also

How do I migrate my existing BPMN workflows after upgrading to IDM 5.5 or applying Security Advisory #201705?

Change Log

The following table tracks changes to the security advisory:

Date  Description
February 24, 2021 Added ForgeRock Identity Platform taxon to improve categorization

Identity Connector Framework


ICF Security Advisory #202102

ForgeRock has discovered two security vulnerabilities in the Identity Connector Framework (ICF).

April 20, 2021

ForgeRock has discovered two Medium-level security vulnerabilities present in supported versions of the Identity Connector Framework (ICF), which is part of the Remote Connector Server (RCS) implementation.

This advisory provides guidance on how to ensure your deployments are properly secured. The recommendation is to update ICF to version 1.5.20.0. The ICF is updated by upgrading the RCS.

Note

The vulnerabilities and upgrade only apply to the Java® version of RCS.

Customers can download the latest release of the Java RCS from BackStage.

See How do I upgrade the Remote Connector Server (RCS) for Identity Cloud and IDM? for instructions on upgrading the RCS. 

Issue #202102-01

Product ICF
Affected versions All prior to 1.5.20.0
Fixed versions 1.5.20.0
Component LDAP Connector
Severity Medium

Description:

A weak cipher was used to generate random values.

Workaround:

None.

Resolution:

Upgrade to ICF 1.5.20.

Issue #202102-02

Product ICF
Affected versions All prior to 1.5.20.0
Fixed versions 1.5.20.0
Component Core Server
Severity Medium

Description:

The XML handler allowed insecure documents.

Workaround:

None.

Resolution:

Upgrade to ICF 1.5.20.

Change Log

The following table tracks changes to the security advisory:

Date  Description
June 24, 2021 Added a Security taxon to improve categorization
April 20, 2021  Initial release

All Products


Log4j Security Advisory #202111

The purpose of this advisory is to provide information on whether ForgeRock products (Identity Cloud, AM, DS, IDM, IG, Agents and Autonomous Identity) are vulnerable to recent Log4j 2 vulnerabilities: RCE (Remote Code Execution) CVE-2021-44228, DoS (Denial of Service) CVE-2021-45046, DoS CVE-2021-45105 and ACE (Arbitrary Code Execution) CVE-2021-44832. These vulnerabilities allow an attacker to remotely execute code in certain circumstances.

December 10, 2021

A number of vulnerabilities have recently been discovered that impact multiple versions of the Apache Log4j 2 utility: 

Vulnerability Severity Rating CVSS Score Affected Versions Fixed Version Other Information
CVE-2021-44228 Critical 10 2.0 to 2.14.1 2.15.0 Disclosed publicly via the project’s GitHub on December 9, 2021
CVE-2021-45046 Critical 9 2.0 to 2.15.0 (excluding 2.12.2) 2.16.0  
CVE-2021-45105 High 7.5 2.0 to 2.16.0 2.17.0  
CVE-2021-44832 Medium 6.6 2.0 to 2.17.0 (excluding 2.3.2 and 2.12.4) 2.17.1  

Customers should check the CVEs for the latest vulnerable versions.

Note

New releases of Autonomous Identity that include Log4j 2.17 have been made available on December 22nd, 2021. 

The only ForgeRock product that utilizes Log4j is Autonomous Identity, which now has patched releases that remedy the three Critical and High vulnerabilities. None of the other currently supported ForgeRock products, including Identity Cloud, AM, DS, IDM, IG and Agents, are affected by these vulnerabilities. ForgeRock continues to actively investigate any other possible uses of this library but none are known at this time.

The SecurID authentication module uses the Log4j library (which is supplied by RSA but no longer supported). You should not use this module unless RSA provides a fixed version of this library. See RSA Customer Advisory: Apache Vulnerability | Log4j2 (CVE-2021-44228) for the latest information from RSA.

Customers are responsible for checking for any use of Log4j in their servlet/application container and any custom code (including Marketplace contributions) that they have deployed. 

ForgeRock products

All currently supported versions of the ForgeRock Identity Platform (AM, DS, IDM, IG and AM Agents) are not vulnerable to the Log4j issues, as ForgeRock does not ship this library. Review Checking your product versions are supported for details of currently supported versions.

Older, end of life, versions of the ForgeRock Identity Platform could be vulnerable. However, due to the age and lack of vendor support for libraries, they cannot be patched to ensure they are no longer vulnerable to the Log4j attacks.

Product Supported Versions Vulnerable Details
Autonomous Identity 2020.10, 2021.3, 2021.8 Yes The newest releases address the following vulnerabilities: CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105. Autonomous Identity does not use a JDBC appender for logging, which means it is not affected by CVE-2021-44832. Release Notes: Downloads:
AM 6.x, 7.x No N/A
DS 6.x, 7.x No N/A
IDM 6.x, 7.x No N/A
IG 6.x, 7.x No N/A
Agents 5.x No N/A

Recommendations

Autonomous Identity customers should update to the latest patch release (see release notes in the table above).

For standard installations of the ForgeRock Identity Platform (AM, DS, IDM, IG and Agents), you should check whether your servlet/application container has any vulnerabilities by contacting the vendor of the container being used. The servlet/application container you install for deploying AM needs to be checked to make sure it is not vulnerable. The default recommended container, Apache Tomcat, is not vulnerable as it does not use Log4j.

For custom installations of the ForgeRock Identity Platform that include components that utilize either log4j or log4j-api libraries, you should:

  • Contact the component vendor for additional information.
  • Check whether your servlet/application container has any vulnerabilities by contacting the vendor of the container being used.
  • Follow the advice from Apache by upgrading your Log4j version(s) to 2.17.1 or later, or by implementing one of their mitigations as outlined here: Apache Log4j Security Vulnerabilities.

For older ForgeRock products that are no longer supported, we strongly recommend you upgrade to a newer, supported version.
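The advisory leaves the inventory step to the customer: find every copy of Log4j in the container, the product's libraries and any custom code, including jars bundled inside WAR files. The following script is an added example, not ForgeRock's tooling: it walks a directory tree, opens each jar/war/ear, reads the Maven pom.properties that the published log4j-core (and the end-of-life log4j 1.x) artifacts carry, and classifies the version against the inclusive ranges exactly as the table above lists them. The sample deployment it builds in a temporary directory is constructed for the demonstration and is not a real ForgeRock layout; the CVE entries themselves remain the authoritative source for affected versions, as the advisory says.

```python
"""Added example: find Log4j jars in a deployment tree and classify them
against the version ranges in this advisory's table (defender-side check)."""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges exactly as the advisory table lists them, plus the
# versions the table excludes. The CVE entries remain authoritative.
LOG4J2_RANGES: Dict[str, Tuple[Version, Version, Tuple[Version, ...]]] = {
    "CVE-2021-44228": ((2, 0, 0), (2, 14, 1), ()),
    "CVE-2021-45046": ((2, 0, 0), (2, 15, 0), ((2, 12, 2),)),
    "CVE-2021-45105": ((2, 0, 0), (2, 16, 0), ()),
    "CVE-2021-44832": ((2, 0, 0), (2, 17, 0), ((2, 3, 2), (2, 12, 4))),
}
# Maven metadata paths inside the published log4j-core and log4j 1.x jars.
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text: str) -> Version:
    """'2.17.1', '2.0' or '2.0-beta9' -> (major, minor, patch)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    return (major, minor, patch)


def affected_cves(version: Version) -> List[str]:
    """CVEs from the table whose range contains this log4j-core version."""
    return [cve for cve, (lo, hi, excluded) in LOG4J2_RANGES.items()
            if lo <= version <= hi and version not in excluded]


def _pom_version(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(zf: zipfile.ZipFile, label: str, out: List[dict]) -> None:
    """Record Log4j found in one archive, recursing into nested jars (WAR/EAR/fat jars)."""
    names = set(zf.namelist())
    if LOG4J2_POM in names:
        ver = _pom_version(zf.read(LOG4J2_POM))
        cves = affected_cves(parse_version(ver)) if ver else ["version unknown: inspect manually"]
        out.append({"archive": label, "library": "log4j-core", "version": ver or "unknown", "cves": cves})
    if LOG4J1_POM in names:
        out.append({"archive": label, "library": "log4j-1.x (end of life)",
                    "version": _pom_version(zf.read(LOG4J1_POM)) or "unknown",
                    "cves": ["CVE-2021-4104 if JMSAppender is configured"]})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inspect_archive(zipfile.ZipFile(io.BytesIO(zf.read(name))), f"{label}!{name}", out)
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> List[dict]:
    """Scan every archive under root; labels are paths relative to root."""
    findings: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, os.path.relpath(path, root), findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def _jar(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed sample deployment for the demonstration (not a real ForgeRock layout)."""
    os.makedirs(os.path.join(root, "lib"))
    os.makedirs(os.path.join(root, "webapps"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(_jar({LOG4J2_POM: b"version=2.14.1\n", "org/apache/logging/log4j/core/Core.class": b""}))
    with open(os.path.join(root, "lib", "log4j-1.2.17.jar"), "wb") as f:
        f.write(_jar({LOG4J1_POM: b"version=1.2.17\n"}))
    with open(os.path.join(root, "lib", "unrelated.jar"), "wb") as f:
        f.write(_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}))
    inner = _jar({LOG4J2_POM: b"version=2.17.1\n"})  # patched copy bundled inside a WAR
    with open(os.path.join(root, "webapps", "app.war"), "wb") as f:
        f.write(_jar({"WEB-INF/lib/log4j-core-2.17.1.jar": inner}))


def demo() -> List[dict]:
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for item in demo():
        print(f"{item['archive']}: {item['library']} {item['version']} -> {item['cves'] or 'not in listed ranges'}")
```

To run it against a real deployment, call scan_tree() on the container's installation directory and on any directory holding custom code; an empty `cves` list only means the version falls outside the ranges the table lists, and a jar without the Maven metadata (a shaded or repackaged copy) is reported as "version unknown" for manual inspection rather than silently treated as clean.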

Log4j 1

The vulnerabilities in this advisory do not apply to Log4j 1 versions. Per Apache Log4j Security Vulnerabilities:

Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

However, a new CVE-2021-4104 vulnerability has been reported for Log4j 1.2, which is an issue if you have JMSAppender configured. You should monitor this CVE for updates.

See Also

CVE-2021-44228

CVE-2021-45046

CVE-2021-45105

CVE-2021-44832

Apache Log4j Security Vulnerabilities

Apache Log4j RCE – Variants and Updates

Change Log

The following table tracks changes to the advisory:

Date  Description
January 5, 2022 Updated to clarify that CVE-2021-44832 does not affect Autonomous Identity
January 4, 2022 Updated to note new vulnerability (CVE-2021-44832) and advice to upgrade to Log4j version 2.17.1
December 22, 2021 Added new fixed versions to address CVE-2021-45105 & CVE-2021-45046 for Autonomous Identity; added section for Log4j1 to clarify its status
December 20, 2021 Updated to note new vulnerability (CVE-2021-45105) and advice to upgrade to Log4j version 2.17.0
December 16, 2021 Add fixed versions and release notes for Autonomous Identity
December 15, 2021 Updated to note new vulnerability (CVE-2021-45046) and advice to upgrade to Log4j version 2.16.0
December 14, 2021 Updated to provide clarity around supported versions and added recommendation for older unsupported versions
December 13, 2021 Updated to note the SecurID authentication module and its use of the Log4j library; updated the Recommendations section to be more specific
December 10, 2021 Initial release

Java JDK Security Advisory #202109

ForgeRock are aware of a serious vulnerability in the implementation of certain cryptographic operations in Java JDK versions 15 and later. This affects Oracle® Java® and OpenJDK, including other JDKs derived from OpenJDK. You should follow the advice in this advisory to secure your deployments at the earliest opportunity.

Identity Cloud customers

This advisory does not apply to the ForgeRock Identity Cloud. This advisory only applies to software deployments of the ForgeRock Identity Platform. 

November 18, 2021

ForgeRock are aware of a serious vulnerability in the implementation of certain cryptographic operations in Java JDK versions 15 and later. This affects Oracle Java and OpenJDK, including other JDKs derived from OpenJDK. ForgeRock have informed the OpenJDK vulnerability team about the issue and a fix is being worked on. Until a fix is ready from your JDK vendor, ForgeRock advises our customers not to deploy to production with any affected versions of Java.

As this is a bug in the Java runtime environment, ForgeRock is not able to offer patches. We recommend following the advice or workarounds in this advisory.

Note

ForgeRock supports customers using Java 8 and 11. Other versions might work as well, in which case you should note the suggested Bouncy Castle workaround. However, when opening a support ticket for an issue, please make sure you can also reproduce the problem on a supported Java version.

Workarounds

You can secure your deployments using one of the following two options:

  • Option 1: Deploy ForgeRock products with Java 11 only. This is the preferred solution. Java 11 is the only long-term support (LTS) Java version that is supported for most ForgeRock products.
  • Option 2: Configure your JVM to use Bouncy Castle as the preferred cryptographic provider as these libraries are not vulnerable. You will need to ensure the corresponding JCE provider JAR is installed and then configure it as the preferred provider in the java.security file (this can be found in the $JAVA_HOME directory; the exact path varies by version but a common location is $JAVA_HOME/conf/security).

Setting up Bouncy Castle Example (Applies only to Option 2)

  1. Download the latest bcprov-ext-jdk15on-xxx.jar and bcprov-jdk15on-xxx.jar files from Bouncy Castle if needed; they are listed in the SIGNED JAR FILES section.
  2. Copy these two jar files to a directory that the JVM searches.
  3. Ensure the file permissions for these two jar files are set to allow them to be read.
  4. Update the list of security providers in the JVM to put Bouncy Castle first and then renumber the other security providers to follow. This list is set in the java.security text file. The security provider list should now look similar to this:

     security.provider.1=BC|org.bouncycastle.jce.provider.BouncyCastleProvider
     security.provider.2=SUN
     [...]

     This step is recommended by Bouncy Castle and you can read more about it here: The Legion of the Bouncy Castle - Specifications.
  5. Save this file and restart the relevant ForgeRock product.

See Configure the Provider for further information.
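Step 4 is where this workaround is most often got wrong: inserting a new security.provider.1 line without renumbering leaves two providers with the same index, and because java.util.Properties keeps only the last value for a repeated key, the JVM silently drops one provider from its list. The following script is an added example, not ForgeRock's or Bouncy Castle's code: it performs the renumbering on a java.security excerpt and then checks the result (Bouncy Castle first, indexes contiguous, no duplicates) before the product is restarted. The excerpt is constructed; the real file lives under $JAVA_HOME as described in Option 2. It assumes the fully qualified class name form of the entry, which works on Java 8 and 11; the short name "BC" is accepted by the checker on the assumption that the JVM can locate the provider via ServiceLoader (Java 9+).

```python
"""Added example: apply step 4 (Bouncy Castle first) to a java.security excerpt
and verify the provider numbering before restarting the product."""
import re
from typing import List, Tuple

PROVIDER_RE = re.compile(r"^\s*security\.provider\.(\d+)\s*=\s*(\S+)\s*$")
BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider"

# Constructed excerpt of a JDK 11 java.security file before the change.
SAMPLE_BEFORE = """\
# constructed sample: $JAVA_HOME/conf/security/java.security (excerpt)
security.provider.1=SUN
security.provider.2=SunRsaSign
security.provider.3=SunEC
security.provider.4=SunJSSE
"""


def is_bouncy_castle(value: str) -> bool:
    # Assumption: Java 9+ accepts the provider name "BC" when the jar is found via
    # ServiceLoader; Java 8 needs the fully qualified class name. Accept both.
    return value == "BC" or value.endswith("BouncyCastleProvider")


def parse_providers(text: str) -> List[Tuple[int, str]]:
    """(index, value) for each security.provider.N line, in file order."""
    out = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def put_bouncy_castle_first(text: str) -> str:
    """Insert BC as security.provider.1 and renumber the rest to follow contiguously."""
    out, next_index, inserted = [], 1, False
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if not m:
            out.append(line)          # comments and unrelated properties pass through
            continue
        if is_bouncy_castle(m.group(2)):
            continue                  # any existing BC entry is re-added at index 1
        if not inserted:
            out.append(f"security.provider.1={BC_CLASS}")
            next_index, inserted = 2, True
        out.append(f"security.provider.{next_index}={m.group(2)}")
        next_index += 1
    if not inserted:
        out.append(f"security.provider.1={BC_CLASS}")
    return "\n".join(out) + "\n"


def check_provider_order(text: str) -> List[str]:
    """Problems with the provider list; empty means BC is first and numbering is contiguous."""
    entries = parse_providers(text)
    if not entries:
        return ["no security.provider.N entries found"]
    problems = []
    indexes = [i for i, _ in entries]
    dupes = sorted({i for i in indexes if indexes.count(i) > 1})
    if dupes:
        # java.util.Properties keeps only the last value for a repeated key, so a
        # duplicate index silently drops a provider from the JVM's list.
        problems.append(f"duplicate provider index(es): {dupes}")
    if sorted(indexes) != list(range(1, len(entries) + 1)):
        problems.append(f"provider indexes are not contiguous 1..{len(entries)}: {sorted(indexes)}")
    first = [v for i, v in entries if i == 1]
    if not first or not is_bouncy_castle(first[0]):
        problems.append("security.provider.1 is not Bouncy Castle")
    return problems


if __name__ == "__main__":
    fixed = put_bouncy_castle_first(SAMPLE_BEFORE)
    print(fixed)
    print("before:", check_provider_order(SAMPLE_BEFORE))
    print("after:", check_provider_order(fixed))
```

Running check_provider_order() on the real file after editing, and again after the product restarts, is a cheap guard against the duplicate-index mistake; the rewrite is idempotent, so applying it to an already corrected file leaves it unchanged.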

Change Log

The following table tracks changes to the advisory:

Date  Description
November 18, 2021 Initial release

Copyright and Trademarks

Copyright © 2021 - 2022 ForgeRock, all rights reserved.
