July 2019: ForgeRock Releases Security Patch Updates

As part of Hub City Media's ongoing efforts to keep ForgeRock IAM environments secure, we are notifying clients that ForgeRock has released Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us.

AM Web Agents

Product: AM Web Agent, versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0

Subcomponent(s): Web Agent

Issue Number(s): 201902-01, 201902-03, 201902-04

Vulnerability Details:

These vulnerabilities allow:

  • AM Web Agents to be started with misconfigured notifications, which will give revoked sessions the ability to access protected resources

  • AM Web Agent heap memory to be extracted by a local attacker, exposing sensitive information

  • Mishandled String operations to potentially crash the AM Web Agent

These vulnerabilities are resolved in AM Web Agent version 5.6.1.0.


AM Java Agents

Product: AM Java Agent, versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0

Subcomponent(s): Java Agent, jackson-databind 2.x

Issue Number(s): 201902-02

Vulnerability Details:

This vulnerability allows:

  • A remote user to access local files through an issue with Polymorphic Typing in FasterXML jackson-databind 2.x before 2.9.9

This vulnerability is resolved in AM Java Agent version 5.6.1.0.
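A quick inventory check a team can run before and after applying the Java Agent patch, added here as an example and not code from Hub City Media or ForgeRock: it walks an agent installation, picks out jackson-databind jars by their file name, and flags any 2.x release older than 2.9.9. It assumes the standard Maven-style jar naming (jackson-databind-<version>.jar); the sample paths are constructed for illustration.

```python
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# jackson-databind 2.x releases below this version carry the Polymorphic Typing issue (per the advisory).
FIXED_VERSION = "2.9.9"

# Matches jackson-databind-2.9.8.jar, jackson-databind-2.9.10.1.jar, jackson-databind-2.9.9-SNAPSHOT.jar
JAR_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.9.8' into (2, 9, 8) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(version: str) -> bool:
    """True for any 2.x release older than FIXED_VERSION; other major lines are out of scope."""
    v = parse_version(version)
    return v[0] == 2 and v < parse_version(FIXED_VERSION)

def jar_version(filename: str) -> Optional[str]:
    """Extract the version from a jackson-databind jar name, or None for any other file."""
    m = JAR_RE.match(filename)
    return m.group(1) if m else None

def find_vulnerable_jars(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every jackson-databind jar that still needs the update."""
    hits = []
    for p in paths:
        ver = jar_version(Path(p).name)
        if ver is not None and is_vulnerable(ver):
            hits.append((p, ver))
    return hits

def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Recursively scan a real installation directory (hypothetical root supplied by the caller)."""
    return find_vulnerable_jars(str(p) for p in Path(root).rglob("*.jar"))

# Constructed sample paths, not taken from any real deployment.
SAMPLE_PATHS = [
    "/opt/agent/lib/jackson-databind-2.9.8.jar",
    "/opt/agent/lib/jackson-databind-2.9.9.jar",
    "/opt/agent/lib/jackson-databind-2.9.10.1.jar",
    "/opt/agent/lib/jackson-core-2.9.8.jar",
    "/opt/agent/lib/jackson-databind-2.8.11.3.jar",
]

if __name__ == "__main__":
    for path, ver in find_vulnerable_jars(SAMPLE_PATHS):
        print(f"UPDATE NEEDED: {path} (jackson-databind {ver} < {FIXED_VERSION})")
```

Point scan_tree at the agent's lib directory to check a live installation; an empty result means no pre-2.9.9 jackson-databind jar was found by name, which does not cover shaded or renamed copies.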


AM/OpenAM

Product: AM versions 6.5.0-6.5.0.1, 6.0.0-6.0.0.6, 5.0.0-5.5.1

OpenAM versions 

Subcomponent(s): AM/OpenAM Core Server

Issue Number(s): 201901-01, 201901-02, 201901-03, 201901-04, 201901-05, 201901-06, 201901-07, 201901-08

Vulnerability Details:

These vulnerabilities allow:

  • A man-in-the-middle attack to be performed on AM/OpenAM Core Server through certain configurations of OAuth2 clients

  • Policies to be created for unentitled resources through a bug in access control

  • Takeover of AM/OpenAM Core Server through a cross-site scripting attack

  • Server certificates to be incorrectly configured due to TLS hostname verification being disabled by default on some services

  • Authentication to be bypassed in certain SAML session upgrade scenarios

  • An attacker to redirect an end user to a site they control, because Agent-based CDSSO does not correctly validate redirect URLs

  • Memory account lockout to fail

  • Redirect URLs to be unvalidated through improper error handling by OAuth2

These vulnerabilities are resolved in version 6.5.0.2 or 6.0.0.7, depending on your current version of AM/OpenAM.



With every patch update, our team ensures your ForgeRock system is up to date and running smoothly.

Learn more about how we can help you...
