July 2019: ForgeRock Releases Security Patch Updates

Hub City Media advises that all ForgeRock customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to keep ForgeRock IAM environments secure, we are advising customers that ForgeRock has released Security Patch Updates.

We have evaluated these updates and summarised the critical patches that may be required in client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us

AM Web Agents

Product: AM Web Agent, versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0

Subcomponent(s): Web Agent

Issue Number(s): 201902-01, 201902-03, 201902-04

Vulnerability Details:

These vulnerabilities allow:

  • An AM Web Agent to start with session notifications misconfigured, so that sessions already revoked at the AM server can still access the resources the agent protects

  • A local attacker to extract AM Web Agent heap memory, exposing sensitive information (for example session or configuration data held by the agent)

  • Mishandled string operations to crash the AM Web Agent, denying access to the protected application

These vulnerabilities are resolved in AM Web Agent version 5.6.1.0


AM Java Agents

Product: AM Java Agent, versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0

Subcomponent(s): Java Agent, jackson-databind 2.x

Issue Number(s): 201902-02

Vulnerability Details:

This vulnerability allows:

  • A remote user to read local files through a Polymorphic Typing issue (deserialization of untrusted JSON) in FasterXML jackson-databind 2.x before 2.9.9, which the Java Agent bundles

This vulnerability is resolved in AM Java Agent version 5.6.1.0


AM/OpenAM

Product: AM versions 6.5.0-6.5.0.1, 6.0.0-6.0.0.6, 5.0.0-5.5.1

OpenAM versions 

Subcomponent(s): AM/OpenAM Core Server

Issue Number(s): 201901-01, 201901-02, 201901-03, 201901-04, 201901-05, 201901-06, 201901-07, 201901-08

Vulnerability Details:

These vulnerabilities allow:

  • A man-in-the-middle attack against the AM/OpenAM Core Server under certain OAuth2 client configurations

  • Policies to be created for resources the caller is not entitled to, through a bug in access control

  • Takeover of the AM/OpenAM Core Server through a cross-site scripting attack

  • Server certificates to go unverified because TLS hostname verification is disabled by default on some services; such deployments accept a certificate for any name, so patching should be paired with a review of those services' TLS settings

  • Authentication to be bypassed in certain SAML session upgrade scenarios

  • An attacker to redirect an end user to a site they control, because Agent-based CDSSO does not correctly validate redirect URLs

  • Memory-based account lockout to fail, so that failed login attempts are not limited

  • OAuth2 redirect URLs to go unvalidated because of improper error handling

These vulnerabilities are resolved in version 6.5.0.2 or 6.0.0.7, depending on your current version of AM/OpenAM.


With every patch update, our team ensures your ForgeRock system is up to date and running smoothly.

Learn more about how we can help you...

ForgeRock Releases Directory Services Security Advisory

Hub City Media advises that all ForgeRock clients review this security vulnerability with their team…

As part of Hub City Media’s ongoing efforts to keep ForgeRock IAM environments secure, we are advising clients that ForgeRock has released a security advisory for Directory Services.

To maintain the best possible security posture, please review this patch with your team.

For assistance with applying this patch, contact us

 

ForgeRock Directory Services 5.5.2

Component: Core Server

Security Advisory #201803: ForgeRock has discovered a Medium-severity security vulnerability in ForgeRock Directory Services (DS) 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects the embedded DS / OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x, as well as IDM 6.0.

Release Notes for 5.5.2: ForgeRock maintenance releases provide fixes to existing bugs that improve functionality, security and performance for your DS deployment. No new features have been introduced. The release can be deployed as an initial deployment or used to upgrade from an existing version.

Vulnerability Details: The password policy response control is returned incorrectly when an account is locked and a bind operation for that account supplies the correct password. Because the bind response then differs from the one returned for a wrong password, the lockout no longer hides whether a guess was right: an attacker can keep guessing against a locked account and recognise the correct password, so lockout after too many authentication failures does not stop the brute force.

Resolution: Update / upgrade to DS 5.5.2 or deploy the relevant patch bundle.
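As an added illustration (not code from the ForgeRock advisory or from DS itself), the following decodes the LDAP password policy response control the advisory refers to and turns its statement into a check: a locked account must answer a bind identically whether or not the password is right. The bind responses are constructed test data; the page does not say exactly how the faulty response differed, so the vulnerable sample simply omits the control when the password is correct. The control OID and the PasswordPolicyResponseValue layout are taken from draft-behera-ldap-password-policy.

```python
"""Decoder for the LDAP Password Policy response control
(OID 1.3.6.1.4.1.42.2.27.8.5.1, draft-behera-ldap-password-policy) plus a
check for the locked-account password oracle. All bind responses below are
constructed samples, not captures from a ForgeRock DS server."""

PP_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
INVALID_CREDENTIALS = 49  # LDAP resultCode invalidCredentials

PP_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
PP_WARNINGS = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}


def _read_tlv(buf, pos):
    """Read one BER tag/length/value at buf[pos]; returns (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_pp_response(value):
    """Decode PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED { ... } OPTIONAL }
    into a dict with optional 'warning' (name, int) and 'error' (name)."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    out = {}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0], constructed: one of [0]/[1] INTEGER
            wtag, wval, _ = _read_tlv(inner, 0)
            out["warning"] = (PP_WARNINGS[wtag & 0x1F], int.from_bytes(wval, "big"))
        elif tag == 0x81:  # error [1], primitive ENUMERATED
            out["error"] = PP_ERRORS[int.from_bytes(inner, "big")]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response control")
    return out


def bind_outcome(result_code, controls):
    """What a client can observe from a BindResponse: the resultCode and the
    decoded password policy control (None when the server did not send one)."""
    pp = controls.get(PP_CONTROL_OID)
    return (result_code, decode_pp_response(pp) if pp is not None else None)


def locked_account_is_oracle(resp_wrong_pw, resp_right_pw):
    """True if a locked account answers the correct password differently from
    a wrong one; that difference lets an attacker brute-force the password
    even though the account is locked."""
    return bind_outcome(*resp_wrong_pw) != bind_outcome(*resp_right_pw)


# Constructed control value: SEQUENCE { error [1] accountLocked(1) }
ACCOUNT_LOCKED = bytes.fromhex("3003810101")

# Constructed bind responses as (resultCode, {controlOID: controlValue}).
# Hypothetical vulnerable server: control omitted when the password is right.
VULNERABLE_WRONG_PW = (INVALID_CREDENTIALS, {PP_CONTROL_OID: ACCOUNT_LOCKED})
VULNERABLE_RIGHT_PW = (INVALID_CREDENTIALS, {})
# Fixed server: identical answer regardless of the password supplied.
FIXED_WRONG_PW = (INVALID_CREDENTIALS, {PP_CONTROL_OID: ACCOUNT_LOCKED})
FIXED_RIGHT_PW = (INVALID_CREDENTIALS, {PP_CONTROL_OID: ACCOUNT_LOCKED})

if __name__ == "__main__":
    print("control:", decode_pp_response(ACCOUNT_LOCKED))
    print("vulnerable sample is an oracle:",
          locked_account_is_oracle(VULNERABLE_WRONG_PW, VULNERABLE_RIGHT_PW))
    print("fixed sample is an oracle:",
          locked_account_is_oracle(FIXED_WRONG_PW, FIXED_RIGHT_PW))
```

To use this against a real deployment, deliberately lock a test account in a non-production DS, bind twice (a wrong password, then the correct one) while requesting the password policy control, and feed the observed resultCode and control value of each response into `locked_account_is_oracle`; any difference means the lockout can be used as a password oracle and the server still needs the 5.5.2 fix or the patch bundle.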

