CVE-2022-3748: AM Security Advisory #202207 | ForgeRock Backstage

Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This issue affects Access Management: from 6.5.0 through 7.2.0.


Security Advisory

ForgeRock Identity Platform

Does not apply to Identity Cloud

Last updated Apr 13, 2023

A security vulnerability has been discovered in supported versions of Access Management (AM). This vulnerability affects all current versions of AM, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.


This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to ForgeRock Identity Cloud.

January 25, 2023

A security vulnerability has been discovered in supported versions of AM. This vulnerability affects all current versions of AM, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Critical.

The advice is to upgrade to a fixed version (AM 7.2.1 or AM 7.3, see Fixed versions below) to resolve this issue. If that is not possible at this time, apply the relevant patch to mitigate it.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

You can download patches from Backstage for the following AM versions:

  • AM 6.5.5
  • AM 7.1.2 (updated to #202301)
  • AM 7.1.3 (updated to #202301)
  • AM 7.2.0 (updated to #202301)

Customers who obtained a patch with 202207 in the name for AM 7.x need to replace those patches with a 202301 version.

For customers who had already raised a ticket for a custom 7.x patch, updated 202301 versions of those patches are being issued via the original support tickets.

Additional details are available in AM Security Advisory #202301.

See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch.

If you need a patch for a different version, or you already have other patches installed, raise a support ticket to obtain an updated patch; include details of your existing patches in the ticket so that support can build a patch that is compatible with them. See How do I use the patchinfo utility to check what patches are installed for AM or IG (All versions)? or How do I check what patches are installed for ForgeRock products? for further information on listing installed patches.
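When triaging a fleet of AM deployments against this advisory, the decision is a combination of the version range and the patch naming rules stated above: 6.5.0 through 7.2.0 is affected, 7.2.1 and 7.3 carry the fix (see Fixed versions below), stock patches exist for 6.5.5, 7.1.2, 7.1.3 and 7.2.0, and any 7.x patch with 202207 in its name must be replaced by a 202301 build while the 6.5.5 patch keeps its 202207 name. The following helper is an added example, not ForgeRock's code or tooling; it assumes installed patches are identified by name strings containing the advisory number, as the advisory describes them (the exact patch file naming convention is not on this page), and the hostnames and inventory it runs over are constructed for illustration.

```python
"""Triage helper for ForgeRock AM Security Advisory #202207 (CVE-2022-3748).

Added example, not ForgeRock's code. It encodes only what the advisory states:
affected range AM 6.5.0 through 7.2.0; fixed in AM 7.2.1 and AM 7.3; Backstage
patches for 6.5.5, 7.1.2, 7.1.3 and 7.2.0; and 7.x patches with "202207" in the
name must be replaced by a "202301" build. Assumption: installed patches are
identified by name strings containing the advisory number; the real patch
file naming convention is not stated on the advisory page.
"""
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (6, 5, 0)
FIXED_MIN: Version = (7, 2, 1)   # AM 7.2.1 and AM 7.3 carry the fix
STOCK_PATCH_VERSIONS = {(6, 5, 5), (7, 1, 2), (7, 1, 3), (7, 2, 0)}

ADVICE: Dict[str, str] = {
    "FIXED": "not affected: release contains the fix",
    "PATCHED": "affected version, current patch installed",
    "REPLACE_PATCH": "7.x deployment still running a 202207 patch: replace with the 202301 build",
    "NEEDS_PATCH": "affected and unpatched: apply the Backstage patch or upgrade to 7.2.1/7.3",
    "NEEDS_TICKET": "affected, no stock patch for this version: raise a support ticket",
    "UNSUPPORTED": "below 6.5.0 (unsupported): treat as affected and raise a support ticket",
}


def parse_version(text: str) -> Version:
    """Normalise 'AM 7.3', '7.1.3' or '6.5.5' to a comparable 3-tuple."""
    s = text.strip()
    if s.upper().startswith("AM"):
        s = s[2:].strip()
    parts = s.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AM version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def triage(version: str, installed_patches: Iterable[str] = ()) -> str:
    """Return one of the ADVICE keys for a single AM deployment."""
    v = parse_version(version)
    names = [p.lower() for p in installed_patches]
    if v >= FIXED_MIN:
        return "FIXED"
    if v < AFFECTED_MIN:
        return "UNSUPPORTED"
    # 6.5.0 .. 7.2.0: affected unless a current patch for this advisory is present.
    has_202301 = any("202301" in n for n in names)
    has_202207 = any("202207" in n for n in names)
    if v[0] >= 7:
        # Advisory: 7.x patches with 202207 in the name must be replaced by a 202301 version.
        if has_202301:
            return "PATCHED"
        if has_202207:
            return "REPLACE_PATCH"
    elif has_202207 or has_202301:
        # The 6.5.5 patch is still issued under the 202207 name.
        return "PATCHED"
    return "NEEDS_PATCH" if v in STOCK_PATCH_VERSIONS else "NEEDS_TICKET"


def triage_fleet(inventory: Dict[str, Tuple[str, Iterable[str]]]) -> Dict[str, str]:
    """Map host -> status code for a {host: (version, installed_patches)} inventory."""
    return {host: triage(ver, patches) for host, (ver, patches) in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames and patch names are made up.
    fleet = {
        "am-prod-1": ("AM 7.2.0", ["AM-7.2.0-202207-patch"]),
        "am-prod-2": ("7.2.0", ["am-7.2.0-202301"]),
        "am-dr-1": ("6.5.5", ["AM-6.5.5-202207"]),
        "am-lab": ("7.1.0", []),
        "am-new": ("7.3", []),
    }
    for host, code in triage_fleet(fleet).items():
        print(f"{host:10} {code:14} {ADVICE[code]}")
```

The patch-name matching is deliberately loose (any name containing the advisory number) because the advisory only says "a patch with 202207 in the name"; feed it the output of the patchinfo utility referenced above rather than guessing from jar files on disk.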

Issue #202207-01 - Improper Authorization (CWE-285)

Affected versions

AM (all supported versions, and possibly older unsupported versions)

Fixed versions

AM 7.2.1, AM 7.3

Component

Core Server

Severity

Critical

Description:

A critical severity Improper Authorization (CWE-285) vulnerability has been discovered in supported versions of AM that can lead to user account impersonation and takeover.

Mitigation:

Due to the sensitive nature of this issue, please contact ForgeRock support by raising a ticket via Backstage. Please include “AM Security Advisory #202207” in the ticket subject.

Resolution:

Deploy the relevant patch.

Change Log

The following table tracks changes to the security advisory, newest first:

Date               Description
April 13, 2023     Made advisory available to everyone
April 5, 2023      Added fixed versions (AM 7.2.1, AM 7.3)
February 10, 2023  Updated content and added back updated patches for 7.1.2, 7.1.3 and 7.2.0
February 6, 2023   Expanded visibility of this advisory to partners
February 3, 2023   Removed AM 7.2.0 and AM 7.1.3 download links whilst these patches were updated
February 1, 2023   Removed AM 7.1.2 download link
January 25, 2023   Initial release

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.
