CVE-2021-4201: AM Security Advisory #202110 - Knowledge

Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions.

Identity Cloud customers

This security advisory does not apply to the ForgeRock Identity Cloud. This security advisory only applies to software deployments of the ForgeRock Identity Platform.

December 7, 2021

Security vulnerabilities have been discovered in supported versions of AM. These vulnerabilities affect versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0 and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Critical.

The advice is to upgrade or apply a patch to mitigate these issues. In some cases, a workaround is given, which may be suitable, but an upgrade to the latest version is the recommended approach.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

In accordance with ForgeRock’s Maintenance and Patch availability policy, patches are available from BackStage for the following versions:

  • AM 7.1.1 (a patch release; use it to secure AM 7.1.0)
  • AM 7.0.2
  • AM 6.5.3
  • AM 6.5.2.3
  • AM 6.5.1
  • AM 6.5.0.2
  • AM 6.0.0.7
  • AM 5.5.2 *

* ForgeRock are providing a patch for AM 5.5.2 even though this is outside the scope of the Maintenance and Patch availability policy; please note that this action does not constitute a change to said policy.

See How do I install an AM patch (All versions) supplied by ForgeRock support? for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.

Issue #202110-01: Broken Access Control

Affected versions: AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0

Fixed versions: AM 6.5.4, AM 7.1.1

Component: Core Server

Severity: Critical

Description:

It may be possible to bypass some authentication controls and gain access to other users’ session tokens.

Workaround:

Block or restrict access to the PLL servlet endpoints:

  • /authservice
  • /sessionservice
  • /profileservice
  • /policyservice
  • /namingservice
  • /loggingservice

These are legacy endpoints that may be used by ssoadm, Agents prior to version 5 and the OpenAM Java SDK (removed in AM 5.5.0). Additionally, in pre-AM 6 versions, these endpoints may be used for AM crosstalk. If you know these components are in use, restrict access to the endpoints to a trusted network; otherwise they can be blocked completely. More information on how to block these endpoints can be found in the following KB article: Best practice for blocking the top level realm in a proxy for AM (All versions).

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 patch release.

Issue #202110-02: Cross Site Scripting (XSS)

Affected versions: AM 5.5.2, 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3, 7.0.x and 7.1.0

Fixed versions: AM 6.5.4, AM 7.1.1

Component: Core Server

Severity: High

Description:

AM is vulnerable to cross-site scripting (XSS) attacks via the oauth2/authorize endpoint, which could lead to session hijacking or phishing.

Workaround:

The oauth2/authorize endpoint is used in some OAuth2/OIDC flows and by AM Agents 5 and above. You can protect the oauth2/authorize endpoint at the container level (for example, using the mod_security Apache module) or filter external requests to it, either permanently if the endpoint is not used or as an interim measure until a patch is deployed.
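As an added example that is not part of the ForgeRock advisory, the two workarounds expressed as Apache httpd 2.4 reverse-proxy configuration: the six PLL servlet endpoints from Issue #202110-01 are denied outright, with a commented alternative that restricts them to a trusted network for deployments still using ssoadm, pre-5 Agents, the OpenAM Java SDK or pre-AM 6 crosstalk, and the oauth2/authorize endpoint from Issue #202110-02 is restricted to internal clients for deployments that use neither OAuth2/OIDC flows nor AM Agents 5 and above. The /am context path, the am-backend.internal:8080 backend and the 10.0.0.0/8 trusted range are assumed placeholders; the mod_security ruleset the advisory mentions as the other option is not shown.

```apache
# Added example (not from the advisory): Apache httpd 2.4 reverse proxy in front of AM.
# Assumed placeholders: /am context path, am-backend.internal:8080, 10.0.0.0/8 trusted network.
ProxyRequests Off
ProxyPreserveHost On
ProxyPass        /am http://am-backend.internal:8080/am
ProxyPassReverse /am http://am-backend.internal:8080/am

# Issue #202110-01 workaround: legacy PLL servlet endpoints.
# Default: deny everyone. Access control in <LocationMatch> is evaluated before
# the request is proxied, so the backend never sees these requests.
<LocationMatch "^/am/(authservice|sessionservice|profileservice|policyservice|namingservice|loggingservice)">
    Require all denied
</LocationMatch>

# Alternative when ssoadm, pre-5 Agents, the OpenAM Java SDK or pre-AM 6 crosstalk
# still need these endpoints: allow only the trusted network. Use this block
# instead of the one above, not in addition to it.
# <LocationMatch "^/am/(authservice|sessionservice|profileservice|policyservice|namingservice|loggingservice)">
#     Require ip 10.0.0.0/8
# </LocationMatch>

# Issue #202110-02 workaround, only for deployments that use neither OAuth2/OIDC
# flows nor AM Agents 5+: filter external requests to oauth2/authorize.
<Location "/am/oauth2/authorize">
    Require ip 10.0.0.0/8
</Location>
```

After reloading, confirm the change took effect by requesting each blocked path from an untrusted address and checking that the proxy answers 403 rather than forwarding to AM; if your deployment URI is not /am, adjust every path above to match, since the LocationMatch expressions are anchored to it.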

Resolution:

Upgrade to a fixed version or deploy the relevant patch. The fix for AM 7.1 is provided in the AM 7.1.1 patch release.

The security advisory patch contains both a binary fix (which fixes known instances of the 202110-02 XSS issue) and an XUI fix (which includes additional hardening to help prevent further XSS issues on this endpoint within the XUI).

If you have customized the XUI, apply the binary fix first (by removing the XUI directory from the patch before deploying it), then apply the XUI fix to your XUI customizations by following the instructions in the README included in the advisory.

Acknowledgements

Maxime Escourbiac (https://cert.michelin.com/)

Maxence Schmitt (https://cert.michelin.com/)

Change Log

The following table tracks changes to the security advisory:

Date               Description
December 8, 2021   Added clarification to Issue #202110-02 about XUI customizations
December 7, 2021   Initial release