ForgeRock Releases Security Update for Access Management
Affected platforms
The following platforms are known to be affected:
ForgeRock Access Management Versions: 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3
Threat details
Introduction
ForgeRock has released a security update for a critical vulnerability in Access Management that could allow a remote attacker to execute arbitrary code (RCE) and take control of the affected system.
Remediation advice
Affected organisations are encouraged to review the ForgeRock AM Security Advisory #202104 and apply the necessary update or workarounds.
Remediation steps
Patch: If possible, apply the AM 6.5.3 patch, which works for all AM 6.x versions. You must be logged in to Backstage to download it: https://backstage.forgerock.com/downloads/browse/am/all/productId:am/minorVersion:6.5/version:6.5.3

Workaround 1 (guidance): Disable the VersionServlet mapping by commenting out the following section in the AM web.xml file, located in the /path/to/tomcat/webapps/openam/WEB-INF directory:

```xml
<servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
</servlet-mapping>
```

To comment out the section, change it to the following and then restart Tomcat:

```xml
<!--
<servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
</servlet-mapping>
-->
```

After the restart, confirm that requests to the ccversion path under the AM context are no longer served by VersionServlet (typically a 404 is returned).

Workaround 2 (guidance): Block access to the ccversion endpoint at a reverse proxy or by another method. On Apache Tomcat, make sure the blocking rule cannot be bypassed through known path-traversal behaviour in reverse-proxy mappings (see "Tomcat path traversal via reverse proxy mapping"): Tomcat strips `;` path parameters and resolves `.` and `..` segments before mapping a request to a servlet, so a rule that matches only the literal request path can be sidestepped by a request such as one containing `/..;/`. Match on the path as Tomcat will normalise it, or deny the whole context except for the paths you need, and test the rule with traversal variants before relying on it. Prefer the patch where possible; the workarounds only remove the reachable endpoint.
Last edited: 13 July 2021 10:54 am