Patch Fixing AM Vulnerability Now Available for ForgeRock AM 6.x

A patch to address a recently disclosed Access Management (AM) vulnerability is now available. More details, as well as immediate workaround measures, are contained in the security advisory here. Neither AM 7 and above nor ForgeRock Identity Cloud is affected.

IMPORTANT: If you have not done so already, we advise you to take immediate action and implement either one of the workarounds or the patch described in the security advisory.

For more guidance, please consult the Technical Impact Assessment CVE-2021-35464 document, which provides more detailed information on the issue and how to determine if you have been impacted. Customers who think they have been impacted should file a support ticket on backstage.forgerock.com to request assistance. 

If we identify additional issues, we will take action as needed to help protect our customers. 

FAQs

What action do I take if I use a reverse proxy?

A reverse proxy only helps if it has been configured to block access to the vulnerable endpoint; on its own it is not sufficient. Customers should also be aware of common ways that reverse proxies can be bypassed, such as path traversal issues and request smuggling, which can let a request reach the endpoint even when a block rule appears to be in place. We would therefore strongly advise applying the workaround and the patch immediately, and treating the proxy rule as a supplementary layer only.
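The following is an added illustration of the caveat above; it is example code written for this page, not ForgeRock's code and not the workaround from the advisory. It shows why a proxy rule that matches the vulnerable path as a literal string prefix can be bypassed with dot segments, `..;` traversal, matrix parameters, and (double) percent-encoding, and how to test a block rule offline against those variants before trusting it. The blocked path `/am/ccversion/` is an assumption standing in for whatever endpoint the advisory for your version names; substitute the exact path from the advisory. Request smuggling, the other bypass the FAQ mentions, is a transport-level issue that a path check like this cannot detect.

```python
# Added example, not code from ForgeRock or the security advisory.
# Demonstrates how a naive prefix-match block rule at a reverse proxy is
# bypassed by path tricks, and how to verify a rule against such probes.
# ASSUMPTION: "/am/ccversion/" stands in for the endpoint path named in
# the advisory for your AM version; replace it with that path.
import posixpath
from urllib.parse import unquote

BLOCKED_PREFIX = "/am/ccversion/"  # assumption: substitute the advisory's path


def naive_is_blocked(raw_path: str) -> bool:
    """What a hastily written proxy rule often amounts to: a literal
    prefix match on the request line, before any canonicalisation."""
    return raw_path.startswith(BLOCKED_PREFIX)


def canonicalise(raw_path: str) -> str:
    """Resolve the request path the way a servlet container does before it
    routes to a resource: drop the query string, percent-decode until stable
    (catches double encoding), strip ';' matrix parameters from each
    segment, then collapse '.', '..' and duplicate slashes."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(path)
    while decoded != path:  # repeat for %25xx-style double encoding
        path, decoded = decoded, unquote(decoded)
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_is_blocked(raw_path: str) -> bool:
    """Prefix match on the canonical path, segment by segment, so that
    '/am/ccversion' is caught but an unrelated '/am/ccversionX' is not."""
    want = [s for s in BLOCKED_PREFIX.split("/") if s]
    have = [s for s in canonicalise(raw_path).split("/") if s]
    return have[: len(want)] == want


# Constructed probe requests. Every one resolves to the blocked endpoint
# once the container canonicalises it. When verifying a real proxy rule,
# send these through the proxy and expect the proxy's own error response
# for each, never a response generated by AM. Here they are used offline.
PROBES = [
    "/am/ccversion/Version",               # the plain request
    "/am/./ccversion/Version",             # dot segment
    "/am/json/../ccversion/Version",       # parent traversal
    "/am/..;/am/ccversion/Version",        # '..;' : proxy keeps it, container treats as '..'
    "/am/ccversion;jsessionid=x/Version",  # matrix parameter on the segment
    "/am/%63cversion/Version",             # percent-encoded 'c'
    "/am/%2563cversion/Version",           # double-encoded 'c'
    "/am//ccversion/Version",              # duplicate slash
]

# Constructed unrelated paths that a correct rule must leave alone.
ALLOWED = ["/am/json/authenticate", "/am/ccversionX/Version", "/am/XUI/"]


def slipped_through(is_blocked) -> list:
    """Probes that the given block rule fails to catch."""
    return [p for p in PROBES if not is_blocked(p)]


def false_positives(is_blocked) -> list:
    """Unrelated paths that the given block rule wrongly blocks."""
    return [p for p in ALLOWED if is_blocked(p)]


if __name__ == "__main__":
    print("naive rule misses:       ", slipped_through(naive_is_blocked))
    print("hardened rule misses:    ", slipped_through(hardened_is_blocked))
    print("hardened false positives:", false_positives(hardened_is_blocked))
```

Run as-is, the naive rule catches only the plain request and lets every other probe through, while the segment-wise match on the canonical path catches all of them without blocking the unrelated paths. Real proxies differ in how much of this normalisation they perform before matching, so the useful check is to send the probes through your actual proxy rather than to trust the rule syntax; and even a rule that passes every probe is a second layer, not a substitute for the patch.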

What if my endpoint is not exposed currently?

We would still recommend applying the patch immediately, in case the endpoint becomes reachable later (for example through a configuration change or a bypass of whatever currently restricts access to it).

I’m not on version 6. Does this vulnerability impact me? 

Older versions are also impacted and should be addressed immediately per the advisory. If you are running version 7.0 or above then you are not impacted. 

I’m not on Java 8, do I need to take any action? 

Although parts of JATO rely on functionality that is not present in later versions of Java, we would not recommend relying on this to prevent the attack. Customers running on Java 9 or above should still follow the guidance in the advisory.

If I’m still in implementation mode, and not live yet do I need to take any action? 

Customers should apply the patch at their earliest convenient opportunity before go-live.