As part of Hub City Media’s ongoing efforts to ensure ForgeRock IAM environments remain secure, we are advising that ForgeRock has released a security advisory update for Directory Services.
To maintain the best possible security posture, please review this patch with your team.
ForgeRock Directory Services 5.5.2
Component: Core Server
Security Advisory #201803: ForgeRock has discovered a Medium-level security vulnerability in ForgeRock Directory Services (DS) 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS / OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0.
Release Notes for 5.5.2: ForgeRock maintenance releases provide fixes to existing bugs that improve functionality, security and performance for your DS deployment. No new features have been introduced. The release can be deployed as an initial deployment or used to upgrade from an existing version.
Vulnerability Details: The password policy response control is returned incorrectly when an account is locked and a bind operation for the account includes the correct password. As a result, it is possible to brute force a locked account’s password even after it has been locked due to too many authentication failures.
Resolution: Update / upgrade to DS 5.5.2 or deploy the relevant patch bundle.