CVE-2021-37153

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass authentication in ForgeRock Access Management when configured with Active Directory as the Identity Store. It affects all versions before 7.0.2, potentially granting unauthorized access to protected systems and data.

💻 Affected Systems

Products:
  • ForgeRock Access Management
Versions: All versions before 7.0.2
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when configured with Active Directory as the Identity Store. Other identity stores are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to impersonate any user, access sensitive data, and potentially pivot to other systems.

🟠 Likely Case

Unauthorized access to protected applications and data, privilege escalation, and credential theft.

🟢 If Mitigated

Limited impact with proper network segmentation, monitoring, and compensating controls.

🌐 Internet-Facing: HIGH - Authentication bypass on internet-facing systems allows direct exploitation without internal access.
🏢 Internal Only: HIGH - Internal systems remain vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Authentication bypass vulnerabilities are typically easy to exploit once details are known. No public exploit code is confirmed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0.2 or later

Vendor Advisory: https://backstage.forgerock.com/knowledge/kb/article/a55763454

Restart Required: Yes

Instructions:

1. Download ForgeRock AM 7.0.2 or later from official sources.
2. Back up the current configuration and data.
3. Apply the update following ForgeRock's upgrade documentation.
4. Restart the AM service.
5. Verify functionality.

🔧 Temporary Workarounds

Change Identity Store

Platform: all

Temporarily switch from Active Directory to another supported identity store until patching is possible.

# Requires AM configuration changes via admin console or configuration files

Network Segmentation

Platform: linux

Restrict access to AM instances to trusted networks only.

# Use firewall rules to limit access. A comma-separated port list needs the multiport
# match module (plain --dport accepts only a single port or range).
# Replace trusted_network with the CIDR of the trusted network (placeholder value).
iptables -A INPUT -p tcp -m multiport --dports 80,443,8443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443,8443 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Enable detailed authentication logging and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the AM version via the admin console or configuration files. If the version is below 7.0.2 and the identity store is Active Directory, the system is vulnerable.

Check Version:

# Check version in AM admin console or via: grep 'version' /path/to/am/web.xml

Verify Fix Applied:

Confirm AM version is 7.0.2 or higher and test authentication flows with Active Directory configuration.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts followed by successful access
  • Authentication events from unexpected sources
  • Multiple authentication attempts with varying credentials

Network Indicators:

  • Unusual authentication traffic patterns
  • Requests bypassing normal authentication flows

SIEM Query:

source="am-access.log" (event="AUTHENTICATION_SUCCESS" AND NOT (preceding event="AUTHENTICATION_FAILURE" within 5s))
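The "failed attempts followed by successful access" indicator above, as an added detection example (not code from the page or from ForgeRock). It assumes a constructed one-line-per-event log format with the event names used in the SIEM query; a real AM audit log is JSON and would need its own parser.

```python
"""Flag AUTHENTICATION_SUCCESS events that closely follow failures from the same source IP.

Assumed line format (constructed for this example, not AM's real audit format):
    <ISO-8601 UTC timestamp> <EVENT> user=<principal> src=<ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)  # same window as the SIEM query above

# Constructed sample: a success-after-failures burst from 203.0.113.7, a benign retry from 10.0.0.5.
SAMPLE_LOG = """\
2021-08-01T10:00:00Z AUTHENTICATION_FAILURE user=alice src=203.0.113.7
2021-08-01T10:00:01Z AUTHENTICATION_FAILURE user=bob src=203.0.113.7
2021-08-01T10:00:03Z AUTHENTICATION_SUCCESS user=admin src=203.0.113.7
2021-08-01T10:05:00Z AUTHENTICATION_FAILURE user=carol src=10.0.0.5
2021-08-01T10:05:30Z AUTHENTICATION_SUCCESS user=carol src=10.0.0.5
"""

def parse_line(line):
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }

def find_suspicious_logins(log_text, window=WINDOW):
    """Return (timestamp, src, user, distinct_principals_tried) for each success that
    lands within `window` of a failure from the same source IP. The principal count
    covers the 'varying credentials' indicator: several names tried from one source."""
    recent_failures = defaultdict(list)   # src -> [(ts, user), ...] still inside the window
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Forget failures from this source that have aged out of the window.
        recent_failures[ev["src"]] = [(t, u) for t, u in recent_failures[ev["src"]]
                                      if ev["ts"] - t <= window]
        if ev["event"] == "AUTHENTICATION_FAILURE":
            recent_failures[ev["src"]].append((ev["ts"], ev["user"]))
        elif ev["event"] == "AUTHENTICATION_SUCCESS" and recent_failures[ev["src"]]:
            tried = {u for _, u in recent_failures[ev["src"]]} | {ev["user"]}
            hits.append((ev["ts"], ev["src"], ev["user"], len(tried)))
    return hits

if __name__ == "__main__":
    for ts, src, user, n in find_suspicious_logins(SAMPLE_LOG):
        print(f"{ts.isoformat()} src={src} success as {user} after failures; {n} principals tried")
```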
