PatchSiren cyber security CVE debrief

CVE-2016-6500 Forgerock CVE debrief

CVE-2016-6500 describes a high-severity remote code execution issue in ForgeRock OpenIDM and OpenICF’s RACF Connector. The flaw is tied to unsafe handling of LDAP data and a constructor call that enables attackers to trigger execution by supplying a crafted serialized Java object, sometimes described as LDAP entry poisoning.

Vendor: Forgerock
Product: CVE-2016-6500
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Administrators and operators running ForgeRock OpenIDM or OpenICF with the RACF Connector, especially where LDAP-related traffic or directory data may be influenced by untrusted parties.

Technical summary

The CVE description says that unspecified methods in RACF Connector versions before 1.1.1.0 improperly call the SearchControls constructor with returnObjFlag set to true. With that flag set, the JNDI client reconstructs Java objects from the attributes of the entries a search returns, so a directory entry carrying a crafted serialized object is deserialized by the connector rather than treated as plain data. NVD classifies the weakness as CWE-20 and assigns the CVSS 3.0 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a remotely reachable issue that requires no privileges or user interaction but has high attack complexity. The impact can include code execution if an attacker can supply a crafted serialized Java object through the affected LDAP-related flow.

Defensive priority

High

Recommended defensive actions

  • Upgrade ForgeRock RACF Connector to 1.1.1.0 or later.
  • Review any LDAP-facing or connector-facing inputs for untrusted serialized Java objects.
  • Restrict network access to the affected connector and any related directory services as much as possible.
  • Monitor for unexpected LDAP entries, connector errors, or other signs of poisoning attempts.
  • Consult the vendor advisory for product-specific mitigation and validation steps.
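As an added defensive check that is not part of the original debrief and is not ForgeRock's code, the following Python scans an LDIF export of the directory for entries carrying the RFC 2713 Java object attributes that a search run with returnObjFlag=true would deserialize. The sample export, its DNs and the serialized-data stub are constructed for illustration.

```python
import base64
import re

# Attribute types of the LDAP Java object schema (RFC 2713). A search run with
# returnObjFlag=true makes JNDI rebuild objects from these attributes on the
# client, which is what turns a poisoned directory entry into code execution.
JAVA_OBJECT_ATTRS = {"javaserializeddata", "javaclassname", "javaclassnames",
                     "javacodebase", "javafactory", "javareferenceaddress"}


def parse_ldif(text):
    """Minimal LDIF parser: unfolds wrapped lines, decodes 'attr:: base64' values."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():   # unfold continuation lines
        if not line.strip():                      # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):                  # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_java_object_entries(ldif_text):
    """Return (dn, sorted suspicious attribute names) for entries carrying Java object attributes."""
    findings = []
    for entry in parse_ldif(ldif_text):
        hits = sorted(a for a in entry if a in JAVA_OBJECT_ATTRS)
        if hits:
            findings.append((entry.get("dn", [""])[0], hits))
    return findings


# Constructed sample export: one ordinary user and one entry carrying a serialized-object stub.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson

dn: cn=poisoned,ou=people,dc=example,dc=com
objectClass: javaSerializedObject
javaClassName: java.lang.Object
javaSerializedData:: rO0ABXNyAA==
"""
```

Run it against a real export (for example the output of an ldapsearch in LDIF form) and treat any hit outside entries you deliberately provisioned as a candidate poisoning attempt to investigate.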

Evidence notes

The CVE was published on 2017-02-03; the supplied NVD record was later modified on 2026-05-13. The description states that the issue affects RACF Connector before 1.1.1.0, while the NVD CPE criteria mark cpe:2.3:a:forgerock:racf_connector:* as vulnerable through 1.1.0.0 inclusive. The record links to a ForgeRock vendor advisory and identifies CWE-20 as the primary weakness.

Official resources

Publicly disclosed by CVE on 2017-02-03. The NVD metadata was updated on 2026-05-13, but that modification date should not be treated as the vulnerability’s original disclosure date.