PT-2021-5345

Published 2021-06-29 · Updated 2026-04-12 · CVE-2021-35464

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

ForgeRock Access Management (AM) Core Server, versions prior to 7.0
ForgeRock OpenAM, version 14.6.3 and earlier
Description

The vulnerability is an unsafe Java deserialization of the jato.pageSession parameter, which is accepted on multiple pages of the legacy administration console. The parameter carries a base64-encoded Java serialization stream that the server deserializes before any authentication takes place, so an unauthenticated remote attacker can achieve remote code execution by sending a single crafted request to a /ccversion/* endpoint. The root cause is the use of the legacy Sun ONE Application Framework (JATO) in these pages; published analysis reports that exploitation requires the server to run on Java 8 or earlier.

The vulnerability has been exploited in the wild, including by a financially motivated actor that targeted telecommunication service providers and business process outsourcing firms. That actor used social engineering, among other techniques, to gain initial access to corporate networks and then exploited this vulnerability to execute code and escalate privileges in the victims' AWS environments.
Recommendations

ForgeRock Access Management (AM) Core Server prior to 7.0: upgrade to version 7.0 or later.
ForgeRock OpenAM 14.6.3 and earlier: upgrade to version 14.6.4 or later.

If upgrading is not immediately possible, block requests to the legacy /ccversion/* endpoints at the reverse proxy, load balancer or WAF in front of the server, since that is where the jato.pageSession parameter is processed without authentication. Restricting the parameter alone is not sufficient, because it can be supplied in the query string or in the request body. Treat any /ccversion/* request that carries jato.pageSession as a potential exploitation attempt until the fix is applied.
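The following triage script is an added example and is not part of this advisory or of the ForgeRock/OpenAM code base. It scans reverse-proxy access logs in combined log format for requests to /ccversion/* endpoints, extracts the jato.pageSession parameter from the query string, base64-decodes it and checks for the Java serialization stream header (0xAC 0xED 0x00 0x05). The log lines, IP addresses, context path /openam and the filler payload are all constructed for the example; the detection is a triage signal rather than proof of compromise, since legitimate use of the legacy console also sends serialized data in this parameter, and POST bodies are not visible in access logs at all.

```python
"""Flag /ccversion/* requests whose jato.pageSession parameter is a Java
serialization stream (CVE-2021-35464 triage). Added example; sample log
lines and payload below are constructed, not captured traffic."""
import base64
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC 0xACED + STREAM_VERSION 5

# Apache/nginx "combined" access-log format as written by a proxy in front of AM.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def decode_page_session(value: str) -> Optional[bytes]:
    """Decode a jato.pageSession value. Tolerates URL-encoding, the URL-safe
    base64 alphabet and missing padding; returns None if it is not base64."""
    raw = unquote(value).strip().replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify_request(method: str, target: str) -> Optional[dict]:
    """Return a finding for a /ccversion/* request, or None for unrelated requests.
    'target' is the request path plus query string exactly as logged."""
    parts = urlsplit(target)
    if "/ccversion/" not in parts.path:
        return None
    values = parse_qs(parts.query).get("jato.pageSession", [])
    if not values:
        # The parameter may also travel in a POST body, which access logs omit.
        kind = "ccversion_post_body_uninspected" if method == "POST" else "ccversion_access"
        return {"kind": kind, "path": parts.path, "payload_len": 0}
    decoded = decode_page_session(values[0])
    if decoded is not None and decoded.startswith(JAVA_SERIAL_MAGIC):
        kind = "ccversion_java_serialized_payload"
    else:
        kind = "ccversion_page_session_not_serialized"
    return {"kind": kind, "path": parts.path, "payload_len": len(decoded or b"")}


def scan_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, int, dict]]:
    """Yield (client_ip, timestamp, status, finding) for every suspicious line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m["method"], m["target"])
        if finding:
            yield m["ip"], m["ts"], int(m["status"]), finding


# --- constructed sample traffic (hypothetical context path /openam) -----------------
# Stand-in serialized object: the real stream header followed by filler, so the
# line carries a Java stream without being an actual gadget chain.
FAKE_STREAM = JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap" + b"\x00" * 511
STD_B64 = base64.b64encode(FAKE_STREAM).decode()                          # standard alphabet
URLSAFE_B64 = base64.urlsafe_b64encode(FAKE_STREAM).decode().rstrip("=")  # unpadded variant

SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jun/2021:10:00:01 +0000] "GET /openam/XUI/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [28/Jun/2021:10:00:02 +0000] "GET /openam/ccversion/Version?jato.pageSession='
    + STD_B64.replace("=", "%3D").replace("+", "%2B") + ' HTTP/1.1" 200 8842',
    '203.0.113.7 - - [28/Jun/2021:10:00:03 +0000] "GET /openam/ccversion/Version?jato.pageSession='
    + URLSAFE_B64 + ' HTTP/1.1" 500 231',
    '198.51.100.9 - - [28/Jun/2021:10:00:04 +0000] "POST /openam/ccversion/Version HTTP/1.1" 200 8842',
    '198.51.100.9 - - [28/Jun/2021:10:00:05 +0000] "GET /openam/ccversion/Version?jato.pageSession=notbase64! HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for ip, ts, status, finding in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {finding['kind']} path={finding['path']} "
              f"payload_len={finding['payload_len']}")
```

Run it against the real proxy log instead of SAMPLE_LOG and sort findings by client address; a single source sending several kilobytes of serialized data to /ccversion/* is the pattern to escalate, while any POST to those paths needs body-level inspection (WAF or full request capture) that access logs cannot provide.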

Exploit

Fix

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

BDU:2021-06175
CVE-2021-35464

Affected Products

AWS
ForgeRock Access Management
ForgeRock OpenAM
Java
Sun ONE Application Framework