CVE-2021-35464
📋 TL;DR
CVE-2021-35464 is an unauthenticated remote code execution vulnerability in ForgeRock AM servers due to insecure Java deserialization in the jato.pageSession parameter. Attackers can exploit this by sending a single crafted request to trigger arbitrary code execution on vulnerable servers. Organizations running ForgeRock AM versions before 7.0 with Java 8 or earlier are affected.
💻 Affected Systems
- ForgeRock Access Manager (AM)
- ForgeRock OpenAM
📦 What is this software?
OpenAM by ForgeRock
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, install malware, steal sensitive data, and pivot to other systems in the network.
Likely Case
Remote code execution leading to data theft, credential harvesting, and deployment of ransomware or backdoors on vulnerable servers.
If Mitigated
Limited impact if proper network segmentation, WAF rules, and intrusion detection are in place to block exploitation attempts.
🎯 Exploit Status
Multiple public exploit scripts and proof-of-concepts are available. Exploitation requires only a single HTTP request to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.0 or later
Vendor Advisory: https://backstage.forgerock.com/knowledge/kb/article/a47894244
Restart Required: Yes
Instructions:
1. Upgrade ForgeRock AM to version 7.0 or later.
2. Apply all security patches from ForgeRock.
3. Restart the AM service after upgrade.
🔧 Temporary Workarounds
Block vulnerable endpoints
Configure a web application firewall or reverse proxy to block requests to the /ccversion/* endpoints. AM is normally deployed under a context path (for example /openam/), so match /ccversion/ anywhere in the path instead of anchoring the pattern to the site root.
# Example nginx location block (regex match, not anchored to the root)
location ~ /ccversion/ { deny all; }
# Example Apache mod_rewrite (RewriteEngine must be enabled in the same context)
RewriteEngine On
RewriteRule /ccversion/ - [F]
Upgrade Java version
Upgrade to Java 9 or later to remove the vulnerable JATO framework dependency
# Check current Java version
java -version
# Install Java 11+
# Ubuntu/Debian: apt install openjdk-11-jdk
# RHEL/CentOS: yum install java-11-openjdk
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable servers from critical systems
- Deploy web application firewall with rules to detect and block deserialization attacks
🔍 How to Verify
Check if Vulnerable:
Check the ForgeRock AM version and the Java version. If AM < 7.0 and Java ≤ 8, the system is vulnerable.
Check Version:
# Check ForgeRock AM version
cat /path/to/am/version.txt
# Check Java version
java -version
Verify Fix Applied:
Verify AM version is ≥ 7.0 and Java version is ≥ 9. Test that /ccversion/* endpoints no longer accept malicious payloads.
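The version rule above (AM < 7.0 together with Java ≤ 8) is easy to misjudge by hand, because Java 8 and earlier report themselves as "1.8.0_xxx" while Java 9 and later report "11.0.11" or "17". The following Python script is an added example, not part of this advisory or of ForgeRock's tooling: it applies the page's rule to the output of `java -version` and to an AM version string. The sample version strings and the `live_java_version_output` helper are assumptions made for the example.

```python
import re
import subprocess
from typing import Tuple

# Rule as stated in this advisory: vulnerable when AM < 7.0 AND Java <= 8.
AM_FIXED_MAJOR = 7    # first fixed AM release line
JAVA_SAFE_MAJOR = 9   # Java 9+ no longer carries the vulnerable JATO dependency (per the advisory)


def parse_java_major(version_output: str) -> int:
    """Java major version from `java -version` output.

    Java 8 and earlier print the legacy scheme ("1.8.0_292" -> 8);
    Java 9+ print the new scheme ("11.0.11" -> 11, "17" -> 17).
    """
    m = re.search(r'version "([^"]+)"', version_output)
    if not m:
        raise ValueError("no version string in java -version output")
    parts = m.group(1).split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])                              # legacy 1.x scheme
    return int(re.match(r"\d+", parts[0]).group(0))       # modern scheme, tolerates "17-ea"


def parse_am_version(version_text: str) -> Tuple[int, int]:
    """(major, minor) from an AM/OpenAM version string such as 'ForgeRock Access Management 6.5.3'."""
    m = re.search(r"(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no AM version number found")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(am_version_text: str, java_version_output: str) -> bool:
    """Apply the advisory's rule: AM < 7.0 together with Java <= 8."""
    am_major, _ = parse_am_version(am_version_text)
    java_major = parse_java_major(java_version_output)
    return am_major < AM_FIXED_MAJOR and java_major < JAVA_SAFE_MAJOR


def live_java_version_output() -> str:
    """Assumed helper: run `java -version`; the JVM prints its banner to stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real server.
    samples = [
        ("ForgeRock Access Management 6.5.3", 'openjdk version "1.8.0_292"\n'),
        ("ForgeRock Access Management 6.5.3", 'openjdk version "11.0.11" 2021-04-20\n'),
        ("ForgeRock Access Management 7.0.1", 'openjdk version "1.8.0_292"\n'),
    ]
    for am, java in samples:
        verdict = "VULNERABLE" if is_vulnerable(am, java) else "not affected by this rule"
        print(f"{am!r} on Java {parse_java_major(java)}: {verdict}")
```

On a live host, pass the contents of the AM version file together with `live_java_version_output()` to `is_vulnerable`; the check is only as good as the version string it is given, so confirm the fix on the running instance as described above rather than from the installed files alone.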
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /ccversion/* endpoints
- Java deserialization errors in logs
- Unexpected process execution from AM service
Network Indicators:
- HTTP POST requests to /ccversion/* with serialized Java objects
- Base64 encoded payloads in URL parameters
SIEM Query:
source="*am*.log" AND (uri_path="/ccversion/*" OR message="*deserialization*" OR message="*jato*")
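The indicators and the SIEM query above can be turned into a small offline check. The following Python script is an added example, not part of this advisory: it scans access-log lines for requests to /ccversion/*, for jato.* parameters, and for parameter values that are base64 of a Java serialization stream (the 0xACED0005 stream header, whose base64 form starts with "rO0AB", is a well-known constant and not taken from this page), and scans application-log lines for the "deserialization" and "jato" keywords from the SIEM query. The log lines are constructed samples, and the log format and indicator names are assumptions made for the example.

```python
import base64
import re
from typing import Dict, List
from urllib.parse import quote, unquote

# Java serialization stream header (0xACED0005) and its base64 form; a
# well-known constant, not something taken from this advisory.
JAVA_STREAM_HEADER = b"\xac\xed\x00\x05"
JAVA_STREAM_B64_PREFIX = "rO0AB"

# Combined-log-format request line (assumed format); group names are our own.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Keywords mirroring the advisory's SIEM query (message="*deserialization*" OR message="*jato*").
APP_LOG_KEYWORDS = ("deserializ", "jato")


def parse_query(query: str) -> Dict[str, List[str]]:
    """Split a query string without turning '+' into a space (base64 uses '+')."""
    params: Dict[str, List[str]] = {}
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        params.setdefault(unquote(name), []).append(unquote(value))
    return params


def looks_like_java_serialized(value: str) -> bool:
    """True if `value` is base64 (standard or URL-safe, padded or not) of a Java serialization stream."""
    value = value.replace("-", "+").replace("_", "/")
    if not value.startswith(JAVA_STREAM_B64_PREFIX):   # cheap filter before decoding
        return False
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:
        return False
    return raw.startswith(JAVA_STREAM_HEADER)


def access_log_indicators(line: str) -> List[str]:
    """Indicators from one access-log line; empty if none match or the line is not an access-log line."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return []
    hits: List[str] = []
    path, _, query = m.group("target").partition("?")
    if "/ccversion/" in path:
        hits.append("ccversion-endpoint")
        if m.group("method") == "POST":
            hits.append("post-to-ccversion")
    for name, values in parse_query(query).items():
        if name.startswith("jato."):
            hits.append("jato-parameter")
        if any(looks_like_java_serialized(v) for v in values):
            hits.append("serialized-java-object:" + name)
    return hits


def app_log_indicators(line: str) -> List[str]:
    """Keyword indicators from an AM application-log line (case-insensitive)."""
    lower = line.lower()
    return [kw for kw in APP_LOG_KEYWORDS if kw in lower]


def scan(lines: List[str]) -> List[tuple]:
    """Return (line_number, indicators) for every line that matches at least one indicator.

    Access-log parsing is tried first; lines it does not flag fall through to the keyword check.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        hits = access_log_indicators(line) or app_log_indicators(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample lines (not real traffic). The suspicious value is only the
# stream header plus filler bytes, base64- and percent-encoded as it would appear in a URL.
_SAMPLE_VALUE = quote(base64.b64encode(JAVA_STREAM_HEADER + b"constructed filler").decode(), safe="")
SAMPLE_LINES = [
    '10.0.0.5 - - [12/Jul/2021:10:15:01 +0000] "GET /openam/XUI/ HTTP/1.1" 200 1532',
    '10.0.0.9 - - [12/Jul/2021:10:15:07 +0000] "GET /openam/ccversion/Version?jato.pageSession='
    + _SAMPLE_VALUE + ' HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jul/2021:10:15:09 +0000] "POST /openam/ccversion/Version HTTP/1.1" 500 0',
    '2021-07-12 10:15:09 ERROR constructed-sample: jato.pageSession deserialization failed',
    '10.0.0.7 - - [12/Jul/2021:10:16:30 +0000] "GET /openam/json/serverinfo/%2A HTTP/1.1" 200 210',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LINES):
        print(f"line {n}: {', '.join(hits)}")
```

The serialized-object check decodes the value rather than trusting the "rO0AB" prefix alone, so a value that merely shares the prefix but is not valid base64 is not flagged; the query parser deliberately avoids `urllib.parse.parse_qs`, which would rewrite the '+' characters of a base64 value into spaces before they could be decoded.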
🔗 References
- http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html
- http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html
- https://backstage.forgerock.com/knowledge/kb/article/a47894244
- https://bugster.forgerock.org
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35464