A security vulnerability has been discovered in supported versions of ForgeRock Access Management (AM), according to the Australian Cyber Security Centre (ACSC). The ACSC has observed actors exploiting this vulnerability in ForgeRock OpenAM against several Australian organizations. ForgeRock advises its users to take immediate action and either apply one of the workarounds or install the patch as soon as possible. The vulnerability, tracked as CVE-2021-35464, was recently disclosed. Users can also read ForgeRock's security advisory on this remote code execution flaw.
Discovered two weeks ago
Michael Stepankin, a researcher at the cybersecurity firm PortSwigger, publicly disclosed this vulnerability on June 29. In his blog post, Stepankin shared some details about creating a new ysoserial deserialization gadget chain specifically for the exploit. Following the blog post, ForgeRock released an advisory to its customers with workarounds to protect them from the vulnerability. Within 10 days, the company updated its advisory with a permanent fix.
Stepankin discovered the vulnerability during his research into OAuth vulnerabilities. Describing the flaw, he said:
“I discovered all servers that responded to the “/.well-known/openid-configuration” URI and took a brief look at their configuration. As my intention was to find truly impactful vulnerabilities rather than just “something,” I decided to focus on the systems that are either open source or available to download and decompile. ForgeRock OpenAm was one such system that I found in the bug bounty scope. It appeared to me as a monstrous Java Enterprise application with a huge attack surface, so I decided to take a deeper look into it.”
The vulnerability is a pre-authentication Java deserialization flaw. The legacy Jato framework bundled with AM deserializes untrusted data supplied in the jato.pageSession request parameter on the /ccversion/* endpoints, so an unauthenticated attacker who can reach those endpoints over the network can execute arbitrary code on the AM server. Attackers exploiting such a flaw typically aim to compromise multiple hosts and deploy additional malware and tools. According to ForgeRock's advisory, the flaw affects the AM 6.x line and the earlier OpenAM releases it descends from, but it does not affect AM 7 and above, nor ForgeRock Identity Cloud. Until the patch is installed, ForgeRock's interim workaround is to block access to the /ccversion/* endpoints, for example at a reverse proxy in front of AM.
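For defenders who want to check whether their AM instances were probed or attacked, the following Python script is an added example (it is not code from this article, from Stepankin's post, or from ForgeRock). It scans web-server access log lines for requests to the /ccversion/ servlet path, normalizes the path so that servlet-container tricks such as a "..;/" segment (which Tomcat resolves like "..") still match, and flags any jato.pageSession value that base64-decodes to a Java serialization stream (the 0xACED0005 header that every serialized Java object starts with). The log lines, the payload bytes and the verdict names are constructed for the example.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Header of a Java serialization stream: STREAM_MAGIC (0xACED) + STREAM_VERSION (0x0005).
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"

# Request line and status code out of a combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_path(path: str) -> str:
    """Resolve dot segments and strip ';' path parameters, so that a request such as
    '/openam/oauth2/..;/ccversion/Version' (Tomcat treats '..;' as '..') is matched by
    the same rule as the plain '/openam/ccversion/Version'."""
    parts = []
    for seg in unquote(path).split("/"):
        seg = seg.split(";", 1)[0]          # drop ';jsessionid=...' style path parameters
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def decode_base64_lenient(value: str) -> Optional[bytes]:
    """Decode standard or URL-safe base64, tolerating stripped padding; None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None


def inspect_request(target: str) -> dict:
    """Classify one request target (path plus query string) taken from a log line."""
    url = urlsplit(target)                  # urlsplit keeps ';' inside the path for normalize_path
    path = normalize_path(url.path)
    params = parse_qs(url.query, keep_blank_values=True)
    values = params.get("jato.pageSession", [])
    blobs = [decode_base64_lenient(v) for v in values]
    serialized = any(b is not None and b.startswith(JAVA_SER_MAGIC) for b in blobs)
    on_ccversion = "/ccversion/" in path + "/"
    if on_ccversion and serialized:
        verdict = "exploit-attempt"         # serialized Java object handed to the Jato servlet
    elif on_ccversion and values:
        verdict = "suspicious"              # pageSession present but not a recognizable stream
    elif on_ccversion:
        verdict = "probe"                   # hit on the vulnerable servlet path, no payload
    else:
        verdict = None
    return {"path": path, "verdict": verdict, "java_serialized": serialized}


def scan_log(lines):
    """Return (line number, verdict, normalized path, status) for every flagged line."""
    flagged = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        info = inspect_request(m.group("target"))
        if info["verdict"]:
            flagged.append((n, info["verdict"], info["path"], int(m.group("status"))))
    return flagged


# Constructed sample payload: the opening bytes of a Java serialization stream, base64-encoded
# and then URL-encoded the way a jato.pageSession query parameter would carry it.
SAMPLE_BLOB = quote(base64.b64encode(JAVA_SER_MAGIC + b"sr\x00\x11java.util.HashMap").decode(), safe="")

# Constructed access log: one benign request, one probe, one direct attempt, one '..;/' variant.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2021:10:15:31 +1000] "GET /openam/json/serverinfo/* HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Jul/2021:10:15:32 +1000] "GET /openam/ccversion/Version HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    f'10.0.0.5 - - [12/Jul/2021:10:15:33 +1000] "GET /openam/ccversion/Version?jato.pageSession={SAMPLE_BLOB} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    f'10.0.0.5 - - [12/Jul/2021:10:15:34 +1000] "GET /openam/oauth2/..;/ccversion/Version?jato.pageSession={SAMPLE_BLOB} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for n, verdict, path, status in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict:15s} {path} (HTTP {status})")
```

A 200 response to an exploit-attempt line is the case to escalate: on a patched or blocked instance the request should fail, and on a vulnerable one a 200 means the payload was deserialized. Hits on hosts that front AM with a proxy should be correlated with the proxy's own logs, since the block rule in ForgeRock's workaround applies to the unnormalized path the proxy sees.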