Critical RCE Vulnerability in ForgeRock Access Management

Cybersecurity agencies in the U.S. and Australia are warning of an actively exploited vulnerability in ForgeRock's OpenAM-based Access Management product.

Attackers are actively exploiting a critical, pre-authentication remote code execution (RCE) vulnerability in Access Management, the widely deployed platform from digital identity firm ForgeRock.

ForgeRock Access Management is a commercial access management product built on OpenAM, an open-source access management solution.

The Cybersecurity and Infrastructure Security Agency (CISA) warned on Monday that an attacker exploiting this vulnerability can execute commands in the context of the current user. The vulnerability affects Access Management versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3, as well as older, unsupported versions.

Tracked as CVE-2021-35464, the issue is a pre-authentication remote code execution (RCE) vulnerability in the ForgeRock Access Management identity and access management product. It stems from unsafe Java deserialization in the Jato framework used by the software: because the serialized object is reconstructed before any authentication check runs, an unauthenticated attacker can supply the object graph that the server rehydrates.
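The following is an added, self-contained illustration of the vulnerability class described above; it is not ForgeRock or Jato code and does not reproduce the real vulnerable endpoint. It shows the generic unsafe pattern (client-supplied bytes passed straight to `ObjectInputStream.readObject()`) next to a hardened version that uses a JEP 290 `ObjectInputFilter` allowlist. The `PageState` class, the `base64State` parameter and the `HashMap` stand-in for an unexpected class are all assumptions made for the demo.

```java
import java.io.*;
import java.util.Base64;

// Added example: the unsafe Java deserialization pattern behind pre-auth RCE,
// and the allowlist filter that defuses it. Not code from ForgeRock or Jato;
// PageState, base64State and the HashMap "hostile" payload are stand-ins.
public class DeserializationDemo {

    // Stand-in for legitimate page state, the only type the endpoint should accept.
    static final class PageState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String view;
        PageState(String view) { this.view = view; }
    }

    // Vulnerable pattern: the client's bytes are rehydrated into an object graph
    // before any type check runs. A gadget chain on the classpath executes during
    // readObject(), so authentication never gets a chance to intervene.
    static Object unsafeRestore(String base64State) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64State);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 filter rejects every class that is not one the
    // application expects, before the stream's bytes are interpreted.
    static Object safeRestore(String base64State) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64State);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                // Null class means a depth/reference/array-length check, not a type.
                if (c == null) return ObjectInputFilter.Status.UNDECIDED;
                if (c == PageState.class || c == String.class) {
                    return ObjectInputFilter.Status.ALLOWED;
                }
                return ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject();
        }
    }

    // Helper that produces the base64 form a client would send.
    static String serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        String legit = serialize(new PageState("login"));
        // Benign stand-in for an unexpected class; a real attack sends a gadget chain.
        String hostile = serialize(new java.util.HashMap<String, String>());

        System.out.println("unsafe, legit:   " + unsafeRestore(legit).getClass().getSimpleName());
        System.out.println("unsafe, hostile: " + unsafeRestore(hostile).getClass().getSimpleName());
        System.out.println("safe, legit:     " + safeRestore(legit).getClass().getSimpleName());
        try {
            safeRestore(hostile);
            System.out.println("safe, hostile:   accepted (filter did not fire)");
        } catch (InvalidClassException e) {
            System.out.println("safe, hostile:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Requires Java 9 or later for `ObjectInputFilter`. The unsafe path accepts the `HashMap` payload without complaint, which is exactly the property a gadget chain relies on; the filtered path throws `InvalidClassException` as soon as the unexpected class descriptor is read. An allowlist is the right shape here: a denylist of known gadget classes only holds until the next gadget is published.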

Also on Monday, ForgeRock said in an updated security notice that the vulnerability does not affect Access Management 7 and above, so only the subset of customers still running older versions of the product is exposed.


CISA has also issued recommendations for Access Management users.

The ACSC strongly recommends that Australian organizations urgently:

  • Review their systems and networks for the presence of vulnerable instances of the OpenAM software; and
  • Update to OpenAM version 7 or apply the workaround as identified by the ForgeRock Security Advisory #202104.

If you are unable to upgrade or apply mitigations to your OpenAM instance, ACSC recommends isolating it from the internet or shutting down the server.
