Cybersecurity agencies in U.S. And Australia are warning of an actively exploited vulnerability impacting ForgeRock’s OpenAM access management solution.
Attackers are actively exploiting a critical, pre-authorization remote-code execution (RCE) vulnerability in the popular Access Management platform from digital identity management firm ForgeRock.
ForgeRock Access Management is a commercial open-access management solution that is based on OpenAM, an open-source access management solution.
The Cybersecurity and Infrastructure Security Agency (CISA) warned on Monday that an attacker exploiting this vulnerability can execute commands in the context of the current user. The vulnerability affects Access Management versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, and 6.5.3 and older unsupported versions.
Tracked as CVE-2021-35464, the issue concerns a pre-authentication remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management tool and stems from an unsafe Java deserialization in the Jato framework used by the software.
Also on Monday, ForgeRock said in an updated security notice that the vulnerability does not affect Access Management 7 and above. This affects only a subset of ForgeRock customers that use older versions of the company’s Access Management product.
CISA recommends Access Management users:
- Review the ForgeRock Security Advisory.
- Check for vulnerable instances of the Access Management software (see ForgeRock’s Technical Impact Assessment); and
- Prioritize deploying an update to Access Management version 7 or apply the workaround urgently.
The ACSC strongly recommends that Australian organizations urgently:
- Review their systems and networks for the presence of vulnerable instances of the OpenAM software; and
- Update to OpenAM version 7 or apply the workaround as identified by the ForgeRock Security Advisory #202104.
If you are unable to upgrade or apply mitigations to your OpenAM instance, ACSC recommends isolating it from the internet or shutting down the server.