module
ForgeRock / OpenAM Jato Java Deserialization
| Disclosed | Created |
|---|---|
| Jun 29, 2021 | Jul 10, 2021 |
Disclosed
Jun 29, 2021
Created
Jul 10, 2021
Description
This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and
access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's
implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a
vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user.
This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus
is susceptible to the same issue.
access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's
implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a
vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user.
This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus
is susceptible to the same issue.
Authors
Michael Stepankin
bwatters-r7
Spencer McIntyre
jheysel-r7
bwatters-r7
Spencer McIntyre
jheysel-r7
Platform
Linux,Unix
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.