module
ForgeRock / OpenAM Jato Java Deserialization
| Disclosed |
|---|
| Jun 29, 2021 |
Disclosed
Jun 29, 2021
Description
This module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and
access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's
implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a
vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user.
This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus
is susceptible to the same issue.
access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's
implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a
vulnerable endpoint. Successful exploitation yields code execution on the target system as the service user.
This vulnerability also affects the ForgeRock identity platform which is built on top of OpenAM and is thus
is susceptible to the same issue.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.