Pre-auth RCE in ForgeRock Access Manager (CVE-2021-35464)

2021-07-2200:00:00

attackerkb.com

211

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.974 High

EPSS

Percentile

99.9%

JSON

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

Recent assessments:

ccondon-r7 at June 30, 2021 2:35pm UTC reported:

Trivial RCE with a one-line request. Rapid7 Labs is seeing this product in quite a few large enterprises—patch quickly. Shout-out to Portswigger for their excellent write-up: <https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464>

Update July 12, 2021: We now have reliable private reports of exploitation in the wild.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5