CVE-2021-35464 – ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability

https://notcve.org/view.php?id=CVE-2021-35464

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier El servidor ForgeRock AM anterior a la versión 7.0 tiene una vulnerabilidad de deserialización de Java en el parámetro jato.pageSession en varias páginas. La explotación no requiere autenticación, y la ejecución remota de código se puede desencadenar mediante el envío de una única solicitud /ccversion/* manipulada al servidor. La vulnerabilidad existe debido al uso de Sun ONE Application Framework (JATO) que se encuentra en las versiones de Java 8 o anteriores ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, which the vendor does not recommend). • https://www.exploit-db.com/exploits/50131 https://github.com/Y4er/openam-CVE-2021-35464 https://github.com/rood8008/CVE-2021-35464 http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html https://backstage.forgerock.com/knowledge/kb/article/a47894244 https://bugster.forgerock.org https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464 • CWE-502: Deserialization of Untrusted Data •