Service Notices
ForgeRock AM Remote Code Execution Vulnerability (CVE-2021-35464)
Jul 01, 2021 GMT+08:00
I. Overview
Security researchers have disclosed a remote code execution vulnerability (CVE-2021-35464) in ForgeRock AM. Attackers can exploit a Java deserialization vulnerability in the Jato framework used by ForgeRock AM: a crafted request triggers deserialization of attacker-supplied data, which executes arbitrary code and gives the attacker control of the ForgeRock AM server.
ForgeRock AM is an open-source access management and permission control platform. If you are a ForgeRock AM user, check your system and apply security hardening promptly.
Reference: https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
ForgeRock AM 6.0.0.x
ForgeRock AM 6.5.0.x
ForgeRock AM 6.5.1
ForgeRock AM 6.5.2.x
ForgeRock AM 6.5.3
Secure version:
ForgeRock AM 7
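The affected list above mixes exact entries (6.5.1, 6.5.3) with ".x" entries that cover a whole patch series. The following Python script is an added example, not code from Huawei Cloud or ForgeRock, that turns that list into a repeatable inventory check: it parses version strings, flags anything in an affected series, treats ForgeRock AM 7 and later as secure, and reports versions the notice does not list as "unknown" rather than assuming they are safe. The hostnames and versions in the inventory are constructed sample data.

```python
"""Added example: triage ForgeRock AM instances against the affected
version list in this notice (CVE-2021-35464). Not Huawei Cloud or
ForgeRock code; the inventory below is constructed sample data."""
import re
from typing import Dict, Tuple

# Version entries copied from the notice. "a.b.c.x" means any patch level
# under a.b.c; a plain entry such as "6.5.1" is also treated as a prefix,
# so a hypothetical 6.5.1.1 is flagged rather than silently passed.
AFFECTED_ENTRIES = ["6.0.0.x", "6.5.0.x", "6.5.1", "6.5.2.x", "6.5.3"]

# The notice names ForgeRock AM 7 as the secure version.
SECURE_FROM_MAJOR = 7

# Constructed inventory: hostname -> version string as reported by the instance.
SAMPLE_INVENTORY = {
    "am-prod-01.example.internal": "6.5.2.3",
    "am-prod-02.example.internal": "6.5.3",
    "am-staging.example.internal": "7.0.2",
    "am-legacy.example.internal": "5.5.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'6.5.2.3' -> (6, 5, 2, 3). Rejects anything that is not dotted digits so a
    malformed banner raises instead of being misread as 'not affected'."""
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def entry_prefix(entry: str) -> Tuple[int, ...]:
    """Drop a trailing '.x' from a notice entry and parse the numeric prefix."""
    parts = entry.split(".")
    if parts[-1] == "x":
        parts = parts[:-1]
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'affected', 'secure' or 'unknown' for one version string.
    'unknown' is deliberate: a version the notice does not list (6.5.4, a 5.x
    release) is not assumed safe and should be checked against the vendor advisory."""
    parsed = parse_version(version)
    for entry in AFFECTED_ENTRIES:
        prefix = entry_prefix(entry)
        if parsed[: len(prefix)] == prefix:
            return "affected"
    if parsed[0] >= SECURE_FROM_MAJOR:
        return "secure"
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map every host to its status; a bad version string is reported as 'invalid'
    so one broken banner does not abort the whole run."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = assess(version)
        except ValueError:
            result[host] = "invalid"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Feed it the version strings collected from your own instances in place of SAMPLE_INVENTORY; every host reported as "affected" falls into the upgrade path described in the next section, and "unknown" hosts need a manual check rather than being left alone.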
IV. Vulnerability Handling
This vulnerability has been fixed in newly released versions. If your service version falls into the affected range, upgrade it to the latest secure version.
https://backstage.forgerock.com/downloads/browse/am/featured
HUAWEI CLOUD WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.