Hackers exploit a new vulnerability in the ForgeRock Access Management platform
The Cybersecurity and Infrastructure Security Agency (CISA) has warned that hackers are exploiting a dangerous vulnerability in ForgeRock’s popular Access Management platform.
Access Management is a commercial access control platform based on the OpenAM open-source access control platform for web applications.
As reported in the CISA notice, a vulnerability (CVE-2021-35464) allows attackers to execute commands in the context of the current user. The vulnerability affects versions of Access Management prior to 7.0 running on Java 8: 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x, 6.5.3 and earlier, no longer supported versions. Access Management version 7.0 and later are not affected by this vulnerability.
PortSwigger specialist Michael Stepankin was the first to report the vulnerability on June 29, 2021. To exploit the vulnerability, he created a whole chain of Ysoserial deserialization gadgets.
Published on GitHub, Ysoserial is a PoC tool for generating payloads using unsafe deserialization of a Java object. Serialization is a mechanism for converting the state of an object to a stream of bytes. Deserialization, in turn, is a reverse process — the mechanism by which a stream of bytes is used to recreate a real Java object in memory.
Within a few hours after Stepankin’s disclosure of the vulnerability, ForgeRock issued recommendations to address it. An update fixing the vulnerability was released on July 9th.
Catch up on more articles here
Follow us on Twitter here