The Australian and US governments have issued warnings about an actively exploited vulnerability in OpenAM, which could allow attackers to execute arbitrary code remotely. OpenAM is ForgeRock’s open-source access management, entitlements, and federation solution used by enterprises.
The Australian Cyber Security Centre said that it has spotted attackers exploiting a major vulnerability in ForgeRock’s platform that enables attackers to compromise multiple hosts and deploy additional malware.
ACSC didn’t disclose the identities of the threat actors nor the nature of the attacks.
This issue, tracked as CVE-2021-35464, is a pre-authentication remote code execution (RCE) vulnerability in ForgeRock Access Manager. It is caused by an unsafe Java deserialization configuration in the Jato framework used by the platform.
Successful exploitation of the flaw could allow an attacker to execute arbitrary commands in the context of a current user, not as the root user, the San Francisco-headquartered company noted.
An attacker can use this code execution to extract sensitive information, such as credentials and certificates, from a vulnerable host. They can also gain a foothold by staging a shell with Cobalt Strike or a similar tool.
The issue affects versions 6.0.0.x and all 6.5 releases up to and including 6.5.3; it has been addressed in version 7. ForgeRock advises customers to apply the patches quickly.
The ACSC strongly recommends that Australian organizations urgently:
“Review their systems and networks for the presence of vulnerable instances of the OpenAM software; and Update to OpenAM version 7 or apply the workaround as identified by the ForgeRock Security Advisory #202104.”
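The review step above starts with an inventory check against the affected ranges the article lists (6.0.0.x and 6.5.0 through 6.5.3, fixed in 7). The script below is an added example, not ForgeRock's or the ACSC's code; the host names and version strings are constructed sample data, and treating 6.5.3 point releases as affected is a deliberately conservative assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges as stated in the advisory text: 6.0.0.x and 6.5.0 .. 6.5.3.
# Version 7 is the fixed release.

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '6.5.2.3' into (6, 5, 2, 3); return None for strings that are not versions."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(version: str) -> bool:
    """True when the version falls in a range affected by CVE-2021-35464."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unparseable version: {version!r}")
    parsed = parsed + (0,) * (4 - len(parsed))  # pad to four components
    major, minor, patch = parsed[0], parsed[1], parsed[2]
    if major == 6 and minor == 0 and patch == 0:
        return True   # 6.0.0.x
    if major == 6 and minor == 5 and patch <= 3:
        return True   # 6.5.0 .. 6.5.3 (assumption: 6.5.3.x point releases counted as affected)
    return False

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort hosts into affected / clear / unknown; unknown entries need manual review."""
    result: Dict[str, List[str]] = {"affected": [], "clear": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "clear"
        except ValueError:
            bucket = "unknown"  # no usable version string reported for this host
        result[bucket].append(host)
    return result

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "sso-a.example.test": "6.5.2.3",
    "sso-b.example.test": "6.5.3",
    "sso-c.example.test": "7.0.0",
    "sso-d.example.test": "6.0.0.7",
    "sso-e.example.test": "6.5.4",
    "sso-f.example.test": "unknown",
}

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for host in report["affected"]:
        print(f"{host}: affected, update to OpenAM 7 or apply the ForgeRock #202104 workaround")
    for host in report["unknown"]:
        print(f"{host}: version not reported, review manually")
```

Feed the function the version strings your own asset register or admin console reports; the unknown bucket is the list to chase down by hand rather than assume clear.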