[BreachExchange] Critical RCE Flaw in ForgeRock Access Manager Under Active Attack

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jul 13 11:00:54 EDT 2021


https://thehackernews.com/2021/07/critical-rce-flaw-in-forgerock-access.html

Cybersecurity agencies in Australia and the U.S. are warning of an actively
exploited vulnerability impacting ForgeRock's OpenAM access management
solution that could be leveraged to execute arbitrary code on an affected
system remotely.

"The [Australian Cyber Security Centre] has observed actors exploiting this
vulnerability to compromise multiple hosts and deploy additional malware
and tools," the organization said in an alert. ACSC didn't disclose the
nature of the attacks, how widespread they are, or the identities of the
threat actors exploiting them.

Tracked as CVE-2021-35464, the issue concerns a pre-authentication remote
code execution (RCE) vulnerability in ForgeRock Access Manager identity and
access management tool, and stems from an unsafe Java deserialization in
the Jato framework used by the software.

"An attacker exploiting the vulnerability will execute commands in the
context of the current user, not as the root user (unless ForgeRock AM is
running as the root user, which is not recommended)," the San
Francisco-headquartered software firm noted in an advisory.

"An attacker can use the code execution to extract credentials and
certificates, or to gain a further foothold on the host by staging some
kind of shell (such as the common implant Cobalt Strike)," it added.

The vulnerability affects versions 6.0.0.x and all versions of 6.5, up to
and including 6.5.3, and has been addressed in version AM 7 released on
June 29, 2021. ForgeRock customers are advised to move quickly to deploy
the patches to mitigate the risk associated with the flaw.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210713/5a62087e/attachment.html>


More information about the BreachExchange mailing list