ForgeRock AM Vulnerability Exploited in Attacks

Government agencies in the United States and Australia warn organizations that a vulnerability affecting ForgeRock Access Management has been exploited in the wild.

Offered by identity and access management solutions provider ForgeRock, Access Management (AM) is designed to allow organizations to manage various types of digital identities. AM is based on the OpenAM open source solution, which ForgeRock sponsored until 2016.

The vulnerability discovered in ForgeRock AM, tracked as CVE-2021-35464 and rated critical, is a Java deserialization issue that can be exploited by an unauthenticated attacker for remote code execution by sending a specially crafted request to an exposed system.

In its advisory, ForgeRock said, “An attacker can use the code execution to extract credentials and certificates, or to gain a further foothold on the host by staging some kind of shell (such as the common implant Cobalt Strike).”

According to the vendor, AM versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3 are impacted, as well as AM 5.x (no longer supported), and OpenAM versions 9.x through 13.x. AM version 7 is not affected.

The flaw was discovered by Michael Stepankin, a researcher at cybersecurity firm PortSwigger. Stepankin disclosed details of the vulnerability and shared proof-of-concept (PoC) code in late June, when ForgeRock announced the availability of a patch and workarounds.

The Australian Cyber Security Centre (ACSC) warned in an alert issued on July 7, roughly one week after a patch was released, that it had identified “a number of Australian organizations” that had been breached through the exploitation of this vulnerability.

“The ACSC has observed actors exploiting this vulnerability to compromise multiple hosts and deploy additional malware and tools,” the agency said.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Monday, but it’s unclear whether the agency has also observed attacks or if the warning is based on the ACSC alert, which is referenced by CISA.

ForgeRock noted that an attacker can exploit the vulnerability to execute code in the context of the current user, which is why it has advised organizations to ensure that AM is running with minimal privileges.

“The ForgeRock AM deployment should also have suitable firewall, or security groups attached which do not allow traffic in or out of the server where not explicitly required,” the company said.

*updated to clarify that version 7 of AM is not affected; added more information on affected products; headline modified;

Related: SolarWinds Confirms New Zero-Day Flaw Under Attack

Related: GitHub Informs Users of ‘Potentially Serious’ Authentication Bug

Related: XSS Vulnerability in Cisco Security Products Exploited in the Wild