Vulnerability Details : CVE-2021-35464
Public exploit exists!
Used for ransomware!
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier.
Vulnerability category: Execute code
CVE-2021-35464 is in the CISA Known Exploited Vulnerabilities Catalog
This issue is known to have been leveraged as part of a ransomware campaign.
CISA vulnerability name: ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, w
Added on: 2021-11-03
Action due date: 2021-11-17
Exploit prediction scoring system (EPSS) score for CVE-2021-35464
EPSS score: 97.35% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~100% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2021-35464
- ForgeRock / OpenAM Jato Java Deserialization
  Disclosure Date: 2021-06-29
  First seen: 2021-07-09
  Module: exploit/multi/http/cve_2021_35464_forgerock_openam
  Authors: Michael Stepankin, bwatters-r7, Spencer McIntyre, jheysel-r7
CVSS scores for CVE-2021-35464
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2021-35464
- The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2021-35464
- https://backstage.forgerock.com/knowledge/kb/article/a47894244
  AM Security Advisory #202104 - Knowledge - BackStage (Exploit; Vendor Advisory)
- http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html
  ForgeRock Access Manager/OpenAM 14.6.3 Remote Code Execution ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://bugster.forgerock.org
  System Dashboard - ForgeRock JIRA (Broken Link)
- http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html
  ForgeRock / OpenAM Jato Java Deserialization ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
Products affected by CVE-2021-35464
- cpe:2.3:a:forgerock:openam:*:*:*:*:*:*:*:*
- cpe:2.3:a:forgerock:am:*:*:*:*:*:*:*:*