When was the exploit discovered?
On June 29, 2021, Michael Stepankin, a researcher at the cybersecurity firm PortSwigger, publicly disclosed the vulnerability (tracked as CVE-2021-35464). To turn it into a working exploit, he wrote a new ysoserial deserialization gadget chain.
How does the exploit work?
The exploit abuses unsafe Java deserialization: a legacy OpenAM endpoint accepts a serialized Java object from the client and deserializes it without checking what it contains.
Let’s discuss the mechanism of the attack. In Java, an object’s state is the set of values its fields hold at a given point in time. For a real-world example, consider a car as an object; it would have fields such as color = red, weight = 3400 lbs, year = 2017. In an access management product like OpenAM, an object could be a person with fields such as firstname = John, lastname = Smith, PasswordLastSet = 7/1/21.
Java objects can be serialized and deserialized. Serialization turns the object’s state (the car or the user) into a byte stream; when the software needs the object again, deserialization rebuilds it from that byte stream, turning the bytes back into color = red. The security problem is that the byte stream also names the classes to instantiate. If the bytes come from an attacker, the attacker chooses which classes on the server’s classpath get loaded, and any code those classes run during deserialization (their readObject methods) executes before the application has a chance to validate anything. A gadget chain is a sequence of such classes, already present on the server, that an attacker links together so that deserializing them ends in arbitrary code execution.
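As an added illustration (example code written for this page, not OpenAM’s or ForgeRock’s code), the snippet below serializes a User like the one above, shows why deserializing bytes that an attacker controls is dangerous, and shows how a Java 9+ ObjectInputFilter allow-list stops it. The User and Gadget classes, the field names and the "whoami" string are all made up for the example; Gadget only prints a line, it does not run any command.

```java
import java.io.*;

/*
 * Added example, not OpenAM code. Shows (1) Java serialization of an
 * object's state, (2) why deserializing attacker-controlled bytes is unsafe:
 * any Serializable class on the classpath can be named in the stream and its
 * readObject runs before the caller's cast or validation, and (3) a hardened
 * reader using an allow-list ObjectInputFilter (java.io, Java 9 and later).
 */
public class DeserializationDemo {

    // The "user" object from the text: its state is what gets serialized.
    static class User implements Serializable {
        private static final long serialVersionUID = 1L;
        String firstName;
        String lastName;
        User(String firstName, String lastName) {
            this.firstName = firstName;
            this.lastName = lastName;
        }
        @Override public String toString() { return firstName + " " + lastName; }
    }

    // Stand-in for a gadget (hypothetical class): the server never creates one,
    // but because the class is on the classpath the byte stream can name it.
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        String command;
        Gadget(String command) { this.command = command; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // A real gadget chain would reach something like Runtime.exec here; we only print.
            System.out.println("[gadget] readObject ran with: " + command);
        }
    }

    // Serialization: object state -> byte stream.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unsafe: the only "check" is the cast, which happens after readObject has already run.
    static User unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (User) ois.readObject();
        }
    }

    // Hardened: an allow-list filter rejects every class except User (and String,
    // which User's fields contain) before any of the class's own code can run.
    static User safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "java.lang.String;" + User.class.getName() + ";!*"));
            return (User) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new User("John", "Smith"));
        System.out.println("unsafe, legitimate input: " + unsafeDeserialize(legit));

        // Constructed "attacker" input: a Gadget instead of the expected User.
        byte[] hostile = serialize(new Gadget("whoami"));
        try {
            unsafeDeserialize(hostile);
        } catch (ClassCastException e) {
            System.out.println("unsafe: gadget code already ran before the cast failed");
        }

        System.out.println("safe, legitimate input: " + safeDeserialize(legit));
        try {
            safeDeserialize(hostile);
        } catch (InvalidClassException e) {
            System.out.println("safe: rejected before any gadget code ran: " + e.getMessage());
        }
    }
}
```

Run it with javac and java on JDK 9 or newer. The unsafe path prints the gadget’s line before the ClassCastException, which is the whole point: by the time the application can inspect what it received, the attacker’s class has already executed. The filtered path throws InvalidClassException (filter status: REJECTED) without ever running Gadget’s code. On JDK 8 the same filter API is available from update 121 under the sun.misc package, and the filter can also be set process-wide with the jdk.serialFilter system property.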
How was the vulnerability resolved?
ForgeRock resolved the vulnerability in AM 7.0 by removing the ‘/ccversion’ endpoint entirely, together with other legacy endpoints that were no longer needed. The researcher also found that OpenAM running on Java 9 or newer was not exploitable with his gadget chain, because the JDK classes that chain depends on were removed in Java 9. Treat the Java version as a mitigation rather than a fix: the endpoint still deserializes untrusted input, and a different gadget chain could work on a newer JDK. Upgrading, or removing or blocking the legacy endpoint, is the real remedy.
What are the potential impacts?
An attacker who exploits this endpoint gains code execution on the OpenAM server itself, and because OpenAM is the identity provider that downstream applications trust, that foothold can be used to reach those applications and the user sessions they rely on. In OpenAM deployments where accounts are created on the fly, the attack surface is larger still.
Do you need additional help?
If you aren’t sure how to protect your organization or you have additional questions about the attack, don’t hesitate to reach out to our engineers.
Contact us today to get started!