ForgeRock AM / OpenAM Deserialization RCE (CVE-2021-35464) - Vulnerability Database

Description

Unpatched versions of ForgeRock Access Management (AM) and OpenAM are vulnerable to insecure deserialization in the Jato framework, a component used internally for request handling. An unauthenticated attacker can send crafted serialized Java objects to the application, which deserializes them without validating their contents. Successful exploitation results in arbitrary code execution with the privileges of the application server.

Remediation

Take the following steps to remediate this vulnerability:

1. Immediate Action:
• Upgrade ForgeRock AM to version 7.0.0 or later, or apply the security patches provided in the ForgeRock Security Advisory for your specific version
• For OpenAM users, migrate to ForgeRock AM or apply available community patches if still supported

2. Verification:
• After patching, verify the fix by testing that serialized object inputs are properly validated or rejected
• Review application logs for any suspicious deserialization attempts or unusual DNS queries that may indicate prior exploitation

3. Additional Hardening:
• Implement network segmentation to restrict access to the AM/OpenAM server to only trusted networks
• Deploy a Web Application Firewall (WAF) with rules to detect and block Java deserialization attack patterns
• Monitor for outbound connections to unexpected domains as an indicator of compromise

Refer to the ForgeRock Security Advisory (https://backstage.forgerock.com/knowledge/kb/article/a47894244) for version-specific patch information and detailed upgrade instructions.
