
ForgeRock OpenAM Deserialization RCE (CVE-2021-29156)

Description

ForgeRock OpenAM versions prior to the patched release contain an LDAP injection vulnerability in the Webfinger protocol implementation. This flaw allows unauthenticated attackers to inject malicious LDAP queries through specially crafted requests. Successful exploitation enables attackers to extract sensitive data character-by-character, including password hashes, active session tokens, and private cryptographic keys stored in the LDAP directory.

Remediation

Immediately upgrade ForgeRock OpenAM to version 13.5.1, 14.6.4, or later, which contain patches for CVE-2021-29156. If immediate patching is not feasible, implement the following interim mitigations:

1. Deploy a Web Application Firewall (WAF) with rules to detect and block LDAP injection patterns in Webfinger requests, in particular filtering LDAP filter metacharacters such as *, (, ), \, and null bytes in user-supplied input.
2. Restrict network access to the OpenAM Webfinger endpoint to trusted IP addresses only, or disable the Webfinger protocol entirely if your deployment does not require it.
3. Monitor LDAP query logs for patterns that indicate injection attempts, such as unusual filter syntax or an excessive volume of character-by-character queries.
4. After patching, rotate all potentially compromised credentials, session tokens, and cryptographic keys as a precaution.
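The monitoring step above can be approximated at the web tier before LDAP logs are even consulted. The following is an added example, not Invicti's or ForgeRock's code: it parses constructed combined-format access log lines, flags Webfinger requests whose parameters carry the LDAP filter metacharacters listed in the remediation (including double-encoded forms), and raises a burst alert when one source sends many such probes, the shape a character-by-character extraction takes. It assumes OpenAM serves Webfinger under the standard RFC 7033 path /.well-known/webfinger and that a combined-style access log is available.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# LDAP filter metacharacters named in the remediation: *, (, ), backslash, NUL.
LDAP_META = re.compile(r"[*()\\\x00]")
# Assumption: Webfinger is exposed at the standard RFC 7033 path.
WEBFINGER_PATH = "/.well-known/webfinger"

# Minimal parser for an Apache/Nginx combined-style access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_params(target):
    """Return (param, value) pairs on the Webfinger endpoint that contain LDAP metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith(WEBFINGER_PATH):
        return []
    hits = []
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            v = unquote(v)  # second decode catches double-encoded %252A etc.
            if LDAP_META.search(v):
                hits.append((key, v))
    return hits

def analyze(lines, burst_threshold=5):
    """Emit ldap_meta alerts per hit and a burst alert per source exceeding the threshold."""
    alerts, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for key, v in suspicious_params(rec["target"]):
            per_ip[rec["ip"]] += 1
            alerts.append(("ldap_meta", rec["ip"], key, v))
    alerts += [("burst", ip, n) for ip, n in per_ip.items() if n >= burst_threshold]
    return alerts

# Constructed sample: one legitimate lookup, then five metacharacter probes from one source.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /openam/.well-known/webfinger?resource=acct%3Aalice%40example.com HTTP/1.1" 200 512',
] + [
    f'198.51.100.7 - - [01/Jan/2024:10:00:0{i} +0000] "GET /openam/.well-known/webfinger?resource=acct%3A{c}%2A HTTP/1.1" 200 512'
    for i, c in enumerate("abcde", start=1)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```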
