Critical RCE Vulnerability in ForgeRock OpenAM Under Active Attack
#1
Information 
Quote:Attackers are actively exploiting a critical, pre-authorization remote-code execution (RCE) vulnerability in the popular Access Management platform from digital identity management firm ForgeRock.
 
Access Management, a commercial access-management platform, is based on the OpenAM open-source access-management platform for web applications. The platform front-ends web apps and remote-access setups in many enterprises.
 
On Monday morning, the Cybersecurity and Infrastructure Security Agency (CISA) warned that the vulnerability could enable attackers to execute commands in the context of the current user. The flaw can be found in Access Management versions below 7.0 running on Java 8. That means 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3, as well as older, unsupported versions are all sitting ducks.
 
Also on Monday, ForgeRock said in an updated security advisory that the flaw doesn’t affect Access Management 7 and above. It only impacts a subset of ForgeRock customers who are using older versions of the company’s Access Management product.
 
An exploit for the critical vulnerability at the heart of the matter – CVE-2021-35464 – was first reported by Michael Stepankin, a researcher for the cybersecurity firm PortSwigger, on June 29. In his report, Stepankin explained that he created a new Ysoserial deserialization gadget chain specifically for the exploit.

Read more: Critical RCE Vulnerability in ForgeRock OpenAM Under Active Attack | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:





[-]
Recent Posts
GFYI [Official] Ashampoo New Year 2025 G...
  We at Geeks Fo...jasonX — 11:22
GFYI [Official] FastestVPN New Year 2025...
  We at Geeks Fo...jasonX — 11:09
GFYI [Official] Revo Uninstaller Pro v5...
GIVEAWAY HAS ENDED. ...jasonX — 10:52
GFYI [Official] EaseUS Christmas 2024 B...
GIVEAWAY HAS ENDED. ...jasonX — 10:51
GFYI [Official] EaseUS Christmas 2024 B...
GIVEAWAY HAS ENDED. ...jasonX — 10:51

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (49)theoldevext
avatar (44)algratCep
avatar (49)Qlaude2Sap
avatar (43)tabthinLem
avatar (50)Josepharelf
avatar (39)kholukrefar
avatar (48)Lauraimike
avatar (50)WilsonWag
avatar (48)StevenPiole
avatar (39)zetssToomy
avatar (46)GornOr
avatar (49)Jamesmog
avatar (37)opeqyrav
avatar (38)theatidere
avatar (47)denisEquivok
avatar (35)mikebrian01
avatar (37)ivanoFloom
avatar (40)uxegihor

[-]
Online Staff
There are no staff members currently online.

>