CVE-2021-35464 — ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability

ForgeRock Access Management — Pre-Authentication Java Deserialization RCE via /ccversion/ Endpoints, Exploited in Ransomware and Espionage Campaigns

What is ForgeRock Access Management?

ForgeRock Access Management (AM) is an enterprise identity and access management (IAM) platform deployed by large organizations — including financial institutions, healthcare providers, telecoms, and government agencies — to provide single sign-on (SSO), multi-factor authentication, and federation services. ForgeRock AM acts as the authentication gateway for all protected applications in an organization; compromising it grants the ability to forge authentication tokens for any user in the system, impersonate administrators, and gain access to all SSO-protected applications. ForgeRock AM is a successor/fork of OpenAM (originally from Sun Microsystems/Oracle).

Overview

CVE-2021-35464 is a pre-authentication Java deserialization remote code execution vulnerability (CWE-502) in ForgeRock Access Management Core Server. Three specific endpoints — /ccversion/Version, /ccversion/Masthead, and /ccversion/ButtonFrame — accept serialized Java objects without authentication and deserialize them without adequate type validation. An attacker can send a crafted serialized Java object (using ysoserial-style gadget chains) to any of these endpoints and achieve code execution on the ForgeRock AM server. This was exploited by ransomware operators and suspected nation-state actors.

Affected Versions

Product               Vulnerable   Fix
ForgeRock AM 6.x      Yes          Patch available
ForgeRock AM 6.5.x    Yes          6.5.5 patch
ForgeRock AM 7.0.x    Yes          7.0.2 patch
ForgeRock AM 7.1+     No           N/A (not affected)

Technical Details

The three vulnerable endpoints in ForgeRock AM handle browser-compatibility and version detection functions that predate the current authentication architecture. They were designed to be publicly accessible (no login required) but still process Java object input:

  • Root cause: Insecure deserialization (CWE-502) — the endpoints deserialize incoming data using Java's ObjectInputStream without restricting allowed types
  • Vulnerable endpoints: /ccversion/Version, /ccversion/Masthead, /ccversion/ButtonFrame
  • Exploitation: Attacker crafts a serialized Java object using a gadget chain (e.g., Commons Collections, Commons BeanUtils) that triggers OS command execution during deserialization
  • Authentication required: None — the endpoints are publicly accessible
  • Execution context: Code executes as the ForgeRock AM application server process — often a highly privileged account managing enterprise authentication

Discovery

Discovered by security researcher Shubham Shah and others examining legacy ForgeRock AM endpoint security. The endpoints inherited vulnerable deserialization patterns from the OpenSSO/OpenAM codebase.

Exploitation Context

Confirmed exploitation by ransomware operators and nation-state actors. ForgeRock AM is deployed primarily in high-value enterprise environments — financial institutions, government agencies, healthcare organizations — making it a priority target. Compromising the authentication gateway enables silent access to all SSO-protected applications without triggering user authentication alerts.

Remediation

  1. Upgrade ForgeRock AM to version 7.1 or later, or apply the available patches for 6.5.x and 7.0.x
  2. If immediate patching is not possible, apply the ForgeRock-provided workaround: restrict access to the /ccversion/ URL path via web server or WAF rules
  3. Review ForgeRock AM access logs for POST requests to /ccversion/ endpoints from unexpected sources
  4. Audit all SSO-protected applications for unauthorized access that may have occurred during the exploitation window
  5. Rotate ForgeRock AM administrative credentials and review federation trust relationships
  6. Consider deploying a WAF that blocks Java deserialization attack patterns (request bodies beginning with the 0xACED0005 Java serialization stream header, typically Base64-encoded) against all application server endpoints
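As an added example, not part of the original advisory and not ForgeRock's own code, the following Python script covers remediation steps 3 and 6: it recognises the Java serialization stream header that the Technical Details describe (raw 0xACED0005, its Base64 form rO0AB, or either one inside a URL- or form-encoded body) and flags POST requests to /ccversion/ endpoints in access logs that did not come from an allow-listed source. The log lines and the trusted address 10.0.0.5 are constructed, and the Apache/Tomcat combined log format is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Java serialization stream header (STREAM_MAGIC 0xACED, STREAM_VERSION 5) and its Base64 prefix.
JAVA_MAGIC = b"\xac\xed\x00\x05"
JAVA_MAGIC_B64 = b"rO0AB"

def is_java_serialized(body: bytes) -> bool:
    """True if a request body carries a Java serialization header: raw, Base64,
    URL-encoded, or as the value of a form field (e.g. data=rO0AB...)."""
    decoded = unquote_to_bytes(body)
    candidates = [body, decoded] + [p.split(b"=", 1)[-1] for p in decoded.split(b"&")]
    return any(c.lstrip().startswith((JAVA_MAGIC, JAVA_MAGIC_B64)) for c in candidates)

# Apache/Tomcat "combined" access log format (assumption: AM is fronted by such a server).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def scan_access_log(lines, trusted_sources=()):
    """Remediation step 3: return (ip, timestamp, path, status) for every POST to a
    /ccversion/ endpoint that did not come from an address on the allow-list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # drop any query string before matching
        if m.group("method") == "POST" and path.startswith("/ccversion/") \
                and m.group("ip") not in trusted_sources:
            hits.append((m.group("ip"), m.group("ts"), path, m.group("status")))
    return hits

# Constructed sample log lines (not real traffic); 10.0.0.5 stands in for a trusted scanner.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Aug/2021:03:12:45 +0000] "POST /ccversion/Version HTTP/1.1" 200 512 "-" "python-requests/2.25"',
    '10.0.0.5 - - [14/Aug/2021:03:13:01 +0000] "POST /ccversion/Version HTTP/1.1" 200 1204 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Aug/2021:03:14:20 +0000] "POST /ccversion/Masthead?x=1 HTTP/1.1" 500 0 "-" "curl/7.68.0"',
    '192.0.2.4 - - [14/Aug/2021:03:15:00 +0000] "GET /ccversion/ButtonFrame HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [14/Aug/2021:03:15:30 +0000] "POST /json/authenticate HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG, trusted_sources={"10.0.0.5"}):
        print("suspicious /ccversion/ POST:", hit)
    print(is_java_serialized(b"object=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA"))
```

A WAF or reverse proxy that exposes the request body can apply is_java_serialized to any endpoint, while scan_access_log works on ordinary access logs, which usually do not record bodies.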

Key Details

CVE ID:               CVE-2021-35464
Vendor / Product:     ForgeRock — Access Management (AM)
NVD Published:        2021-07-22
NVD Last Modified:    2025-11-05
CVSS 3.1 Score:       9.8
CVSS 3.1 Vector:      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity:             CRITICAL
CWE:                  CWE-502 (Deserialization of Untrusted Data)
CISA KEV Added:       2021-11-03
CISA KEV Deadline:    2021-11-17
Known Ransomware Use: Yes

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2021-06-28   ForgeRock releases AM 7.1.0 and patches for earlier versions
2021-07-22   CVE published
2021-08      Public proof-of-concept published; mass exploitation begins
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline

References

Resource                              Type
ForgeRock Advisory — CVE-2021-35464   Vendor Advisory
NVD — CVE-2021-35464                  Vulnerability Database
CISA KEV Catalog Entry                US Government