OpenIdentityPlatform OpenAM
cpe:2.3:a:openidentityplatform:openam:*:*:*:*:*:*:*
- <= 16.0.5
A pre-authentication remote code execution vulnerability has been identified in OpenIdentityPlatform OpenAM versions prior to 16.0.6. The issue arises from unsafe deserialization of the 'jato.clientSession' HTTP parameter, which bypasses a mitigation applied to the 'jato.pageSession' parameter in response to a previous vulnerability (CVE-2021-35464). An unauthenticated attacker can exploit this flaw by sending a crafted serialized Java object as the 'jato.clientSession' parameter to any JATO ViewBean endpoint that includes '<jato:form>' tags, such as the Password Reset pages. This exploitation allows for arbitrary command execution on the server.
Successful exploitation yields pre-authentication remote code execution: the attacker runs arbitrary OS commands with the privileges of the application-server process (for example the Tomcat service account), which can lead to full server compromise, lateral movement and data exfiltration.
To reproduce this vulnerability, send a crafted serialized Java object as the 'jato.clientSession' parameter to a JATO ViewBean endpoint that renders '<jato:form>' tags. The vulnerability can be tested on OpenIdentityPlatform OpenAM versions through 16.0.5, using the official release WAR on Apache Tomcat, or via the 'openidentityplatform/openam:latest' Docker image. Note that the ':latest' tag tracks the newest release, so once a fixed build is published it will no longer be affected; pin a specific affected version tag when building a test environment.
Users are advised to update to OpenIdentityPlatform OpenAM version 16.0.6 or later. Where an immediate upgrade is not possible, apply the same 'WhitelistObjectInputStream' allowlist filtering to 'ClientSession.deserializeAttributes()' that already protects 'ConsoleViewBeanBase.deserializePageAttributes()'. Audit every call to 'Encoder.deserialize()' that can receive user-controlled input, and add a JVM-wide JEP 290 deserialization filter ('jdk.serialFilter') as an additional layer of defense: a process-wide allowlist catches any further deserialization sink that the per-call-site fix misses.
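The following is an added example of the JEP 290 layer recommended above; it is not OpenAM project code. It builds an 'ObjectInputFilter' allowlist, applies it per stream, and shows the filter rejecting a class outside the allowlist. The class names in the pattern ('com.iplanet.jato.**', 'java.util.HashMap', 'java.lang.*') are assumptions for illustration; an operator must derive the real set from what 'ClientSession.deserializeAttributes()' actually reads. The demo uses plain JDK collections for both the allowed and the rejected case, so it runs without OpenAM on the classpath (Java 9 or later).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/**
 * Added example (not OpenAM code): a JEP 290 ObjectInputFilter allowlist for
 * untrusted serialized blobs such as the 'jato.clientSession' parameter.
 */
public class JatoSessionFilterDemo {

    // Allowlist pattern (ASSUMED class set, for illustration only):
    //  - maxdepth/maxrefs bound object-graph nesting, which limits gadget
    //    chains even when they consist of otherwise-allowed classes;
    //  - "com.iplanet.jato.**" allows the JATO package and subpackages;
    //  - java.util.HashMap and java.lang.* cover a simple attribute map;
    //  - the trailing "!*" rejects every class not matched above it.
    static final String FILTER_PATTERN =
        "maxdepth=10;maxrefs=100;"
      + "com.iplanet.jato.**;java.util.HashMap;java.lang.*;!*";

    static final ObjectInputFilter FILTER =
        ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    /** Deserialize untrusted bytes with the allowlist applied to this stream only. */
    static Object deserializeFiltered(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // A class the filter rejects makes readObject() throw InvalidClassException
            // before any of that class's deserialization callbacks run.
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    /** Helper to produce sample input; stands in for whatever a client would send. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Allowed: a HashMap of Strings, the shape a benign attribute map might take.
        HashMap<String, String> attrs = new HashMap<>();
        attrs.put("userId", "alice");
        System.out.println("allowed: " + deserializeFiltered(serialize(attrs)));

        // Rejected: ArrayList is harmless, but it is outside the allowlist and so
        // stands in for the entry class of a real gadget chain.
        try {
            deserializeFiltered(serialize(new ArrayList<>(List.of("x"))));
            System.out.println("UNEXPECTED: non-allowlisted class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern can be applied process-wide without touching application code by starting the JVM with '-Djdk.serialFilter=<pattern>' (or via the 'jdk.serialFilter' property in the JDK's 'security' configuration), which is the JVM-wide layer the advisory recommends. The per-stream form shown here is what a targeted fix at 'ClientSession.deserializeAttributes()' would look like; a pattern that is too narrow breaks legitimate sessions, so enumerate the classes the real blob contains before deploying either form.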