This article has been archived and is no longer maintained by ForgeRock.
The status of ForgeRock products and this vulnerability is as follows:
If you use remote JMX monitoring, your deployment is vulnerable regardless of which ForgeRock product you use: this monitoring facility uses Java serialization, and one of the exploitable classes (com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl) ships with the JDK itself.
The security fix that prevents potential exploitation of serialized objects introduced a new openam.deserialisation.classes.whitelist property, which lists the classes OpenAM is permitted to instantiate when it deserializes objects. There are known issues with this property: several classes were initially omitted from its default value.
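The allowlisting idea behind that property, shown as an added Java example that is not ForgeRock's or OpenAM's own code: an ObjectInputStream that refuses any class descriptor whose name is not on the list, so the refused class is never loaded and its readObject never runs. The Ping type and the list contents are assumptions constructed for the demonstration.

```java
import java.io.*;
import java.util.*;

// Added example, not ForgeRock's code: an ObjectInputStream that resolves only classes
// named in an allowlist, the idea behind OpenAM's openam.deserialisation.classes.whitelist
// property. The Ping type and the list contents are constructed for illustration.
public class AllowlistDeserializer {
    /** A harmless payload type that we choose to allow. */
    static final class Ping implements Serializable {
        final String msg;
        Ping(String msg) { this.msg = msg; }
    }
    /** Rejects any class descriptor whose name is not on the allowlist. */
    static final class FilteringObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        FilteringObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in); this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                // Fail before the class is loaded, so no readObject or gadget code ever runs.
                throw new InvalidClassException(desc.getName(), "not in deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }
    /** Parses a comma-separated allowlist such as the value of a system property. */
    static Set<String> parseAllowlist(String csv) {
        Set<String> set = new HashSet<>();
        for (String s : csv.split(",")) if (!s.trim().isEmpty()) set.add(s.trim());
        return set;
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        Set<String> allowed = parseAllowlist(Ping.class.getName() + ",java.lang.String");
        byte[] ok = serialize(new Ping("hello"));
        byte[] bad = serialize(new ArrayList<>(Arrays.asList("x"))); // ArrayList is not allowlisted
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(ok), allowed)) {
            System.out.println("accepted: " + ((Ping) in.readObject()).msg);
        }
        try (ObjectInputStream in = new FilteringObjectInputStream(new ByteArrayInputStream(bad), allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the JDK provides the same control built in through ObjectInputFilter (JEP 290), configurable process-wide with the jdk.serialFilter system property; a list that omits a class the application genuinely needs, as happened with the default OpenAM whitelist, surfaces as an InvalidClassException rather than a silent failure, which is the symptom to look for when reinstating classes.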
Refer to the following articles for further information on the classes omitted from the default whitelist and for details on how to reinstate them: