Apache Commons Collections vulnerability and ForgeRock products
The purpose of this article is to provide information on whether ForgeRock products (OpenAM, OpenDJ, OpenIDM and OpenIG) are vulnerable to the Apache™ Commons Collections issue and how to mitigate this vulnerability where applicable. The Commons Collections issue refers to Java® Object Serialization and the potential remote code execution vulnerability that can be reached through commons-collections-3.2.1.jar, specifically the org/apache/commons/collections/functors/InvokerTransformer.class contained in that jar file.
Archived
This article has been archived and is no longer maintained by ForgeRock.
ForgeRock products
The status of ForgeRock products and this vulnerability is as follows:
| Product | Vulnerable | Details |
|---|---|---|
| OpenAM | Yes | |
| OpenDJ | No | N/A |
| OpenIDM | No | |
| OpenIG | No | N/A |
Note
If you utilize remote JMX monitoring, your deployment would be vulnerable regardless of which ForgeRock product you use; this monitoring facility uses Java serialization, and one of the exploitable classes (com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl) is available in the JDK itself.
OpenAM
The security fix to prevent potential exploitation of serialized objects introduced a new openam.deserialisation.classes.whitelist property that lists the classes OpenAM will accept when it performs object deserialization; any class not on the list is rejected. There are some known issues with this property, as several classes that OpenAM needs were initially missing from the default value.
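The following is an added illustration of the allow-list mechanism the property describes; it is not ForgeRock code and does not reproduce the format or default contents of openam.deserialisation.classes.whitelist. The class name AllowlistObjectInputStream, the assumed comma-separated property format handled by fromPropertyValue, and the sample HashMap payload are all constructed for this example. The idea is the standard one: override ObjectInputStream.resolveClass so that a class descriptor not on the list is refused before the class is loaded or any of its deserialization hooks can run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/**
 * ObjectInputStream that only resolves classes present on an allow-list.
 * Hypothetical example class; OpenAM's own WhitelistObjectInputStream is not reproduced here.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    /**
     * Builds the allow-list from a comma-separated property value
     * (assumed format for this example, not the documented OpenAM format).
     */
    public static Set<String> fromPropertyValue(String csv) {
        Set<String> names = new HashSet<>();
        for (String entry : csv.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                names.add(trimmed);
            }
        }
        return names;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Refuse before the class is loaded; nothing of the attacker-chosen
            // type is ever instantiated. A real deployment would log this event.
            throw new InvalidClassException(name, "class is not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload: a benign HashMap serialized locally.
        HashMap<String, String> map = new HashMap<>();
        map.put("user", "demo");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(map);
        }
        byte[] payload = bos.toByteArray();

        // Allow-list that covers the payload: deserialization succeeds.
        Set<String> allow = fromPropertyValue("java.util.HashMap");
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(payload), allow)) {
            System.out.println("accepted: " + in.readObject());
        }

        // Allow-list that does not cover the payload: the stream is rejected at
        // the class descriptor, before HashMap.readObject runs.
        Set<String> tooNarrow = fromPropertyValue("java.util.ArrayList");
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(payload), tooNarrow)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second case is also the shape of the known issue described above: when a class the application legitimately needs is missing from the list, the rejection is correct from the stream's point of view but breaks a feature, which is why the missing classes have to be reinstated rather than the check loosened.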
Refer to the following articles for further information on these classes and details on how to reinstate them:
- Configuration servers are not listed under Directory Configuration in OpenAM console 11.0.3, 12.0.1 or 12.0.2
- WARNING: WhitelistObjectInputStream.resolveClass message in logs for OpenAM 11.0.3, 12.0.1 and 12.0.2
See Also
COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer
Apache Commons statement to widespread Java object de-serialisation vulnerability
Related Training
N/A
Related Issue Tracker IDs
N/A