Apache Commons Collections vulnerability and ForgeRock products

Last updated Feb 2, 2022

The purpose of this article is to provide information on whether ForgeRock products (OpenAM, OpenDJ, OpenIDM and OpenIG) are vulnerable to the Apache™ Commons Collections issue and how to mitigate this vulnerability where applicable. The Commons Collections issue refers to Java® Object Serialization and the potential remote code execution vulnerability using the commons-collections-3.2.1.jar; specifically the org/apache/commons/collections/functors/InvokerTransformer.class within this jar file.

1 reader recommends this article

This article has been archived and is no longer maintained by ForgeRock.

ForgeRock products

The status of ForgeRock products and this vulnerability is as follows:

Product Vulnerable Details
OpenAM Yes
  • OpenAM 12.0.1 and later versions are not affected by this vulnerability.
  • OpenAM 12.0.0 and earlier versions are affected by this vulnerability. An OpenAM Security Advisory #201505 was released in July 2015, which fixes this vulnerability. It is strongly recommended that you either upgrade to the latest version of OpenAM or install the latest security advisory patch by downloading it from BackStage. All patches from previous security advisories are also included in the latest patches for currently supported versions. See OpenAM section below for further information.
OpenDJ No N/A
OpenIDM No
  • OpenIDM 3.1.0 includes the Apache Commons Collections v3.2.1 library as a dependency to the Scripted Groovy connector samples (scriptedcrest2dj and scriptedrest2dj) and this is required by the HTTPBuilder library in use within the sample groovy CustomizerScript. The OOTB scripts do not perform or rely upon deserialization of Java Objects and therefore do not expose a vulnerability. If you use the Scripted Groovy connector samples as a basis for your own projects, you should ensure you do not introduce code which would expose a vulnerability.
  • You can remove the Apache Commons Collections library from your production environment, if required, by removing any dependencies within the Groovy Connector scripts and then deleting the commons-collections-3.2.1.jar (located in the /path/to/openidm/lib directory).
OpenIG No N/A

If you utilize remote JMX monitoring, your deployment would be vulnerable regardless of which ForgeRock product you use; this monitoring facility uses Java serialization and one of the exploitable classes ( trax.TemplatesImpl) is available in the JDK.


The security fix to prevent potential exploitation of serialized objects resulted in a new openam.deserialisation.classes.whitelist property that lists valid classes when OpenAM performs object deserialization. There are some known issues with this property where several classes were initially missed from the default settings.

Refer to the following articles for further information on these classes and details on how to reinstate them:

See Also

Configuration servers are not listed under Directory Configuration in OpenAM console 11.0.3, 12.0.1 or 12.0.2

WARNING: WhitelistObjectInputStream.resolveClass message in logs for OpenAM 11.0.3, 12.0.1 and 12.0.2

COLLECTIONS-580 - Arbitrary remote code execution with InvokerTransformer

Apache Commons statement to widespread Java object de-serialisation vulnerability

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.