CVE-2021-35464: ForgeRock AM remote code execution vulnerability

ForgeRock AM is an open-source access management and permission control platform that is widely used in universities and social organizations.
On June 30, 2021, PortSwigger released a vulnerability analysis report on a ForgeRock AM remote code execution vulnerability, assigned CVE-2021-35464. An unauthenticated attacker can execute arbitrary code remotely by constructing a special request and take over the server running ForgeRock AM. Because ForgeRock AM itself provides permission management, an attacker who controls the ForgeRock AM server can directly access other sensitive services and carry out further attacks.
This vulnerability requires no authentication and no user interaction, and the attack complexity is low. At the same time, because ForgeRock AM is a key identity authentication service, a successful attack has very serious consequences and the risk is extreme.

Affected version

  • ForgeRock AM 6.0.0.x and all 6.5 releases up to and including 6.5.3
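An inventory check for the affected ranges listed above, added here as an example (it is not code from PortSwigger, ForgeRock or the original advisory): it parses free-text version strings and reports which hosts fall inside 6.0.0.x or 6.5.0 through 6.5.3. The host names and version lines are constructed sample data, and treating a 6.5.3.x patch build as 6.5.3 is a deliberately conservative assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges exactly as the advisory states them: 6.0.0.x, and every
# 6.5 release up to and including 6.5.3. A 6.5.3.x patch build is treated
# as 6.5.3 (conservative assumption: flag it until confirmed fixed).
AFFECTED_6_0_PREFIX = (6, 0, 0)
AFFECTED_6_5_MINOR = (6, 5)
AFFECTED_6_5_MAX = (6, 5, 3)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version ('6.5.2.3') from free text as an int tuple."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(version_text: str) -> str:
    """Return 'affected', 'not_listed' or 'unknown' for one version string.

    'not_listed' means the version is outside the ranges this advisory names;
    it is not a statement that the build is safe.
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v[:3] == AFFECTED_6_0_PREFIX:
        return "affected"                       # 6.0.0.x
    if v[:2] == AFFECTED_6_5_MINOR and v[:3] <= AFFECTED_6_5_MAX:
        return "affected"                       # 6.5.0 .. 6.5.3 (incl. 6.5.3.x)
    return "not_listed"


def scan_inventory(lines: List[str]) -> Dict[str, str]:
    """Map each 'host  product version' line to its classification."""
    result: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                            # skip blanks and comments
        host, _, rest = line.partition(" ")
        result[host] = classify(rest)
    return result


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    "sso-prod-1  ForgeRock AM 6.5.2.3",
    "sso-prod-2  ForgeRock AM 6.0.0.7",
    "sso-lab-1   ForgeRock AM 6.5.3",
    "sso-dev-1   ForgeRock AM 7.1.0",
    "sso-old-1   ForgeRock AM 6.5.4",
    "sso-misc    version not recorded",
]

if __name__ == "__main__":
    for host, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Hosts reported as "unknown" need their version confirmed by hand before they are dropped from the upgrade list; the check only trusts the ranges the advisory spells out.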

Solution

We recommend that users upgrade ForgeRock AM to the latest version promptly.