
[CRITICAL] Security Advisory: OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM (org.openidentityplatform.openam:openam)

OpenIdentityPlatform OpenAM 16.0.5 exposes servers to pre-authentication remote code execution.

The flaw requires no credentials. An attacker sends a crafted serialized Java object in the jato.clientSession HTTP parameter to an endpoint such as the password reset page; the server deserializes it with no restrictions, and the attacker ends up running arbitrary commands in the context of the OpenAM process.

This vulnerability slips past the fix for CVE-2021-35464. That CVE covered the jato.pageSession parameter, and the fix wrapped it in a WhitelistObjectInputStream that limits deserialization to roughly 40 approved classes. The fix did not cover jato.clientSession, which is handled by ClientSession.deserializeAttributes() and still goes through the unfiltered Encoder.deserialize() chain straight to ObjectInputStream.readObject().

Any unauthenticated user can reach it. The targets are JATO ViewBean endpoints, that is, JSPs containing a <jato:useViewBean> tag; the password reset flow is one example. The request context reads the raw jato.clientSession value, and during JSP rendering the chain getClientSession() → hasAttributes() → deserializeAttributes() deserializes it, at which point the server executes the attacker's code.

Vulnerability Mechanics

The core issue is in com/iplanet/jato/ClientSession.java. The constructor reads the parameter straight from the request:

protected ClientSession(RequestContext context) {
    // Attacker-controlled: taken directly from the request, no validation
    this.encodedSessionString = context.getRequest().getParameter("jato.clientSession");
}

Deserialization kicks in here:

protected void deserializeAttributes() {
    if (this.encodedSessionString != null && this.encodedSessionString.trim().length() > 0) {
        // Encoder.deserialize() ends in ObjectInputStream.readObject() with no class filter
        this.setAttributes(
            (Map) Encoder.deserialize(
                Encoder.decodeHttp64(this.encodedSessionString),
                false
            )
        );
    }
}

No whitelist is applied. Attackers can build their payload from gadgets in OpenAM's own JARs; no external libraries are needed.

Exploit Gadget Chain

The chain starts with the JDK's PriorityQueue.readObject(), which calls heapify() → siftDown() → comparator.compare(). The comparator is OpenAM's Column$ColumnComparator.compare() in openam-core-16.0.5.jar, and from there the path is Column.getProperty() → PropertyUtils.getObjectPropertyValue() → Method.invoke(TemplatesImpl, "getOutputProperties").

TemplatesImpl from xalan-2.7.3.jar does the heavy lifting: getOutputProperties() → newTransformer() → defineTransletClasses() loads the attacker's bytecode via TransletClassLoader.defineClass(). The final step is the constructor of the attacker-supplied translet class (EvilTranslet in the proof of concept), which runs Runtime.getRuntime().exec(cmd). That is full RCE using bundled classes only.

Tested on 16.0.5; earlier versions likely vulnerable too, given unchanged JATO framework code. OpenIdentityPlatform is the community fork of ForgeRock’s discontinued OpenAM. Many enterprises still run it for SSO, federation, and identity management—often internet-facing.

Why This Matters and What to Do

Compromised OpenAM means attackers control authentication for your entire stack. They impersonate admins, dump user data, pivot to internal systems. A single exposed instance hands over session tokens, API keys, and more. Shodan shows thousands of OpenAM servers online; version scanning confirms 16.x deployments.

No CVE has been assigned yet, but patch immediately. Upgrade to a fixed OpenAM release if one is available; check the OpenIdentityPlatform repositories for updates. As an interim measure, block the jato.clientSession parameter at the reverse proxy or firewall on unauthenticated paths. Audit your JSPs for <jato:useViewBean> to enumerate the endpoints that can trigger the deserialization. Scan your network for exposed instances and put authentication servers behind a reverse proxy with WAF rules for that parameter. One caveat on the WAF rule: matching on "a base64 blob" is weak, since any legitimate value is also base64; decode the value and reject anything that starts with the Java serialization magic bytes (AC ED 00 05), or that is not a serialization stream of the expected shape at all.
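As an added example, not code from the advisory or the OpenAM project, the following Python shows the request-side policy a reverse proxy or WAF could apply. It implements the two interim controls above: reject jato.clientSession outright on unauthenticated paths, and, for requests that are allowed to carry it, decode the value and refuse any Java serialization stream whose class descriptors are not on an allowlist, which is the same idea as the WhitelistObjectInputStream that already guards jato.pageSession. Assumptions, none of which come from the page: JATO's Http64 encoding is treated as standard or URL-safe base64 (the real Encoder.decodeHttp64() may differ, so a deployment should reuse OpenAM's decoder), the class allowlist is illustrative rather than OpenAM's own list, the request paths are hypothetical, the sample streams are constructed by hand, and the class-name scan is a heuristic over TC_CLASSDESC tags rather than a full parser of the Java serialization grammar.

```python
"""Proxy-side policy for the jato.clientSession parameter (added example,
not OpenAM code). Assumptions: Http64 == base64, illustrative allowlist,
heuristic TC_CLASSDESC scan, hand-built sample streams."""
import base64
import binascii
import re
import struct
from typing import Iterator, Optional

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream header
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_PROXYCLASSDESC = 0x7D

# Illustrative allowlist (assumption): enough for a Map of simple attributes.
ALLOWED_CLASSES = frozenset({
    "java.util.HashMap", "java.util.LinkedHashMap", "java.lang.String",
    "java.lang.Integer", "java.lang.Long", "java.lang.Boolean",
})

# Binary class name or array descriptor, e.g. java.util.HashMap, [Ljava.lang.String;
_CLASS_NAME_RE = re.compile(
    r"\[*(?:[BCDFIJSZ]|L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?)"
)


def decode_http64(value: str) -> Optional[bytes]:
    """Decode as base64, standard alphabet first, then URL-safe (assumed Http64)."""
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def iter_class_names(stream: bytes) -> Iterator[str]:
    """Heuristically yield class names from TC_CLASSDESC records.

    A TC_PROXYCLASSDESC directly after TC_OBJECT is reported as a proxy so the
    caller can refuse it (dynamic proxies are a classic gadget entry point).
    """
    i = len(JAVA_STREAM_MAGIC)
    while i < len(stream):
        tag = stream[i]
        if tag == TC_PROXYCLASSDESC and stream[i - 1] == TC_OBJECT:
            yield "<dynamic proxy>"
        elif tag == TC_CLASSDESC and i + 3 <= len(stream):
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])  # writeUTF length
            raw = stream[i + 3:i + 3 + length]
            name = raw.decode("ascii", errors="replace")
            if length and len(raw) == length and _CLASS_NAME_RE.fullmatch(name):
                yield name
                i += 3 + length
                continue
        i += 1


def _element_class(name: str) -> str:
    """Map array descriptors such as [Ljava.lang.String; to the element class."""
    if name.startswith("["):
        name = name.lstrip("[")
        if name.startswith("L") and name.endswith(";"):
            name = name[1:-1]
    return name


def classify_payload(raw: bytes) -> tuple:
    """Return ("allow" | "block", reason) for a decoded jato.clientSession value."""
    if not raw.startswith(JAVA_STREAM_MAGIC):
        return "block", "jato.clientSession is not a Java serialization stream"
    bad = sorted({n for n in iter_class_names(raw)
                  if _element_class(n) not in ALLOWED_CLASSES})
    if bad:
        return "block", "disallowed classes in jato.clientSession: " + ", ".join(bad)
    return "allow", "serialized attribute map uses only allowlisted classes"


def check_request(path: str, params: dict, authenticated: bool) -> tuple:
    """Policy for one request: hard block for unauthenticated callers (the
    advisory's interim fix), allowlist as defence in depth for the rest."""
    value = params.get("jato.clientSession")
    if value is None:
        return "allow", "no jato.clientSession parameter"
    if not authenticated:
        return "block", "jato.clientSession rejected on unauthenticated path " + path
    raw = decode_http64(value)
    if raw is None:
        return "block", "jato.clientSession is not valid base64"
    return classify_payload(raw)


# Constructed sample streams (not real captures): minimal TC_CLASSDESC records.
def _class_desc(name: str) -> bytes:
    """tag, UTF length, name, serialVersionUID, flags, 0 fields, TC_ENDBLOCKDATA, TC_NULL"""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode()
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78\x70")


BENIGN_STREAM = (JAVA_STREAM_MAGIC + bytes([TC_OBJECT]) + _class_desc("java.util.HashMap")
                 + bytes([TC_OBJECT]) + _class_desc("java.lang.String"))
GADGET_STREAM = (JAVA_STREAM_MAGIC + bytes([TC_OBJECT]) + _class_desc("java.util.PriorityQueue")
                 + bytes([TC_OBJECT]) + _class_desc("org.apache.xalan.xsltc.trax.TemplatesImpl"))


def encode_http64(raw: bytes) -> str:
    """Encode as base64 (assumed Http64) when building requests for testing."""
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Hypothetical paths; the first is the pre-auth case the advisory describes.
    print(check_request("/password/reset", {"jato.clientSession": encode_http64(GADGET_STREAM)}, False))
    print(check_request("/ui/profile", {"jato.clientSession": encode_http64(BENIGN_STREAM)}, True))
    print(check_request("/ui/profile", {"jato.clientSession": encode_http64(GADGET_STREAM)}, True))
```

The proxy check is a stopgap. The durable fix is to put the same allowlist inside ClientSession.deserializeAttributes() itself, for example with a JDK ObjectInputFilter in front of readObject(), because anything a proxy decodes can drift from what the server decodes, and an authenticated low-privilege user reaches the same code path.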

Skeptical note: whitelisting one parameter while ignoring its sibling points to an incomplete audit of the deserialization sinks. JATO's legacy deserialization keeps resurfacing in old Java apps; it is time to rip it out or migrate to a modern IdP such as Keycloak. If you are on OpenAM, assume breach until patched. This is not theoretical: the gadget chain works out of the box with the classes OpenAM ships.

April 7, 2026 · 3 min · 12 views · Source: GitHub Security
