QID 150623
Date Published: 2022-12-12
QID 150623: ForgeRock Access Management Remote Code Execution Vulnerability (CVE-2021-35464)
ForgeRock AM server provides a service called access management, which manages access to resources, such as a web page, an application, or web service, available over the network.
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. Exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability arises from the server's use of the Sun ONE Application Framework (JATO) when running on Java 8 or earlier.
Affected Versions:
ForgeRock Access Management version 5.x
ForgeRock Access Management versions 6.0.0.x, 6.5.0.x, 6.5.1, 6.5.2.x and 6.5.3
OpenAM versions 9.x, 10.x, 11.x, 12.x and 13.x
QID Detection Logic (Unauthenticated):
This QID sends specially crafted HTTP GET/POST requests with command injection payloads; a vulnerable server will execute the embedded system commands or make a DNS query that triggers the Qualys Periscope detection mechanism.
Successful exploitation of this vulnerability may allow an unauthenticated remote attacker to execute arbitrary code on the target system.
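As an added defender-side example (not Qualys or ForgeRock code), the following Python triages web-server access-log lines for the request pattern described above: a /ccversion/* request carrying a jato.pageSession parameter whose value decodes to a Java serialization stream (magic bytes AC ED 00 05). The log lines are constructed, and base64 encoding of the parameter value is an assumption.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample value: the stream header followed by filler, base64- and
# URL-encoded the way a client would send it. It is not a real payload.
SAMPLE_VALUE = quote(base64.b64encode(JAVA_STREAM_MAGIC + b"constructed-filler").decode())
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [12/Dec/2022:10:00:01 +0000] "GET /openam/ccversion/Version'
    f'?jato.pageSession={SAMPLE_VALUE} HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Dec/2022:10:00:02 +0000] "GET /openam/ccversion/Version HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Dec/2022:10:00:03 +0000] "POST /openam/json/authenticate HTTP/1.1" 200 128',
])

def carries_serialized_object(value: str) -> bool:
    """True if a jato.pageSession value decodes to a Java serialization stream."""
    try:
        raw = base64.b64decode(value)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw.startswith(JAVA_STREAM_MAGIC)

def flag_request(line: str) -> Optional[dict]:
    """Return a finding for a /ccversion/* request with jato.pageSession, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if "/ccversion/" not in parts.path:
        return None
    values = parse_qs(parts.query).get("jato.pageSession")  # already URL-decoded
    if not values:
        return None  # page reached without the vulnerable parameter
    # POST bodies are not in a standard access log; a body-logging proxy or a
    # WAF is needed to apply the same check to POSTed parameters.
    return {
        "client": line.split(" ", 1)[0],
        "path": parts.path,
        "serialized": any(carries_serialized_object(v) for v in values),
    }

def scan_log(text: str) -> list:
    """Run flag_request over every line and keep the findings."""
    return [hit for hit in map(flag_request, text.splitlines()) if hit]
```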
AM Security Advisory 202104: backstage.forgerock.com/knowledge/kb/article/a47894244
CVEs related to QID 150623
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ForgeRock Access Management Security Advisory | ForgeRock Access Management | | backstage.forgerock.com/knowledge/kb/article/a47894244 |