CVE-2026-33439 Pre-Authentication Remote Code Execution via jato.clientSession Deserialization in OpenAM

Author: maximthomas

jato-shaded/pom.xml

@@ -13,7 +13,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2011-2016 ForgeRock AS.
- * Portions Copyrighted 2025 3A Systems LLC.
+ * Portions Copyrighted 2025-2026 3A Systems LLC.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
@@ -40,6 +40,11 @@
             <artifactId>jato</artifactId>
             <version>2005-05-04</version>
         </dependency>
+        <dependency>
+            <groupId>org.openidentityplatform.openam</groupId>
+            <artifactId>openam-shared</artifactId>
+            <scope>provided</scope>
+        </dependency>
     </dependencies>
     <build>
         <plugins>
@@ -55,6 +60,7 @@
                         </goals>
                         <configuration>
                             <outputDirectory>${project.build.directory}/classes</outputDirectory>
+                            <excludeScope>provided</excludeScope>
                         </configuration>
                     </execution>
                 </executions>

jato-shaded/src/main/java/com/iplanet/jato/util/Encoder.java

@@ -1,20 +1,38 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2023-2026 3A Systems LLC.
+ */
+
 package com.iplanet.jato.util;
 
-import java.io.ByteArrayInputStream;
+import com.sun.identity.shared.debug.Debug;
+import org.forgerock.openam.utils.IOUtils;
+
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.io.Serializable;
 import java.util.Base64;
+import java.util.stream.Collectors;
 import java.util.zip.DataFormatException;
 import java.util.zip.Deflater;
 import java.util.zip.DeflaterOutputStream;
 import java.util.zip.Inflater;
-import java.util.zip.InflaterInputStream;
 
 public class Encoder {
 
+    private final static Debug debug = Debug.getInstance("amConsole");
     private Encoder() {
     }
 
@@ -115,18 +133,17 @@ public static byte[] serialize(Serializable o, boolean compress) throws IOExcept
     }
 
     public static Object deserialize(byte[] b, boolean compressed) throws IOException, ClassNotFoundException {
-        ByteArrayInputStream bais = new ByteArrayInputStream(b);
-        InflaterInputStream iis = null;
-        ObjectInputStream ois = null;
-        if (compressed) {
-            iis = new InflaterInputStream(bais);
-            ois = new ApplicationObjectInputStream(iis);
-        } else {
-            ois = new ApplicationObjectInputStream(bais);
+        if(debug.messageEnabled()) {
+            String trace = StackWalker.getInstance()
+                .walk(frames -> frames
+                        .skip(1).limit(3)
+                        .map(f -> String.format("%s.%s(%s:%d)",
+                                f.getClassName(), f.getMethodName(),
+                                f.getFileName(), f.getLineNumber()))
+                        .collect(Collectors.joining("; ")));
+            debug.message("Encoder:deserialize callers trace: " + trace);
         }
-
-        Object result = ois.readObject();
-        return result;
+        return IOUtils.deserialise(b, compressed);
     }
 }