OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI
Description
Summary
Description
A Deserialization of Untrusted Data (CWE-502) issue in OpenDJ's JMX RMI connector allows an unauthenticated remote attacker to deserialize arbitrary Java objects on the server. The vulnerability exists because the platform reads and processes attacker-controlled bytes prior to authentication. This affects OpenDJ Community Edition through 5.1.0. This has been patched in version 5.1.1.
Impact
This impacts all current OpenDJ releases where the JMX Connection Handler is enabled. While disabled by default, it is frequently enabled in practice for monitoring integrations. Exploitation requires TCP reachability to the configured listener and does not require authentication, prior privileges, or client certificates. Successful exploitation results in unauthenticated Remote Code Execution (RCE), with the severity depending on the runtime classpath and Java version. Unauthenticated RCE was demonstrated on the OpenDJ 4.4.15 (JDK 11 + Jackson 2.12.6.1).
Patch
This has been patched in OpenDJ Community Edition version 5.1.1. Users are encouraged to update to the latest release.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.openidentityplatform.opendj:opendj-server-legacyMaven | < 5.1.1 | 5.1.1 |
Affected products
1- Range: <=5.1.0
Patches
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
0No linked articles in our index yet.