From 7e3a75903159153c877daeb2952a552701e38044 Mon Sep 17 00:00:00 2001
From: Valery Kharseko <vharseko@3a-systems.ru>
Date: Thu, 11 Jun 2026 08:34:19 +0000
Subject: [PATCH] CVE-2026-46495 OpenDJ Unauthenticated RCE via Java Deserialization in JMX RMI

---
 opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiAuthenticator.java |   19 ++++++++++++++++---
 1 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiAuthenticator.java b/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiAuthenticator.java
index 9377b25..dfc2432 100644
--- a/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiAuthenticator.java
+++ b/opendj-server-legacy/src/main/java/org/opends/server/protocols/jmx/RmiAuthenticator.java
@@ -13,6 +13,7 @@
  *
  * Copyright 2006-2010 Sun Microsystems, Inc.
  * Portions Copyright 2014-2016 ForgeRock AS.
+ * Portions Copyright 2026 3A Systems, LLC.
  */
 package org.opends.server.protocols.jmx;
 
@@ -102,9 +103,21 @@
     {
       throw new SecurityException();
     }
-    Object c[] = (Object[]) credentials;
-    String authcID = (String) c[0];
-    String password = (String) c[1];
+    if (!(credentials instanceof String[]))
+    {
+      logger.trace("Invalid JMX credentials type");
+      throw new SecurityException();
+    }
+
+    String[] c = (String[]) credentials;
+    if (c.length != 2)
+    {
+      logger.trace("Invalid JMX credentials length");
+      throw new SecurityException();
+    }
+
+    String authcID = c[0];
+    String password = c[1];
 
     // The authcID is used at forwarder level to identify the calling client
     if (authcID == null)
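Review bot: The `instanceof String[]` check at the top of the hunk runs only after RMI has already deserialized the credentials argument, so it tightens the cast on this method's input but does not by itself prevent a hostile serialized payload from being processed before the method is ever reached. Deserialization should also be constrained at the connector-server boundary, e.g. by setting `jmx.remote.rmi.server.credentials.filter.pattern` (or `jmx.remote.rmi.server.credential.types` on older JDKs) in the environment map handed to the JMXConnectorServer so that only String[] credentials are accepted before any cast happens; whether the connector setup elsewhere in this code base already does that is not visible in this hunk. A comment above the new check would make that boundary explicit for the next maintainer, e.g. `// Type check only: RMI has already deserialized 'credentials'; the connector's credentials filter is the actual deserialization guard.`. The enclosing method starts and ends outside the hunk, so the preceding `throw new SecurityException()` at the top of the hunk is presumably the null-credentials path, which this change leaves as is.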

--
Gitblit v1.10.0