CVE-2022-29464

WSO2 Products impacted: no

Customers actions required: no


REPORTED VULNERABILITY

The CVE-2022-29464 vulnerability was reported as affecting certain WSO2 components. However, the initial CVE publication [1] does not contain accurate Product Status information, and external advisories, such as the one on NVD [2], incorrectly identify the vulnerable components.

WSO2 JUSTIFICATION

The vulnerability mentioned in CVE-2022-29464 has been addressed and fixed in the respective versions as per the advisory published at WSO2-2021-1738 [3]. The affected components and their corresponding fixed versions are listed below:

Affected Components and Fixed Versions:

1. WSO2 Carbon UI (org.wso2.carbon:org.wso2.carbon.ui)

Unaffected ranges are listed below. A version is unaffected when it is greater than or equal to the start version and falls within the listed range (the "*" matches any trailing version component; the community range "*" covers 4.7.0 and all later releases).

  Start version (inclusive)   Range       Version Type
  4.4.7.4                     4.4.7.*     Commercial
  4.4.9.8                     4.4.9.*     Commercial
  4.4.11.7                    4.4.11.*    Commercial
  4.4.20.6                    4.4.20.*    Commercial
  4.4.22.7                    4.4.22.*    Commercial
  4.4.26.10                   4.4.26.*    Commercial
  4.4.32.9                    4.4.32.*    Commercial
  4.4.35.25                   4.4.35.*    Commercial
  4.4.36.6                    4.4.36.*    Commercial
  4.4.40.14                   4.4.40.*    Commercial
  4.5.1.16                    4.5.1.*     Commercial
  4.5.3.17                    4.5.3.*     Commercial
  4.6.0.77                    4.6.0.*     Commercial
  4.6.1.35                    4.6.1.*     Commercial
  4.6.2.42                    4.6.2.*     Commercial
  4.7.0                       *           Community [4][5]

2. WSO2 Carbon Core Services (org.wso2.carbon:org.wso2.carbon.core.services)

Unaffected ranges are listed below (same interpretation as for the Carbon UI component: the version must be greater than or equal to the start version and within the listed range).

  Start version (inclusive)   Range       Version Type
  4.4.7.4                     4.4.7.*     Commercial
  4.4.9.8                     4.4.9.*     Commercial
  4.4.11.7                    4.4.11.*    Commercial
  4.4.20.6                    4.4.20.*    Commercial
  4.4.22.7                    4.4.22.*    Commercial
  4.4.26.10                   4.4.26.*    Commercial
  4.4.32.9                    4.4.32.*    Commercial
  4.4.35.25                   4.4.35.*    Commercial
  4.4.36.6                    4.4.36.*    Commercial
  4.4.40.14                   4.4.40.*    Commercial
  4.5.1.16                    4.5.1.*     Commercial
  4.5.3.17                    4.5.3.*     Commercial
  4.6.0.77                    4.6.0.*     Commercial
  4.6.1.35                    4.6.1.*     Commercial
  4.6.2.42                    4.6.2.*     Commercial
  4.7.0                       *           Community [4][5]
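Because the same start-version-plus-range table applies to both org.wso2.carbon.ui and org.wso2.carbon.core.services, and because external scanners only know about 4.7.0, a practitioner checking a deployment or a Maven dependency tree needs to apply the commercial ranges themselves. The following is an added example (not WSO2 tooling or code from this statement) that encodes the table above and decides whether a given component version sits inside one of the unaffected ranges; the function names and the sample versions are constructed for illustration.

```python
"""Classify WSO2 Carbon component versions against the CVE-2022-29464
'unaffected ranges' table. Added example; the table is copied from the
statement, the comparison logic is a hypothetical helper."""
from typing import Dict, Iterable, List, Tuple

# (start version, range pattern) pairs exactly as listed in the statement for
# org.wso2.carbon.ui and org.wso2.carbon.core.services. A pattern such as
# "4.4.7.*" means "any version whose leading components are 4.4.7"; "*" alone
# matches every version. A version is unaffected when it matches the pattern
# AND is greater than or equal to the start version.
FIXED_RANGES: List[Tuple[str, str]] = [
    ("4.4.7.4", "4.4.7.*"), ("4.4.9.8", "4.4.9.*"), ("4.4.11.7", "4.4.11.*"),
    ("4.4.20.6", "4.4.20.*"), ("4.4.22.7", "4.4.22.*"), ("4.4.26.10", "4.4.26.*"),
    ("4.4.32.9", "4.4.32.*"), ("4.4.35.25", "4.4.35.*"), ("4.4.36.6", "4.4.36.*"),
    ("4.4.40.14", "4.4.40.*"), ("4.5.1.16", "4.5.1.*"), ("4.5.3.17", "4.5.3.*"),
    ("4.6.0.77", "4.6.0.*"), ("4.6.1.35", "4.6.1.*"), ("4.6.2.42", "4.6.2.*"),
    ("4.7.0", "*"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.4.35.25' into (4, 4, 35, 25); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # Right-pad with zeros so '4.4.35' compares as 4.4.35.0 (the base release,
    # which predates the first fixed update 4.4.35.25).
    return v + (0,) * (width - len(v))


def in_range(version: str, start: str, pattern: str) -> bool:
    """True when `version` matches `pattern` and is >= `start`."""
    v, s = parse_version(version), parse_version(start)
    prefix = tuple(int(p) for p in pattern.split(".") if p != "*")
    if v[: len(prefix)] != prefix:
        return False
    width = max(len(v), len(s))
    return _pad(v, width) >= _pad(s, width)


def is_fixed(version: str, ranges: Iterable[Tuple[str, str]] = FIXED_RANGES) -> bool:
    """A version is fixed if it falls into any listed unaffected range.
    Anything outside every listed range is reported as NOT fixed, so that
    unlisted update lines get reviewed rather than silently passed."""
    return any(in_range(version, start, pattern) for start, pattern in ranges)


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each observed component version to its fixed/not-fixed verdict."""
    return {v: is_fixed(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample of versions one might find in a dependency report.
    sample = ["4.4.35.24", "4.4.35.25", "4.4.35", "4.6.2.42", "4.7.0", "4.8.3", "4.4.8.2"]
    for ver, ok in triage(sample).items():
        verdict = "in a listed fixed range" if ok else "NOT in a listed fixed range -> review"
        print(f"{ver:>10}  {verdict}")
```

The padding step matters for commercial update numbering: a bare "4.4.35" is the base release and must compare below "4.4.35.25", which zero-padding achieves. The checker deliberately treats versions that match no listed range (for example an update line the table does not mention) as not fixed, which is the conservative reading of the statement.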

Incorrect External Advisory Information

  1. Incorrect Component Identification: The information published on external sites such as Snyk [6] lists org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service as affected, which is incorrect.

  2. Incomplete Version Information: External advisories, such as NVD, list only the public version (4.7.0) as the patched version for org.wso2.carbon:org.wso2.carbon.ui and org.wso2.carbon:org.wso2.carbon.core.services. The correct fixed versions include both community and commercial versions, as listed above.

Given these points, the CVE information published on external platforms does not accurately reflect the affected components or the versions that have been patched.

CONCLUSION

Due to the following key points:

  • The incorrect listing of org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service as a vulnerable component.
  • The omission of commercial patch versions in external advisories.
  • The absence of correct affected and fixed version information in the original CVE publication [1].

WSO2 concludes that this is not an exploitable vulnerability in WSO2 products when the product versions or the component versions fall within the fixed version ranges listed above, as the vulnerability has already been mitigated as per WSO2-2021-1738 [3].

REFERENCES

  1. https://www.cve.org/CVERecord?id=CVE-2022-29464
  2. https://nvd.nist.gov/vuln/detail/CVE-2022-29464
  3. https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1738/
  4. https://github.com/wso2/carbon-kernel/pull/3152
  5. https://github.com/wso2/carbon-identity-framework/pull/3864
  6. https://security.snyk.io/package/maven/org.wso2.carbon.identity.auth.rest:org.wso2.carbon.identity.auth.service