Security Advisory WSO2-2019-0653

Published: December 02, 2019

Severity: High

CVSS Score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


  • WSO2 API Manager
  • WSO2 API Manager Analytics
  • WSO2 Enterprise Integrator
  • WSO2 IS as Key Manager
  • WSO2 Identity Server
  • WSO2 Identity Server Analytics


A potential improper authorization vulnerability has been identified with TenantMgtService.


TenantMgtService allows an unauthorized user to register tenants.


Successful exploitation of this vulnerability would lead to a wide range of attacks, including sensitive information exposure, denial of service and phishing attacks.

However, the impact is significantly reduced if WSO2's recommendation of blocking '/services' path, as mentioned in our Security Guidelines for Production Deployment, has been already applied. In that case, it would not be possible for outside attackers to access TenantMgtService and exploit this vulnerability.


For latest versions of affected products

Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to

Download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from Security Patch Releases.

Code Product Version Patch
APIM WSO2 API Manager 2.6.0 WSO2-CARBON-PATCH-4.4.0-5263
EI WSO2 Enterprise Integrator 6.5.0 WSO2-CARBON-PATCH-4.4.0-5253
IS KM WSO2 IS as Key Manager 5.7.0 WSO2-CARBON-PATCH-4.4.0-5263
IS WSO2 Identity Server 5.8.0 WSO2-CARBON-PATCH-4.4.0-5253


If you are a WSO2 customer with a support subscription, use WSO2 Update Manager (WUM) updates in order to apply the fix. This patch is intended for WSO2 community (free) users.

For other products

Upgrade the products to the latest released version, which is not affected by this vulnerability.

In addition to the above-mentioned solution, we strongly recommend you to follow the below actions in order to ensure the security of your production environment:

  1. Check whether there are any suspicious tenants created. If so, take the necessary steps to deactivate them. You can check the tenants in the system and deactivate rogue ones by accessing the Management Console of the product (usually at https://:/carbon) and navigating to 'Home > Configure > Multitenancy > View Tenants'.

    If that check reveals rogue tenants in the system, then make sure to remove the folders created in the filesystem under those tenant names, inside WSO2 product distribution's location. Do that in all the WSO2 nodes of the deployment. That is to make sure any deployment artifact created by those tenants will be permanently removed. If the check does not reveal any suspicious tenants in the system, that means this vulnerability is not exploited in your deployment.

  2. Stop using TenantMgtService for tenant registration and use TenantMgtAdminService instead, since it is the most suitable for tenant management related functionality.

  3. Make sure WSO2's Security Guidelines for Production Deployment are followed in order to harden your production deployment, if you have not done that already.


If you are using newer versions of the products than the ones mentioned in the SOLUTION section, this vulnerability is fixed.