Security Advisory WSO2-2019-0653¶
Published: December 02, 2019
Severity: High
CVSS Score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
AFFECTED PRODUCTS¶
- WSO2 API Manager
- WSO2 API Manager Analytics
- WSO2 Enterprise Integrator
- WSO2 IS as Key Manager
- WSO2 Identity Server
- WSO2 Identity Server Analytics
OVERVIEW¶
A potential improper authorization vulnerability has been identified with TenantMgtService.
DESCRIPTION¶
TenantMgtService allows an unauthorized user to register tenants.
IMPACT¶
Successful exploitation of this vulnerability would lead to a wide range of attacks, including sensitive information exposure, denial of service and phishing attacks.
However, the impact is significantly reduced if WSO2's recommendation of blocking '/services' path, as mentioned in our Security Guidelines for Production Deployment, has been already applied. In that case, it would not be possible for outside attackers to access TenantMgtService and exploit this vulnerability.
SOLUTION¶
For latest versions of affected products¶
Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to security@wso2.com.
Download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from Security Patch Releases.
| Code | Product | Version | Patch |
|---|---|---|---|
| APIM | WSO2 API Manager | 2.6.0 | WSO2-CARBON-PATCH-4.4.0-5263 |
| EI | WSO2 Enterprise Integrator | 6.5.0 | WSO2-CARBON-PATCH-4.4.0-5253 |
| IS KM | WSO2 IS as Key Manager | 5.7.0 | WSO2-CARBON-PATCH-4.4.0-5263 |
| IS | WSO2 Identity Server | 5.8.0 | WSO2-CARBON-PATCH-4.4.0-5253 |
Info
If you are a WSO2 customer with a support subscription, use WSO2 Update Manager (WUM) updates in order to apply the fix. This patch is intended for WSO2 community (free) users.
For other products¶
Upgrade the products to the latest released version, which is not affected by this vulnerability.
In addition to the above-mentioned solution, we strongly recommend you to follow the below actions in order to ensure the security of your production environment:
-
Check whether there are any suspicious tenants created. If so, take the necessary steps to deactivate them. You can check the tenants in the system and deactivate rogue ones by accessing the Management Console of the product (usually at https://:/carbon) and navigating to '
Home>Configure>Multitenancy>View Tenants'.If that check reveals rogue tenants in the system, then make sure to remove the folders created in the filesystem under those tenant names, inside WSO2 product distribution's location. Do that in all the WSO2 nodes of the deployment. That is to make sure any deployment artifact created by those tenants will be permanently removed. If the check does not reveal any suspicious tenants in the system, that means this vulnerability is not exploited in your deployment.
-
Stop using TenantMgtService for tenant registration and use TenantMgtAdminService instead, since it is the most suitable for tenant management related functionality.
- Make sure WSO2's Security Guidelines for Production Deployment are followed in order to harden your production deployment, if you have not done that already.
Note
If you are using newer versions of the products than the ones mentioned in the SOLUTION section, this vulnerability is fixed.