

Security Advisory WSO2-2019-0673

Published: July 01, 2020

Version: 1.0.0

Severity: Medium

CVSS Score: 4.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N)

---

AFFECTED PRODUCTS

• WSO2 API Manager : 3.0.0 or earlier
• WSO2 API Manager Analytics : 2.5.0 or earlier
• WSO2 API Microgateway : 2.2.0
• WSO2 Data Analytics Server : 3.2.0
• WSO2 Enterprise Integrator : 6.6.0 or earlier
• WSO2 Identity Server : 5.9.0 or earlier
• WSO2 IS as Key Manager : 5.9.0 or earlier
• WSO2 Identity Server Analytics : 5.6.0 or earlier

OVERVIEW

Server Side Request Forgery (SSRF) vulnerability in Management Console usable in time-based analysis.

DESCRIPTION

It was identified that the intended behaviour of a deprecated feature available in the Management Console of WSO2 products could also be used to perform a Server Side Request Forgery (SSRF) which does not expose any sensitive information or response data other than being able to map internal network based on response times.

IMPACT

As per WSO2's security guidelines for production deployments, it is highly advised to restrict Management Console access to internal trusted networks. If access is available to the UI (/carbon) or the admin services (/services) of the Management Console, this vulnerability can be used by an authenticated administrator to perform a time-based identification of other open ports or available services within the deployment. Any information regarding the response data, including the success or failure of the server side request, is not exposed. However, if there are other services in the deployment that allow unauthenticated state changing operations via HTTP GET requests, those operations could be invoked by using this vulnerability.

SOLUTION

This vulnerability was identified in an already deprecated feature that is not used in regular operations of the product. The latest versions of WSO2 products have completely removed the affected feature. If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

• https://github.com/wso2/carbon-registry/pull/335
• https://github.com/wso2/carbon-registry/pull/349

CREDITS

WSO2 thanks, Paweł Hałdrzyński (Limpid Security) for responsibly reporting the identified issue and working with us as we addressed it.