Security Advisory WSO2-2020-0731

Published: September 08, 2020

Version: 2.0.0

Severity: High

CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H)


AFFECTED PRODUCTS

  • WSO2 API Manager : 3.2.0 or earlier
  • WSO2 API Manager Analytics : 2.5.0, 2.2.0
  • WSO2 Enterprise Integrator : 6.6.0 or earlier
  • WSO2 Governance Registry : 5.4.0
  • WSO2 IS as Key Manager : 5.10.0 or ealier
  • WSO2 Identity Server : 5.10.0 or earlier
  • WSO2 Identity Server Analytics : 5.6.0 or earlier

OVERVIEW

A potential XXE and XSS have been identified in the Feature Management section of the Management Console.

DESCRIPTION

A potential XML Entity processing vulnerability was identified in the Feature Management section of the Management console, which can be used to extract sensitive information and cause denial of service. In addition, a potential Cross Site Scripting (XSS) vulnerability was identified in the same feature.

IMPACT

A malicious actor who has authenticated access to the Management Console, may use maliciously crafted feature repositories to exploit the XXE vulnerability and read confidential files from the file system or access HTTP resources that are reachable to the vulnerable product. The same vulnerability could be used in performing denial of service attack.

If a feature repository uses unencrypted channels (HTTP without SSL/TLS), a malicious actor may use Man-inthe-Middle techniques, without having to authenticate to the management console to inject such malicious payloads.

In combination with the XXE a malicious actor may exploit the XSS issue to perform a phishing attack on another administrator. This can only be exploited when another administrator performs Feature Management related operations.

If security guidelines for production deployment provided by WSO2 are followed and access to Management Console is properly restricted, the impact of this issue is greatly reduced.

SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

Info

If you are a WSO2 customer with a support subscription, use WSO2 Update Manager(WUM) updates in order to apply the fix to the affected versions.

CREDITS

WSO2 thanks, Matei "Mal" Badanoiu (Deloitte) for responsibly reporting the identified issue and working with us as we addressed it.

CHANGE LOG

  • 2020-09-24: API Manager 3.2.0 added to the affected product list.