

Security Advisory WSO2-2020-0747

Published: August 17, 2020

Version: 2.0.0

Severity: {{severity}}

CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

---

AFFECTED PRODUCTS

• WSO2 API Manager : 3.1.0 or earlier
• WSO2 API Manager Analytics : 2.5.0, 2.2.0
• WSO2 API Microgateway : 2.2.0
• WSO2 Data Analytics Server : 3.2.0
• WSO2 Enterprise Integrator : 6.6.0 or ealier
• WSO2 IS as Key Manager : 5.10.0 or ealier
• WSO2 Identity Server : 5.10.0 or earlier
• WSO2 Identity Server Analytics : 5.6.0 or earlier
• WSO2 IoT Server : 3.3.1, 3.3.0

OVERVIEW

Improper access control in web service Try It functionality.

DESCRIPTION

Web service Try It functionality in some product versions allows unauthenticated access via HTTP Servlet (default port: 9443) and/or PassThrough (default port: 8243) transports.

Some products contain UIs inside Carbon Management Console for the Try It functionality (e.g. WSO2 Enterprise Integrator), and in other products (e.g. WSO2 Identity Server) it could be achieved by directly calling a specific JSP file that is packed with the Carbon Kernel.

IMPACT

If the Try It functionality related URLs are accessible to unauthorized parties, by using this vulnerability it is possible to send requests to SOAP services running in other network nodes that are usually denied to those parties, and view the response if those services allow unauthenticated access. In addition to that, it would be possible to do a port scan to identify the open ports in the deployment.

The risk from this vulnerability would be reduced if the network access to Carbon Management Console nodes are blocked to the unwarranted parties as per WSO2's security recommendations for the production deployments.

SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

• https://github.com/wso2/carbon-kernel/pull/2690
• https://github.com/wso2/carbon-commons/pull/417
• https://github.com/wso2/carbon-commons/pull/418

As recommended in WSO2 Production Security Guideline, add following property in carbon.properties file which is located at <PRODUCT_HOME>/conf to disable try-it option in management console.

tryItFunctionalityDisabled=true

Info

If you are a WSO2 customer with a support subscription, use WSO2 Update Manager(WUM) updates in order to apply the fix to the affected versions.

CHANGE LOG

• 2020-09-24: API Manager 3.2.0 added to the affected product list.