Security Advisory WSO2-2020-0755

Published: August 17, 2020

Version: 2.0.0

Severity: High

CVSS Score: 8.1 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)

AFFECTED PRODUCTS

  • WSO2 API Manager : 3.2.0 or earlier
  • WSO2 API Microgateway : 2.2.0
  • WSO2 IS as Key Manager : 5.10.0 or earlier
  • WSO2 Identity Server : 5.10.0 or earlier

OVERVIEW

A potential sensitive information disclosure vulnerability has been identified in the RemoteUserRealmService SOAP service.

DESCRIPTION

The RemoteUserRealmService SOAP service allows fetching realm configs for users with Super Admin permissions. Service response includes credentials of the Super Admin user and primary user store connection that are specified in the user-mgt.xml.

IMPACT

The Super Admin specified in the user-mgt.xml is the highest privileged user in a WSO2 product. Only that user is able to assign/unassign the admin role to other users and delete a user who is having the admin role. By exploiting this vulnerability, another admin user (having the "Super Admin" permissions that are defined in the Management Console's Permission tree, but having less privileges than the Super Admin of usermgt.xml) can obtain credentials of that superior user if the Super Admin password in the user-mgt.xml is used without changing via the Management Console as recommended by WSO2's security guidelines for production deployments. The primary user store is a highly confidential asset of an organization. Ideally, access to it should be restricted via the network rules. If the attacker can reach the primary user store, there could be a confidentiality and integrity impact since he can authenticate using the credentials returned by the SOAP service.

SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

Info

If you are a WSO2 customer with a support subscription, use WSO2 Update Manager(WUM) updates in order to apply the fix to the affected versions.

CHANGE LOG

  • 2020-09-24: API Manager 3.2.0 added to the affected product list.