Security Advisory WSO2-2021-1357

Published: September 02, 2021

Version: 1.0.0

Severity: Medium

CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

AFFECTED PRODUCTS

  • WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0
  • WSO2 IoT Server : 3.3.1

OVERVIEW

Lack of Server-Side input validation in API Store.

DESCRIPTION

Due to lack of server-side input validation in the Forum feature, API rating could be manipulated.

IMPACT

A malicious actor could use this vulnerability to influence the ranking of APIs by increasing its rating. This can negatively impact when API rating is used for sorting.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

The rating related information is stored in the REG_RATING table and REG_RESOURCE_RATING table of the registry database. In order to identify if this vulnerability has been used by a malicious actor in your deployment, query for database entries where the reg_resource path starts with /_system/governance/forumtopics/common and the rating is greater than 5.

You may use the following database query to perform this check:

SELECT RT.REG_RATING_ID, RA.REG_RATING, P.REG_PATH_VALUE FROM REG_RESOURCE_RATING RT, REG_RESOURCE R, REG_RATING RA, REG_PATH P WHERE (R. REG_VERSION=RT.REG_VERSION OR (R.REG_PATH_ID=RT.REG_PATH_ID AND R.REG_NAME=RT. REG_RESOURCE_NAME)) AND RA.REG_ID = RT.REG_RATING_ID AND RA.REG_RATING > 5 AND R. REG_PATH_ID=P.REG_PATH_ID AND P.REG_PATH_VALUE like '/_system/governance/forumtopics /common%';

If the aforementioned query does not return any records it is not required to take any corrective actions. If any records were found, extract the REG_RATING_ID(s) returned from the above query, and then reset REG_RATING to a value within the valid range of 0 to 5. You may use the following query to perform such update:

UPDATE REG_RATING SET REG_RATING = 5 WHERE REG_ID=;

Querying for ratings is described in 1.

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.

REFERENCES

  1. Executing a Query#Queryingforratings