

Security Advisory WSO2-2021-1497

Published: December 03, 2021

Version: 1.0.0

Severity: High

CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)

---

AFFECTED PRODUCTS

• WSO2 API Manager : 3.2.0 , 4.0.0

OVERVIEW

When invoking an API protected with API Key, signature of the cached API Key is not validated.

DESCRIPTION

In order to access the API resources, consumers need to provide an OAuth2 token, or an API Key. When the API Key (which is based on JWT) is used to consume API resources, the API Gateway fails to verify the JWT signature of the cached API Key.

IMPACT

By leveraging this vulnerability, a malicious actor can access the API resources using tampered API Key with an invalid signature. However, CIA impact is dependent on the deployed APIs' use cases.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

• https://github.com/wso2/carbon-apimgt/pull/10857

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.