Security Advisory WSO2-2021-1259

Published: January 19, 2022

Version: 1.0.0

Severity: Medium

CVSS Score: 6.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H)


AFFECTED PRODUCTS

  • WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0
  • WSO2 API Manager Analytics : 2.2.0 , 2.5.0 , 2.6.0
  • WSO2 API Microgateway : 2.2.0
  • WSO2 Data Analytics Server : 3.2.0
  • WSO2 Enterprise Integrator : 6.1.0 , 6.2.0 , 6.3.0 , 6.4.0 , 6.5.0 , 6.6.0
  • WSO2 IS as Key Manager : 5.5.0 , 5.6.0 , 5.7.0 , 5.9.0 , 5.10.0
  • WSO2 Identity Server : 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0 , 5.7.0 , 5.8.0 , 5.9.0 , 5.10.0 , 5.11.0
  • WSO2 Identity Server Analytics : 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0
  • WSO2 Micro Integrator : 1.0.0 , 1.1.0 , 1.2.0 , 4.0.0
  • WSO2 IoT Server: 3.3.1

OVERVIEW

A Remote Code Execution vulnerability in the Management Console.

DESCRIPTION

Due to the improper input validation, a remote code execution attack could be carried out using certain admin operations which require an admin user to configure a "JDBC Connection String".

IMPACT

In order to exploit this vulnerability, the malicious actor should have a valid user account which has administrative access to the Management Console and should be able to reach it (WSO2 Security Guidelines for Production Deployment 1 recommends not to publicly expose the Management Console). If such access could be obtained, a malicious actor could execute arbitrary code on the server running the H2 database engine. Execution will occur with the permissions assigned to the user running the H2 database engine. In the case of the H2 database instance embedded in WSO2 products, this is the user running the WSO2 product.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.

CREDITS

WSO2 thanks, Matei Mal Badanoiu for responsibly reporting the identified issue and working with us as we addressed it.

REFERENCES