

Security Advisory WSO2-2021-1482

Published: February 14, 2022

Version: 1.0.0

Severity: High

CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L)

---

AFFECTED PRODUCTS

• WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.2.0 , 4.0.0
• WSO2 API Microgateway : 2.2.0
• WSO2 IS as Key Manager : 5.5.0 , 5.6.0 , 5.7.0 , 5.9.0 , 5.10.0
• WSO2 IoT Server : 3.3.1

OVERVIEW

Potential user impersonation when using JWT bearer grant type with identity federation.

DESCRIPTION

When JWT bearer grant type is used with identity federation, a malicious actor may use or create an account in the federated IDP with the same username as a targeted local user in order to impersonate the local user and gain privileges the local user has.

IMPACT

To leverage this vulnerability, the malicious actor must have a user account in the configured federated IDP with the same username as the targeted local user. If such access is obtained, the malicious actor could generate x-jwt-assertion with the details of the targeted local user. This may result in user impersonation, if backend services rely on details provided in the x-jwt-assertion for authentication or authorization.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

• https://github.com/wso2/carbon-apimgt/pull/10836

Please make sure those are followed properly. There may be some requirements to pass the federated user claims to the backend in production. Therefore, after adding the fix, the existing behavior will be executed to avoid the break in current use cases. If your deployment does not have such a requirement follow the below given instructions.

For 3.0 and upper versions, add the following configurations into the <APIM_HOME>repository/conf/deployment.toml file to enable the fix.

[apim.jwt]
binding_federated_user_claims=false

For 2.x versions, add the following configurations in the <JWTConfiguration> section on <APIM_HOME>repository/conf/api-manager.xml file to enable the fix.

<EnableBindingFederatedUserClaims>false</EnableBindingFederatedUserClaims>

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.

CREDITS

WSO2 thanks, Bruno Monteiro for responsibly reporting the identified issue and working with us as we addressed it.