Security Advisory WSO2-2021-1574¶
Published: February 14, 2022
Version: 1.0.0
Severity: Medium
CVSS Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0
- WSO2 API Microgateway : 2.2.0
- WSO2 IS as Key Manager : 5.10.0
OVERVIEW¶
Potential sensitive information disclosure via log files when JMS connection failure occurs.
DESCRIPTION¶
When special characters are contained in JMS connection credentials, JMS connection string (including credentials) are logged to "wso2carbon" log during JMS connection failures.
IMPACT¶
In order to leverage this vulnerability, a malicious actor should have the privileges to access the "wso2carbon" log files. If such access is obtained, a malicious actor could obtain the JMS connection credentials from log files, given the following conditions:
- JMS connection credentials must contain special characters.
- There were JMS connection failures that resulted in persisting the connection string (with credentials) to the log file.
SOLUTION¶
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.
Otherwise, you may apply the relevant fixes to the product based on the public fix(s):
Info
If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.