

Security Advisory WSO2-2021-1574

Published: February 14, 2022

Version: 1.0.0

Severity: Medium

CVSS Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

---

AFFECTED PRODUCTS

• WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0
• WSO2 API Microgateway : 2.2.0
• WSO2 IS as Key Manager : 5.10.0

OVERVIEW

Potential sensitive information disclosure via log files when JMS connection failure occurs.

DESCRIPTION

When special characters are contained in JMS connection credentials, JMS connection string (including credentials) are logged to "wso2carbon" log during JMS connection failures.

IMPACT

In order to leverage this vulnerability, a malicious actor should have the privileges to access the "wso2carbon" log files. If such access is obtained, a malicious actor could obtain the JMS connection credentials from log files, given the following conditions:

• JMS connection credentials must contain special characters.
• There were JMS connection failures that resulted in persisting the connection string (with credentials) to the log file.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

• https://github.com/wso2/carbon-apimgt/pull/10787

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.