Security Advisory WSO2-2021-1738¶
Published: April 01, 2022
Updated: April 29, 2022
Version: 1.3.0
Severity: Critical
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
AFFECTED PRODUCTS¶
- WSO2 API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0
- WSO2 Identity Server 5.2.0, 5.3.0, 5.4.0, 5.4.1, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.1.0, 5.11.0
- WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
- WSO2 Identity Server as Key Manager 5.3.0, 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0
- WSO2 Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0
- WSO2 Open Banking AM 1.3.0, 1.4.0, 1.5.0, 2.0.0
- WSO2 Open Banking KM 1.3.0, 1.4.0, 1.5.0
- WSO2 Open Banking IAM 2.0.0
Warning
WSO2 proactively issues security patches for all the supported product versions listed under WSO2 Support Matrix ("available" and "deprecated" status). The vulnerability may affect older product versions that are in extended and discontinued statuses as well.
OVERVIEW¶
Unrestricted arbitrary file upload, and remote code to execution vulnerability.
DESCRIPTION¶
Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user controlled location of the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.
IMPACT¶
By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.
SOLUTION¶
WSO2 has provided temporary mitigations to the customers in January 2022 and delivered the fixes for all the supported product versions listed under the WSO2 Support Matrix ("available" and "deprecated" status) in February.
Info
If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.
WSO2 Subscription holders may refer to the below table. You should update your product to the specified update level or a higher update level to apply the fix.
| Product Name | Product Version | U2 Update Level | WUM Timestamp |
|---|---|---|---|
| WSO2 API Manager | 2.2.0 | 43 | 1642181410159 |
| WSO2 API Manager | 2.5.0 | 44 | 1642690416146 |
| WSO2 API Manager | 2.6.0 | 72 | 1642690636270 |
| WSO2 API Manager | 3.0.0 | 70 | 1642180160123 |
| WSO2 API Manager | 3.1.0 | 107 | 1643038989258 |
| WSO2 API Manager | 3.2.0 | 122 | 1643038989258 |
| WSO2 API Manager | 4.0.0 | 64 | N/A |
| WSO2 API Manager Analytics | 2.2.0 | 25 | 1642181410159 |
| WSO2 API Manager Analytics | 2.5.0 | 23 | 1642690416146 |
| WSO2 Identity Server | 5.2.0 | 22 | 1642180025435 |
| WSO2 Identity Server | 5.3.0 | 25 | 1642180025435 |
| WSO2 Identity Server | 5.4.0 | 21 | 1642180025435 |
| WSO2 Identity Server | 5.4.1 | 22 | 1642180082946 |
| WSO2 Identity Server | 5.5.0 | 34 | 1642181410159 |
| WSO2 Identity Server | 5.6.0 | 27 | 1642690416146 |
| WSO2 Identity Server | 5.7.0 | 48 | 1642690636270 |
| WSO2 Identity Server | 5.8.0 | 39 | 1642181241778 |
| WSO2 Identity Server | 5.9.0 | 55 | 1642601723766 |
| WSO2 Identity Server | 5.10.0 | 112 | 1643038989258 |
| WSO2 Identity Server | 5.11.0 | 103 | N/A |
| WSO2 Identity Server as Key Manager | 5.3.0 | 29 | 1642181410159 |
| WSO2 Identity Server as Key Manager | 5.5.0 | 34 | 1642181410159 |
| WSO2 Identity Server as Key Manager | 5.6.0 | 29 | 1642690416146 |
| WSO2 Identity Server as Key Manager | 5.7.0 | 55 | 1642690636270 |
| WSO2 Identity Server as Key Manager | 5.9.0 | 64 | 1642601723766 |
| WSO2 Identity Server as Key Manager | 5.10.0 | 115 | 1643038989258 |
| WSO2 Identity Server Analytics | 5.4.0 | 15 | 1642180082946 |
| WSO2 Identity Server Analytics | 5.4.1 | 16 | 1642180082946 |
| WSO2 Identity Server Analytics | 5.5.0 | 25 | 1642181410159 |
| WSO2 Identity Server Analytics | 5.6.0 | 23 | 1642690416146 |
| WSO2 Enterprise Integrator | 6.2.0 | 42 | 1642179902897 |
| WSO2 Enterprise Integrator | 6.3.0 | 37 | 1642599930405 |
| WSO2 Enterprise Integrator | 6.4.0 | 74 | 1642601723766 |
| WSO2 Enterprise Integrator | 6.5.0 | 55 | 1642599975104 |
| WSO2 Enterprise Integrator | 6.6.0 | 79 | 1642599885111 |
| WSO2 Open Banking AM | 1.3.0 | 76 | 1643038989258 |
| WSO2 Open Banking AM | 1.4.0 | 75 | 1643038989258 |
| WSO2 Open Banking AM | 1.5.0 | 75 | 1643038989258 |
| WSO2 Open Banking AM | 2.0.0 | 118 | 1643038989258 |
| WSO2 Open Banking KM | 1.3.0 | 60 | 1643038989258 |
| WSO2 Open Banking KM | 1.4.0 | 61 | 1643038989258 |
| WSO2 Open Banking KM | 1.5.0 | 58 | 1643038989258 |
| WSO2 Open Banking IAM | 2.0.0 | 126 | 1643038989258 |
If you are an open-source user or using a product version that is EOL (End of License) :
You may migrate to the latest version of the product if the latest version is not listed under the list of the affected products. Otherwise, you may apply the relevant fixes to the product based on the public fixes as given below:
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.
Otherwise, community users may apply the relevant fixes to the product based on the public fix(s):
- https://github.com/wso2/carbon-kernel/pull/3152
- https://github.com/wso2/carbon-identity-framework/pull/3864
Or else you may follow the mitigation steps given below.
GROUP 1¶
For below listed WSO2 product versions, it is recommand to append the following configuration lines to the <PRODUCT-HOME>/repository/conf/deployment.toml file and restart the server.
- WSO2 API Manager version 4.0.0, 3.2.0, 3.1.0 and 3.0.0
[[resource.access_control]]
context="(.*)/fileupload/resource(.*)"
secure=false
http_method = "all"
[[resource.access_control]]
context="(.*)/fileupload/(.*)"
secure=true
http_method = "all"
permissions = ["/permission/protected/"]
GROUP 2¶
For below listed WSO2 Identity Server and Identity Server As Key Manager product versions, it is recommend to append the following configuration lines to the <PRODUCT-HOME>/repository/conf/deployment.toml file and restart the server.
- WSO2 Identity Server 5.11.0, 5.10.0, 5.9.0
- WSO2 Identity Server as Key Manager 5.10.0, 5.9.0
[[resource.access_control]]
context="(.*)/fileupload/service(.*)"
secure=false
http_method = "all"
[[resource.access_control]]
context="(.*)/fileupload/entitlement-policy(.*)"
secure=false
http_method = "all"
[[resource.access_control]]
context="(.*)/fileupload/resource(.*)"
secure=false
http_method = "all"
[[resource.access_control]]
context="(.*)/fileupload/(.*)"
secure=true
http_method = "all"
permissions = ["/permission/protected/"]
GROUP 3¶
For below listed product versions, it is recommended to remove the following mappings in the <PRODUCT-HOME>/conf/carbon.xml file from the <FileUploadConfig> section.
- WSO2 Enterprise Integrator version 6.6.0, 6.5.0, 6.4.0, 6.3.0, 6.2.0 and older versions
For Business process / Broker and Analytics profiles apply the same change for carbon.xml file at the following locations respectively.
<PRODUCT-HOME>/wso2/broker/conf/carbon.xml<PRODUCT-HOME>/wso2/business-process/conf/carbon.xml<PRODUCT-HOME>/wso2/analytics/conf/carbon.xml
<Mapping>
<Actions>
<Action>keystore</Action>
<Action>certificate</Action>
<Action>*</Action>
</Actions>
<Class>org.wso2.carbon.ui.transports.fileupload.AnyFileUploadExecutor</Class>
</Mapping>
<Mapping>
<Actions>
<Action>jarZip</Action>
</Actions>
<Class>org.wso2.carbon.ui.transports.fileupload.JarZipUploadExecutor</Class>
</Mapping>
<Mapping>
<Actions>
<Action>tools</Action>
</Actions>
<Class>org.wso2.carbon.ui.transports.fileupload.ToolsFileUploadExecutor</Class>
</Mapping>
<Mapping>
<Actions>
<Action>toolsAny</Action>
</Actions>
<Class>org.wso2.carbon.ui.transports.fileupload.ToolsAnyFileUploadExecutor</Class>
</Mapping>
GROUP 4¶
For below listed product versions, it is recommended to remove all the mappings defined inside the FileUploadConfig tag in <PRODUCT-HOME>/repository/conf/carbon.xml.
- WSO2 API Manager 2.6.0, 2.5.0, 2.2.0, and older versions
- WSO2 Identity Server 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0, and older versions
- WSO2 Identity Server as Key Manager 5.7.0, 5.6.0, 5.5.0, 5.3.0, and older versions
- WSO2 IS Analytics 5.6.0, 5.5.0, 5.4.1, 5.4.0, and older versions
- WSO2 OBAM 1.5.0 and older versions
- WSO2 OBKM 1.5.0 and older versions
Note
The temporary mitigation steps will remove unnecessary endpoints. Further, we have tested the general product use cases after incorporating these fixes. However, make sure to test your business use cases in development/test environments before proceeding to update the production environment.
CREDITS¶
WSO2 thanks, Orange Tsai from DEVCORE for responsibly reporting the identified issue and working with us as we addressed it.