Security Advisory WSO2-2021-1738

Published: April 01, 2022

Updated: April 29, 2022

Version: 1.3.0

Severity: Critical

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


AFFECTED PRODUCTS

  • WSO2 API Manager 2.2.0, up to 4.0.0
  • WSO2 Identity Server 5.2.0, up to 5.11.0
  • WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
  • WSO2 Identity Server as Key Manager 5.3.0, up to 5.11.0
  • WSO2 Enterprise Integrator 6.2.0, up to 6.6.0
  • WSO2 Open Banking AM 1.4.0, up to 2.0.0
  • WSO2 Open Banking KM 1.4.0, up to 2.0.0

Warning

WSO2 proactively issues security patches for all the supported product versions listed under WSO2 Support Matrix ("available" and "deprecated" status). The vulnerability may affect older product versions that are in extended and discontinued statuses as well.

OVERVIEW

Unrestricted arbitrary file upload, and remote code to execution vulnerability.

DESCRIPTION

Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user controlled location of the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.

IMPACT

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

SOLUTION

WSO2 has provided temporary mitigations to the customers in January 2022 and delivered the fixes for all the supported product versions listed under the WSO2 Support Matrix ("available" and "deprecated" status) in February.

Info

If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.

The update levels are available in the below table. You should update your product to the specified update level or a higher update level to apply the fix

Product Name Product Version Update Level WUM Timestamp
WSO2 API Manager 2.2.0 43 1642181410159
WSO2 API Manager 2.5.0 44 1642690416146
WSO2 API Manager 2.6.0 72 1642690636270
WSO2 API Manager 3.0.0 70 1642180160123
WSO2 API Manager 3.1.0 107 1643038989258
WSO2 API Manager 3.2.0 122 1643038989258
WSO2 API Manager 4.0.0 64 N/A
WSO2 API Manager Analytics 2.2.0 25 1642181410159
WSO2 API Manager Analytics 2.5.0 23 1642690416146
WSO2 Identity Server 5.2.0 22 1642180025435
WSO2 Identity Server 5.4.1 22 1642180082946
WSO2 Identity Server 5.5.0 34 1642181410159
WSO2 Identity Server 5.6.0 27 1642690416146
WSO2 Identity Server 5.7.0 48 1642690636270
WSO2 Identity Server 5.10.0 112 1643038989258
WSO2 Identity Server 5.8.0 39 1642181241778
WSO2 Identity Server 5.9.0 55 1642601723766
WSO2 Identity Server 5.11.0 106 N/A
WSO2 Identity Server as Key Manager 5.5.0 34 1642181410159
WSO2 Identity Server as Key Manager 5.6.0 29 1642690416146
WSO2 Identity Server as Key Manager 5.7.0 55 1642690636270
WSO2 Identity Server as Key Manager 5.9.0 64 1642601723766
WSO2 Identity Server as Key Manager 5.10.0 115 1643038989258
WSO2 Identity Server Analytics 5.4.1 16 1642180082946
WSO2 Identity Server Analytics 5.5.0 25 1642181410159
WSO2 Identity Server Analytics 5.6.0 23 1642690416146
WSO2 Enterprise Integrator 6.2.0 42 1642179902897
WSO2 Enterprise Integrator 6.3.0 37 1642599930405
WSO2 Enterprise Integrator 6.4.0 58 1642601723766
WSO2 Enterprise Integrator 6.5.0 55 1642599975104
WSO2 Enterprise Integrator 6.6.0 79 1642599885111
WSO2 Open Banking AM 1.3.0 76 1643038989258
WSO2 Open Banking AM 1.4.0 75 1643038989258
WSO2 Open Banking AM 1.5.0 75 1643038989258
WSO2 Open Banking AM 2.0.0 119 1643038989258
WSO2 Open Banking KM 1.3.0 60 1643038989258
WSO2 Open Banking KM 1.4.0 61 1643038989258
WSO2 Open Banking KM 1.5.0 58 1643038989258
WSO2 Open Banking IAM 2.0.0 127 1643038989258

If you are an open-source user or using a product version that is EOL (End of License) :

You may migrate to the latest version of the product if the latest version is not listed under the list of the affected products. Otherwise, you may apply the relevant fixes to the product based on the public fixes as given below:

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

Or else you may follow the mitigation steps given below.

Note

The temporary mitigation steps will remove unnecessary endpoints. Further, we have tested the general product use cases after incorporating these fixes. However, make sure to test your business use cases in development/test environments before proceeding to update the production environment.

CREDITS

WSO2 thanks, Orange Tsai from DEVCORE for responsibly reporting the identified issue and working with us as we addressed it.