Security Advisory WSO2-2022-1849¶
Published: April 19, 2022
Version: 1.0.0
Severity: N/A
CVSS Score: N/A
AFFECTED PRODUCTS¶
- WSO2 Identity Server - 5.9.0, 5.10.0, 5.11.0
- WSO2 Identity Server as Key Manager - 5.9.0, 5.10.0
- WSO2 API Manager - 3.0.0, 3.1.0, 3.2.0, 4.0.0
- WSO2 Enterprise Integrator - 6.6.0
OVERVIEW¶
Spring4Shell remote code execution zero-day vulnerability (CVE-2022-22965).
DESCRIPTION¶
According to the CVE-2022-229651, the following Spring Framework versions are vulnerable to Remote Code Execution when it is used with JDK9 and above.
- Spring Framework 5.3.0 to 5.3.17
- Spring Framework 5.2.0 to 5.2.19
- Older versions of Spring Framework
IMPACT¶
By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by providing a crafted payload.
Note
WSO2 teams have performed relevant testing and as per them, this issue is not exploitable in WSO2 Products.
SOLUTION¶
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.
Otherwise, you may apply the relevant fixes to the product based on the public fix(s):
- https://github.com/wso2/wso2-ode/pull/43
- https://github.com/wso2/carbon-business-process/pull/662
- https://github.com/wso2/product-is/pull/13617
- https://github.com/wso2/carbon-deployment/pull/371
Or else as an immediate measure to prevent any security impact, it is recommended to apply the below-mentioned temporary mitigation in the WAF or reverse proxy level at earliest possible. Note that temporary mitigations are based on2, which is also based on Spring announcement1.
- Deny requests containing query-strings or request payloads containing the following matches of the regular expression (These should be tested prior to production deployment but are effective mitigation techniques.):2,
- class\..*
- Class\..*
- .*\.class\..*
- .*\.Class\..*
Info
If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.