Security Advisory WSO2-2021-1318¶
Published: June 27, 2023
Version: 1.0.0
Severity: Medium
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager Analytics : 3.2.0 , 3.1.0 , 3.0.0
- WSO2 Enterprise Integrator : 6.6.0 , 6.5.0
- WSO2 Enterprise Integrator Analytics : 7.1.0
- WSO2 Identity Server Analytics : 5.8.0
- WSO2 Micro Integrator Monitoring Dashboard : 1.2.0 , 1.1.0
- WSO2 Stream Processor : 4.4.0
- WSO2 Streaming Integrator Tooling : 1.1.0 , 1.0.0
OVERVIEW¶
A WebSocket authentication bypass vulnerability in Analytics.
DESCRIPTION¶
Due to the improper session management, malicious actors can establish WebSocket connections without any authentication or authorization.
IMPACT¶
Using the said vulnerability a malicious unauthenticated actor may access analytics data.
SOLUTION¶
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.
Otherwise, you may apply the relevant fixes to the product based on the public fix(s):
- https://github.com/wso2/msf4j/pull/581
- https://github.com/wso2/carbon-analytics/pull/1921
- https://github.com/wso2/carbon-analytics/pull/1951
- https://github.com/wso2/carbon-dashboards/pull/1254
- https://github.com/wso2/analytics-apim/pull/1497
Info
If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.