Security Advisory WSO2-2022-1821¶
Published: January 10, 2023
Version: 1.0.0
Severity: Medium
CVSS Score: 6.4 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H)
AFFECTED PRODUCTS¶
- WSO2 API Manager : 4.1.0 , 4.0.0 , 3.2.0 , 3.1.0 , 3.0.0 , 2.6.0 , 2.5.0 , 2.2.0
- WSO2 Enterprise Integrator : 6.6.0 , 6.5.0 , 6.4.0 , 6.3.0 , 6.2.0
- WSO2 IS as Key Manager : 5.10.0 , 5.9.0 , 5.7.0 , 5.6.0 , 5.5.0
- WSO2 Identity Server : 5.11.0 , 5.10.0 , 5.9.0 , 5.8.0 , 5.7.0 , 5.6.0 , 5.5.0
- WSO2 Micro Integrator : 4.0.0 , 1.2.0 , 1.0.0
- WSO2 Identity Server Analytics : 5.6.0 , 5.5.0
- WSO2 API Manager Analytics : 5.5.0 , 5.2.0
- WSO2 IoT Server : 3.3.1
- WSO2 Micro Gateway : 2.2.0
- WSO2 Data Analytics Server : 3.2.0
OVERVIEW¶
A Remote Code Execution vulnerability in the Management Console.
DESCRIPTION¶
Due to the improper input validation, a remote code execution attack could be carried out using certain admin operations which require an admin user to configure a "JDBC Connection String".
IMPACT¶
In order to exploit this vulnerability, the malicious actor should have a valid user account which has administrative access to the Management Console and should be able to reach it (WSO2 Security Guidelines for Production Deployment 1 recommends not to publicly expose the Management Console). If such access could be obtained, a malicious actor could execute arbitrary code on the server running the H2 database engine. Execution will occur with the permissions assigned to the user running the H2 database engine. In the case of the H2 database instance embedded in WSO2 products, this is the user running the WSO2 product.
SOLUTION¶
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix:
Info
If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.