Security Advisory WSO2-2022-2177¶
Published: June 15, 2022
Version: 1.0.0
Severity: Critical
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
AFFECTED PRODUCTS - REFER TO PATCH LIST BELOW¶
- API Manager 3.0.0
- Default profile (all-in-one)
- API Manager 3.1.0, 3.2.0 limited to the following profiles:
- Default profile (all-in-one)
- Api-devportal profile
- Api-key-manager profile
- API Manager 4.0.0, 4.1.0 limited to the following profiles:
- Default profile (all-in-one)
- Control-plane profile
- WSO2 Identity Server 5.3.0, 5.4.0, 5.4.1, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 6.0.0
- WSO2 Identity Server as Key Manager 5.3.0, 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0
- WSO2 Open Banking AM 1.3.0, 1.4.0, 1.5.0, 2.0.0, 3.0.0
- WSO2 Open Banking IS-KM 1.3.0, 1.4.0, 1.5.0
- WSO2 Open Banking IAM 2.0.0, 3.0.0
Warning
WSO2 proactively issues security patches for all the supported product versions listed under WSO2 Support Matrix (available and deprecated status). The vulnerability may affect older product versions that are in extended and discontinued statuses as well.
OVERVIEW¶
Broken access control vulnerability has been identified on some API endpoints.
DESCRIPTION¶
When the notification based password recovery is enabled 12, A malicious actor could manipulate the REST API path and bypass authentication checks relevant to some Rest APIs.
IMPACT¶
Considering that some critical API endpoints are affected by this vulnerability, the successful exploitation could allow a malicious authenticated actor to impersonate and authenticate as a different targeted user (including an administrator, given the username of the administrator user is known to the malicious actor).
SOLUTION¶
The recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.
Info
If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.
The update levels are available in the below table. You should update your product to the specified update level or a higher update level to apply the fix
Product Name | Product Version | Update Level | WUM Timestamp |
---|---|---|---|
WSO2 API Manager | 3.0.0 | 101 | 1666954717958 |
WSO2 API Manager | 3.1.0 | 165 | 1666621544419 |
WSO2 API Manager | 3.2.0 | 209 | 1666621544419 |
WSO2 API Manager | 4.0.0 | 151 | N/A |
WSO2 API Manager | 4.1.0 | 36 | N/A |
WSO2 Identity Server | 5.3.0 | 27 | 1666967705000 |
WSO2 Identity Server | 5.4.0 | 25 | 1666104509182 |
WSO2 Identity Server | 5.4.1 | 30 | 1666104509182 |
WSO2 Identity Server | 5.5.0 | 43 | 1666104489687 |
WSO2 Identity Server | 5.6.0 | 44 | 1666104530676 |
WSO2 Identity Server | 5.7.0 | 77 | 1666104448971 |
WSO2 Identity Server | 5.8.0 | 63 | 1665667200443 |
WSO2 Identity Server | 5.9.0 | 86 | 1666954717958 |
WSO2 Identity Server | 5.10.0 | 179 | 1666621544419 |
WSO2 Identity Server | 5.11.0 | 194 | N/A |
WSO2 Identity Server | 6.0.0 | 13 | N/A |
WSO2 Identity Server as Key Manager | 5.3.0 | 31 | 1666967705000 |
WSO2 Identity Server as Key Manager | 5.5.0 | 43 | 1666104489687 |
WSO2 Identity Server as Key Manager | 5.6.0 | 47 | 1666104530676 |
WSO2 Identity Server as Key Manager | 5.7.0 | 86 | 1666104448971 |
WSO2 Identity Server as Key Manager | 5.9.0 | 86 | 1666954717958 |
WSO2 Identity Server as Key Manager | 5.10.0 | 180 | 1666621544419 |
WSO2 Open Banking AM | 1.3.0 | 16 | 1666409836919 |
WSO2 Open Banking AM | 1.4.0 | 25 | 1666409836919 |
WSO2 Open Banking AM | 1.5.0 | 23 | 1666409836919 |
WSO2 Open Banking AM | 2.0.0 | 202 | 1666621544419 |
WSO2 Open Banking AM Accelerator | 3.0.0 | Refer to WSO2 AM-4.0.0 update level since this vulnerability is originating from the base product3. | N/A |
WSO2 Open Banking IS-KM | 1.3.0 | 88 | 1666409836919 |
WSO2 Open Banking IS-KM | 1.4.0 | 92 | 1666409836919 |
WSO2 Open Banking IS-KM | 1.5.0 | 91 | 1666409836919 |
WSO2 Open Banking IAM | 2.0.0 | 208 | 1666621544419 |
WSO2 Open Banking IAM Accelerator | 3.0.0 | Refer to WSO2 IAM-5.11.0 update level since this vulnerability is originating from the base product 3. | N/A |
If you are an open-source user or using a product version that is EOL (End of License) :
You may migrate to the latest version of the product if the latest version is not listed under the list of the affected products. Otherwise, you may apply the relevant fixes to the product based on the public fixes as given below:
Or else you may follow the mitigation steps given below.
GROUP 1¶
For below listed products, it is recommend to append the following configuration lines to the <PRODUCT-HOME>/repository/conf/deployment.toml
file and restart the server.
- WSO2 Identity Server 5.9.0, 5.10.0, 5.11.0, 6.0.0
- WSO2 Identity Server as Key Manager 5.9.0, 5.10.0
- WSO2 API Manager 3.0.0, 3.1.0, 3.2.0, 4.0.0, 4.1.0
- WSO2 Open Banking AM 2.0.0, 3.0.0
- WSO2 Open Banking IAM 2.0.0, 3.0.0
[[resource.access_control]]
context="(.*)/((\\.+)|(.*;+.*)|%2e)/(.*)"
permissions = ["/"]
secure=true
http_method="all"
deployment.toml
, you can add the above given configuration as a new config & restart the server.
GROUP 2¶
For group 2 products, please Add the below given config as the first entry of the <ResourceAccessControl>
tag of <PRODUCT-HOME>/repository/conf/identity/identity.xml
file and restart the server.
- WSO2 Identity Server 5.3.0, 5.4.0, 5.4.1, 5.5.0, 5.6.0, 5.7.0, 5.8.0
- WSO2 Identity Server as Key Manager 5.3.0, 5.5.0, 5.6.0, 5.7.0
- WSO2 Open Banking AM 1.3.0, 1.4.0, 1.5.0
- WSO2 Open Banking IAM 1.3.0, 1.4.0, 1.5.0
<Resource context="(.*)/((\.+)|(.*;+.*)|%2e)/(.*)" secured="true" http-method="all">
<Permissions>/</Permissions>
</Resource>
!!! example:
<ResourceAccessControl>
<Resource context="(.*)/((\.+)|(.*;+.*)|%2e)/(.*)" secured="true" http-method="all">
<Permissions>/</Permissions>
</Resource>
<Resource context="(.*)" secured="false" http-method="OPTIONS"/>
<Resource context="/" secured="false" http-method="GET"/>
......
</ResourceAccessControl>
If you have already applied the above given configuration in your identity.xml, please add the additional <Permissions>/</Permissions>
line as mentioned above & restart the server.
CREDITS¶
WSO2 thanks, Rick Roane for responsibly reporting the identified issue and working with us as we addressed it.