Security Advisory WSO2-2022-2357¶
Published: February 27, 2023
Version: 1.0.0
Severity: Informative
AFFECTED PRODUCTS¶
- WSO2 Identity Server : 6.0.0
OVERVIEW¶
External IDP's Client Secrets are being logged in the carbon audit logs.
DESCRIPTION¶
The Client ID and Client Secret values of the connection configuration that is used to represent external identity providers, were being logged in the carbon audit logs when a new connection is added or an existing connection is updated.
IMPACT¶
There is no security impact for your environment even though the client secret was logged into the carbon audit logs. However, as an additional precaution, we highly recommend rotating IDP client secrets that are being used in your environment after applying the given patch. The following two approaches can be recommended for IDP secret rotation.
- If the application supports the maintenance of multiple secrets, then update the client secret of the IDP in your environment Then delete the old secret from the application.
- If the application does not support the maintenance of multiple secrets, then create a new application. Once the new application is created, then update the client id and client secret of the configured IDP in the environment. Then delete the old application.
SOLUTION¶
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes.
Otherwise, you may apply the relevant fixes to the product based on the public fix(s):
- https://github.com/wso2/carbon-identity-framework/pull/4358
- https://github.com/wso2/carbon-identity-framework/pull/4363
Info
If you are a WSO2 customer with a support subscription, use WSO2 Updates in order to apply the fix.