SECURITY ADVISORY WSO2-2023-2864¶
Published: June 25, 2024
Version: 1.0.0
Severity: N/A
AFFECTED PRODUCTS¶
- WSO2 API Manager 4.2.0, 4.1.0, 4.0.0, 3.2.0, 3.1.0, 3.0.0, 2.6.0
- WSO2 Identity Server 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0
- WSO2 Identity Server as Key Manager 5.10.0, 5.9.0, 5.7.0
OVERVIEW¶
Potential insecure authorization configuration in the OAuth2 flow.
DESCRIPTION¶
When the OAuth2 Public Client feature with Client Credentials grant type has been used in a deployment, a malicious actor may obtain the access token without the proper authorization, when the following preconditions are met:
- A service provider must be configured with the Client Credentials grant type enabled.
- The Allow authentication without the client secret option must be enabled for the above configured service provider.
IMPACT¶
If the preconditions mentioned in the description are met, a malicious actor may obtain an access token for the service provider application without providing client secret. There is no impact to your deployment if all the above mentioned preconditions are not met in your configuration.
SOLUTION¶
WSO2 Subscription holders may refer to the below table. You should update your product to the specified update level or a higher update level to apply the fix.
Product Name | Product Version | Update Level |
---|---|---|
WSO2 API Manager | 4.2.0 | 63 |
WSO2 API Manager | 4.1.0 | 132 |
WSO2 API Manager | 4.0.0 | 264 |
WSO2 API Manager | 3.2.0 | 339 |
WSO2 API Manager | 3.1.0 | 259 |
WSO2 API Manager | 3.0.0 | 152 |
WSO2 Identity Server | 6.1.0 | 119 |
WSO2 Identity Server | 6.0.0 | 163 |
WSO2 Identity Server | 5.11.0 | 315 |
WSO2 Identity Server | 5.10.0 | 273 |
WSO2 Identity Server | 5.9.0 | 137 |
WSO2 Identity Server | 5.8.0 | 100 |
WSO2 Identity Server | 5.7.0 | 115 |
WSO2 Identity Server as Key Manager | 5.10.0 | 270 |
WSO2 Identity Server as Key Manager | 5.9.0 | 147 |
WSO2 Identity Server as Key Manager | 5.7.0 | 116 |
WSO2 Open Banking AM Accelerator | 3.0.0 | Refer to WSO2AM-4.0.0 update level 1 |
WSO2 Open Banking AM | 2.0.0 | 305 |
WSO2 Open Banking AM | 1.5.0 | 131 |
WSO2 Open Banking AM | 1.4.0 | 129 |
WSO2 Open Banking AM | 1.3.0 | 126 |
WSO2 Open Banking IAM Accelerator | 3.0.0 | Refer to WSO2IAM-5.11.0 update level 1 |
WSO2 Open Banking IAM | 2.0.0 | 323 |
WSO2 Open Banking KM | 1.5.0 | 115 |
WSO2 Open Banking KM | 1.4.0 | 123 |
WSO2 Open Banking KM | 1.3.0 | 126 |
If you are an open-source user or using a product version that is EOL (End of License); You may migrate to the latest version of the product if the latest version is not listed under the affected products list. Otherwise, you may apply the relevant fixes to the product based on the public fixes as given below:
Along with above code level fix/update, we have introduced a property named PublicClientAllowed
under SupportedGrantType
configuration which defines the grant types that should be supported for OAuth2 Public Client feature.
Please note that, along with this fix, due to security concerns, public client support configuration is disabled by default for Custom and Client Credentials grant types. If you have an application configured as a public client, the allowed grant types should be configured in the deployment.toml as follows to avoid any negative impacts to your use cases.
For below listed WSO2 products.
- WSO2 API Manager 4.2.0, 4.1.0, 4.0.0, 3.2.0, 3.1.0, 3.0.0
- WSO2 Identity Server 6.1.0, 6.0.0, 5.11.0, 5.10.0
Refer to,
- Custom grant types
[[oauth.custom_grant_type]] name="customGrant1" grant_handler="org.wso2.carbon.identity.oauth2.customGrantHandler" grant_validator="org.wso2.carbon.identity.oauth2.customGrantValidator" [oauth.custom_grant_type.properties] PublicClientAllowed=true
- For client credential grant type
[oauth.grant_type.client_credentials] allow_public_client="true"
Additionally, OAuth2 custom grant types can also be configured by adding below configuration in deployment.toml
. If you have already used the below given configuration in your deployment, there are no further actions required. However, WSO2 strongly recommends using the above mentioned configurations as a best practice.
[oauth.public_client_support]
grant_type_names = ["customGrant1"]
For below listed WSO2 products.
- WSO2 API Manager 2.6.0
- WSO2 Identity Server 5.9.0, 5.8.0, 5.7.0
- WSO2 Identity Server as Key Manager 5.9.0, 5.7.0
The PublicClientAllowed
property has to be added to the supported grant types defined in the identity.xml
file. Except client credentials, All other supported grant types should be configured with PublicClientProvided
as true and client credentials should be configured as false to mitigate the security vulnerability.
<SupportedGrantType>
<GrantTypeName>customGrant1</GrantTypeName>
<GrantTypeHandlerImplClass>{path}</GrantTypeHandlerImplClass>
<PublicClientAllowed>true</PublicClientAllowed>
</SupportedGrantType>
A configuration to disable client credentials grant type for public clients is mentioned below.
<SupportedGrantType>
<GrantTypeName>client_credentials</GrantTypeName>
<GrantTypeHandlerImplClass>[path]</GrantTypeHandlerImplClass>
<IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
<IdTokenAllowed>false</IdTokenAllowed>
<PublicClientAllowed>true</PublicClientAllowed>
</SupportedGrantType>