SECURITY ADVISORY WSO2-2023-2864

Published: June 25, 2024

Version: 1.0.0

Severity: N/A


AFFECTED PRODUCTS

  • WSO2 API Manager 4.2.0, 4.1.0, 4.0.0, 3.2.0, 3.1.0, 3.0.0, 2.6.0
  • WSO2 Identity Server 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0
  • WSO2 Identity Server as Key Manager 5.10.0, 5.9.0, 5.7.0

OVERVIEW

Potential insecure authorization configuration in the OAuth2 flow.

DESCRIPTION

When the OAuth2 Public Client feature with Client Credentials grant type has been used in a deployment, a malicious actor may obtain the access token without the proper authorization, when the following preconditions are met:

  • A service provider must be configured with the Client Credentials grant type enabled.
  • The Allow authentication without the client secret option must be enabled for the above configured service provider.

IMPACT

If the preconditions mentioned in the description are met, a malicious actor may obtain an access token for the service provider application without providing client secret. There is no impact to your deployment if all the above mentioned preconditions are not met in your configuration.

SOLUTION

WSO2 Subscription holders may refer to the below table. You should update your product to the specified update level or a higher update level to apply the fix.

Product Name Product Version Update Level
WSO2 API Manager 4.2.0 63
WSO2 API Manager 4.1.0 132
WSO2 API Manager 4.0.0 264
WSO2 API Manager 3.2.0 339
WSO2 API Manager 3.1.0 259
WSO2 API Manager 3.0.0 152
WSO2 Identity Server 6.1.0 119
WSO2 Identity Server 6.0.0 163
WSO2 Identity Server 5.11.0 315
WSO2 Identity Server 5.10.0 273
WSO2 Identity Server 5.9.0 137
WSO2 Identity Server 5.8.0 100
WSO2 Identity Server 5.7.0 115
WSO2 Identity Server as Key Manager 5.10.0 270
WSO2 Identity Server as Key Manager 5.9.0 147
WSO2 Identity Server as Key Manager 5.7.0 116
WSO2 Open Banking AM Accelerator 3.0.0 Refer to WSO2AM-4.0.0 update level 1
WSO2 Open Banking AM 2.0.0 305
WSO2 Open Banking AM 1.5.0 131
WSO2 Open Banking AM 1.4.0 129
WSO2 Open Banking AM 1.3.0 126
WSO2 Open Banking IAM Accelerator 3.0.0 Refer to WSO2IAM-5.11.0 update level 1
WSO2 Open Banking IAM 2.0.0 323
WSO2 Open Banking KM 1.5.0 115
WSO2 Open Banking KM 1.4.0 123
WSO2 Open Banking KM 1.3.0 126

If you are an open-source user or using a product version that is EOL (End of License); You may migrate to the latest version of the product if the latest version is not listed under the affected products list. Otherwise, you may apply the relevant fixes to the product based on the public fixes as given below:

Along with above code level fix/update, we have introduced a property named PublicClientAllowed under SupportedGrantType configuration which defines the grant types that should be supported for OAuth2 Public Client feature.

Please note that, along with this fix, due to security concerns, public client support configuration is disabled by default for Custom and Client Credentials grant types. If you have an application configured as a public client, the allowed grant types should be configured in the deployment.toml as follows to avoid any negative impacts to your use cases.

For below listed WSO2 products.

  • WSO2 API Manager 4.2.0, 4.1.0, 4.0.0, 3.2.0, 3.1.0, 3.0.0
  • WSO2 Identity Server 6.1.0, 6.0.0, 5.11.0, 5.10.0

Refer to,

  1. Custom grant types
    [[oauth.custom_grant_type]]
    name="customGrant1"
    grant_handler="org.wso2.carbon.identity.oauth2.customGrantHandler"
    grant_validator="org.wso2.carbon.identity.oauth2.customGrantValidator"
    [oauth.custom_grant_type.properties]
    PublicClientAllowed=true
    
  2. For client credential grant type
    [oauth.grant_type.client_credentials]
    allow_public_client="true" 
    

Additionally, OAuth2 custom grant types can also be configured by adding below configuration in deployment.toml. If you have already used the below given configuration in your deployment, there are no further actions required. However, WSO2 strongly recommends using the above mentioned configurations as a best practice.

[oauth.public_client_support]
grant_type_names = ["customGrant1"] 

For below listed WSO2 products.

  • WSO2 API Manager 2.6.0
  • WSO2 Identity Server 5.9.0, 5.8.0, 5.7.0
  • WSO2 Identity Server as Key Manager 5.9.0, 5.7.0

The PublicClientAllowed property has to be added to the supported grant types defined in the identity.xml file. Except client credentials, All other supported grant types should be configured with PublicClientProvided as true and client credentials should be configured as false to mitigate the security vulnerability.

<SupportedGrantType>
    <GrantTypeName>customGrant1</GrantTypeName>
    <GrantTypeHandlerImplClass>{path}</GrantTypeHandlerImplClass>
    <PublicClientAllowed>true</PublicClientAllowed>
</SupportedGrantType> 

A configuration to disable client credentials grant type for public clients is mentioned below.

<SupportedGrantType>
    <GrantTypeName>client_credentials</GrantTypeName>
    <GrantTypeHandlerImplClass>[path]</GrantTypeHandlerImplClass>
    <IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
    <IdTokenAllowed>false</IdTokenAllowed>
    <PublicClientAllowed>true</PublicClientAllowed>
</SupportedGrantType> 

REFERENCES