SECURITY ADVISORY WSO2-2023-2938

Published: May 31, 2024

Version: 1.0.0

Severity: High

CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


AFFECTED PRODUCTS

  • WSO2 API Manager : 4.2.0, 4.1.0, 4.0.0, 3.2.0, 3.1.0
  • WSO2 Enterprise Integrator : 6.6.0
  • WSO2 Micro Integrator : 4.2.0, 4.1.0, 4.0.0

OVERVIEW

Authenticated remote code execution vulnerability.

DESCRIPTION

API publishers or admin/system users with privileges to change mediation sequences could use Mock API Endpoints in WSO2 API Manager, and Script Mediators in WSO2 API Manager and Micro Integrator to execute arbitrary code on the deployment.

IMPACT

By leveraging the vulnerability, a malicious actor with access to a publisher may perform an arbitrary remote code execution attack. However, to perform such an attack the malicious actor should have publisher access in WSO2 API Manager, or admin/system user access in WSO2 Micro Integrator.

SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix:

Further, it is required to make the following additional Synapse configuration changes to control access to Java classes/methods. However, The configuration depends on the use case of the mediation sequence.

We have provided a sample configuration based on the use case where the mediation sequence requires usage of java.util.ArrayList class.

Sample squence code: java var s = new java.util.ArrayList();

Configuration: In WSO2 API Manager and WSO2 Open Banking AM, the above mentioned policycan be configured in the deployment.toml as follows:

'limit_java_class_access_in_scripts.enable'=true
'limit_java_class_access_in_scripts.list_type' = "ALLOW_LIST"
'limit_java_class_access_in_scripts.class_prefixes' =
"java.util.ArrayList" # Prefixes of class names, to be allowed or blocked (based on `limit_java_class_access_in_scripts.list_type`)

In WSO2 Micro Integrator and WSO2 Enterprise Integrator, the above mentioned policy can be configured via the following synapse.properties:

'limit_java_class_access_in_scripts.enable'=true
'limit_java_class_access_in_scripts.list_type' = "ALLOW_LIST"
'limit_java_class_access_in_scripts.class_prefixes' =
"java.util.ArrayList" # Prefixes of class names, to be allowed or blocked (based on `limit_java_class_access_in_scripts.list_type`)

However, if you require block-listing methods instead of maintaining an allow-list, you may deny "getClassLoader" and "loadClass" native objects to reduce potential security implications. This approach is not recommended, since block lists may not cover all potential threats. Following is a sample where usage of "getClassLoader" and "loadClass" native objects are block-listed.

Sample sequence code: var s = new java.util.ArrayList(); var c = this.context.getClass(); var hashmapConstructors = c.getClassLoader().loadClass("java.util.HashMap").getDeclaredConstructors()

Configuration: In WSO2 API Manager and WSO2 Open Banking AM, the above mentioned policy can be configured in the deployment.toml as follows:

[synapse_properties]
'limit_java_native_object_access_in_scripts.enable' = true
'limit_java_native_object_access_in_scripts.list_type' ="BLOCK_LIST"
'limit_java_native_object_access_in_scripts.object_names' ="getClassLoader,loadClass" #Native object names, to be allowed or blocked (based on `limit_java_native_object_access_in_scripts.list_type`)

In WSO2 Micro Integrator and WSO2 Enterprise Integrator, the above mentioned policy can be configured via the following synapse.properties:

'limit_java_native_object_access_in_scripts.enable' = true 'limit_java_native_object_access_in_scripts.list_type' = "BLOCK_LIST" 'limit_java_native_object_access_in_scripts.object_names' = "getClassLoader,loadClass" #Native object names, to be allowed or blocked (based on `limit_java_native_object_access_in_scripts.list_type`)

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.

CREDITS

WSO2 thanks, Pavel Richtarik for responsibly reporting the identified issue and working with us as we addressed it.