SECURITY ADVISORY WSO2-2024-3561/CVE-2024-6914¶
Published: November 10, 2024
Version: 1.0.0
AFFECTED PRODUCTS¶
- WSO2 API Manager 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0, 2.1.0, 2.0.0
- WSO2 Identity Server 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0
- WSO2 Identity Server as Key Manager 5.10.0, 5.9.0, 5.7.0, 5.6.0, 5.5.0, 5.3.0
- WSO2 Open Banking AM 2.0.0, 1.5.0, 1.4.0
- WSO2 Open Banking IAM 2.0.0
- WSO2 Open banking KM 1.5.0, 1.4.0
DESCRIPTION¶
This vulnerability is exploitable only through SOAP Admin Services exposed via the "/services" context path of WSO2 product. If you have followed "Security Guidelines for Production Deployment" and have disabled access to these endpoints from untrusted networks the impact is reduced. Please check the severity information below for more details.
By exploiting this vulnerability, a malicious actor could reset the password of any user account. The successful exploitation of this flaw would enable the malicious actor to take control of targeted accounts, including those with elevated privileges such as the admin user, thereby posing a significant security risk.
When "Security Guidelines for Production Deployment" are not followed and "/services" context is public exposed (Worst Case) * Severity: Critical * CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) * https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
When "Security Guidelines for Production Deployment" are followed and "/services" context is only accessible by trusted networks * Severity: High * CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) * https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SOLUTION¶
You may apply the relevant fixes to the product based on the public fix:
You can use the script provided below to apply a temporary fix for your deployment. However, please note that this temporary fix is fully effective in resolving the identified vulnerability. * WSO2-2024-3561_temporary_mitigation.zip
Once the temporary mitigation steps are applied, the deprecated self-user recovery "UserInformationRecoveryService" SOAP admin services will require an account with 'admin' permissions. If you are using these deprecated "UserInformationRecoveryService" SOAP services in any custom implementations or related product features, please ensure that all your business use cases continue to function without interruption.
Fix Verification¶
Please refer to the "Validating the fix" section in the README file of WSO2-2024-3561_temporary_mitigation.zip for the validation steps.
Info
If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix. You can refer to the update level information in the table below.
Product Name | Product Version | U2 Update Level |
---|---|---|
WSO2 API Manager | 4.3.0 | 16 |
WSO2 API Manager | 4.2.0 | 101 |
WSO2 API Manager | 4.1.0 | 166 |
WSO2 API Manager | 4.0.0 | 305 |
WSO2 API Manager | 3.2.1 | 16 |
WSO2 API Manager | 3.2.0 | 384 |
WSO2 API Manager | 3.1.0 | 294 |
WSO2 API Manager | 3.0.0 | 162 |
WSO2 API Manager | 2.6.0 | 143 |
WSO2 API Manager | 2.5.0 | 83 |
WSO2 API Manager | 2.2.0 | 57 |
WSO2 API Manager | 2.1.0 | 39 |
WSO2 API Manager | 2.0.0 | 29 |
WSO2 Identity Server | 7.0.0 | 60 |
WSO2 Identity Server | 6.1.0 | 188 |
WSO2 Identity Server | 6.0.0 | 209 |
WSO2 Identity Server | 5.11.0 | 365 |
WSO2 Identity Server | 5.10.0 | 318 |
WSO2 Identity Server | 5.9.0 | 157 |
WSO2 Identity Server | 5.8.0 | 106 |
WSO2 Identity Server | 5.7.0 | 123 |
WSO2 Identity Server | 5.6.0 | 58 |
WSO2 Identity Server | 5.5.0 | 50 |
WSO2 Identity Server | 5.4.1 | 36 |
WSO2 Identity Server | 5.4.0 | 32 |
WSO2 Identity Server | 5.3.0 | 33 |
WSO2 Identity Server | 5.2.0 | 32 |
WSO2 Identity Server as Key Manager | 5.10.0 | 312 |
WSO2 Identity Server as Key Manager | 5.9.0 | 165 |
WSO2 Identity Server as Key Manager | 5.7.0 | 122 |
WSO2 Identity Server as Key Manager | 5.6.0 | 72 |
WSO2 Identity Server as Key Manager | 5.5.0 | 51 |
WSO2 Identity Server as Key Manager | 5.3.0 | 38 |
WSO2 Enterprise Integrator | 6.6.0 | 198 |
WSO2 Enterprise Integrator | 6.5.0 | 102 |
WSO2 Enterprise Integrator | 6.4.0 | 96 |
WSO2 Enterprise Integrator | 6.3.0 | 69 |
WSO2 Enterprise Integrator | 6.2.0 | 61 |
WSO2 Enterprise Integrator | 6.1.1 | 42 |
WSO2 Enterprise Integrator | 6.1.0 | 38 |
WSO2 Enterprise Integrator | 6.0.0 | 21 |
WSO2 Enterprise Service Bus | 5.0.0 | 28 |
WSO2 Enterprise Service Bus | 4.9.0 | 10 |
WSO2 Open Banking AM | 2.0.0 | 343 |
WSO2 Open Banking AM | 1.5.0 | 137 |
WSO2 Open Banking AM | 1.4.0 | 135 |
WSO2 Open Banking IAM | 2.0.0 | 364 |
WSO2 Open Banking KM | 1.5.0 | 120 |
WSO2 Open Banking KM | 1.4.0 | 130 |
WSO2 Micro Integrator | 1.0.0 | 49 |
CREDITS¶
WSO2 thanks, Anonymous working with Trend Micro Zero Day Initiative for responsibly reporting the identified issue and working with us as we addressed it.