SECURITY ADVISORY WSO2-2024-3561/CVE-2024-6914

Published: November 10, 2024

Version: 1.0.0


AFFECTED PRODUCTS

  • WSO2 API Manager 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0, 2.1.0, 2.0.0
  • WSO2 Identity Server 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0
  • WSO2 Identity Server as Key Manager 5.10.0, 5.9.0, 5.7.0, 5.6.0, 5.5.0, 5.3.0
  • WSO2 Open Banking AM 2.0.0, 1.5.0, 1.4.0
  • WSO2 Open Banking IAM 2.0.0
  • WSO2 Open banking KM 1.5.0, 1.4.0

DESCRIPTION

This vulnerability is exploitable only through the SOAP Admin Services exposed via the "/services" context path of WSO2 products. If you have followed the "Security Guidelines for Production Deployment" and have disabled access to these endpoints from untrusted networks, the impact is reduced. Please check the severity information below for more details.

By exploiting this vulnerability, a malicious actor could reset the password of any user account. The successful exploitation of this flaw would enable the malicious actor to take control of targeted accounts, including those with elevated privileges such as the admin user, thereby posing a significant security risk.

When the "Security Guidelines for Production Deployment" are not followed and the "/services" context is publicly exposed (worst case):

  • Severity: Critical
  • CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

When the "Security Guidelines for Production Deployment" are followed and the "/services" context is only accessible from trusted networks:

  • Severity: High
  • CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SOLUTION

You may apply the relevant fixes to the product based on the public fix:

You can use the script provided below to apply a temporary fix to your deployment. Although temporary, this fix is fully effective in resolving the identified vulnerability.

  • WSO2-2024-3561_temporary_mitigation.zip

Once the temporary mitigation steps are applied, the deprecated self-service user recovery SOAP admin service "UserInformationRecoveryService" will require an account with 'admin' permissions. If you are using these deprecated "UserInformationRecoveryService" SOAP operations in any custom implementations or related product features, please ensure that all your business use cases continue to function without interruption.
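Two operational questions follow from this advisory: whether the "/services" context is being reached from untrusted networks (the exposure condition described above), and which callers still use the deprecated UserInformationRecoveryService before the mitigation makes it admin-only (the compatibility caveat in the previous paragraph). The following Python script is an added example, not part of this advisory or of WSO2's mitigation package; it answers both questions from HTTP access-log lines. It assumes the access log is in Apache combined format and that the operator's trusted management ranges are the ones listed in TRUSTED_NETWORKS; the log lines embedded in it are constructed sample data.

```python
"""Scan WSO2 HTTP access-log lines for calls to the deprecated
UserInformationRecoveryService SOAP admin service under /services.

Added example, not part of the WSO2 advisory or the mitigation package.
Assumptions: Apache combined log format (client IP first, request line in
quotes, then status), and trusted networks as given in TRUSTED_NETWORKS.
"""
import ipaddress
import re
from collections import Counter

# Assumed trusted (management) networks; adjust to the deployment.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]

# Fields we need from the combined log format: client IP, timestamp,
# method, request path and HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The deprecated service named in the advisory; every operation on it,
# including the WSDL fetch, sits under this path prefix.
TARGET_PATH = "/services/UserInformationRecoveryService"

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.2.15 - - [10/Nov/2024:09:12:01 +0000] "POST /services/UserInformationRecoveryService HTTP/1.1" 200 1532 "-" "Axis2"',
    '203.0.113.7 - - [10/Nov/2024:09:13:44 +0000] "GET /services/UserInformationRecoveryService?wsdl HTTP/1.1" 200 21903 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Nov/2024:09:13:51 +0000] "POST /services/UserInformationRecoveryService HTTP/1.1" 200 611 "-" "python-requests/2.31"',
    '198.51.100.20 - - [10/Nov/2024:09:14:02 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 4412 "-" "Mozilla/5.0"',
    '192.168.1.40 - - [10/Nov/2024:09:15:10 +0000] "POST /services/UserInformationRecoveryService HTTP/1.1" 200 1498 "-" "Axis2"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def is_trusted(ip):
    """True if the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def scan(lines):
    """Return (untrusted_hits, trusted_callers).

    untrusted_hits  - parsed entries that reached the service from outside
                      TRUSTED_NETWORKS: evidence that /services is exposed
    trusted_callers - Counter of trusted source IPs using the service, i.e.
                      the integrations to check before the admin-only change
    """
    untrusted, trusted = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or not entry["path"].startswith(TARGET_PATH):
            continue
        if is_trusted(entry["ip"]):
            trusted[entry["ip"]] += 1
        else:
            untrusted.append(entry)
    return untrusted, trusted


if __name__ == "__main__":
    hits, callers = scan(SAMPLE_LOG)
    for e in hits:
        print(f"EXPOSED  {e['ts']} {e['ip']} {e['method']} {e['path']} -> {e['status']}")
    for ip, n in callers.most_common():
        print(f"TRUSTED  {ip} called the service {n} time(s); verify after mitigation")
```

Run it against the real http_access log of each node (replace SAMPLE_LOG with the file's lines); any EXPOSED row means the "/services" context is reachable from outside the trusted ranges and the worst-case severity applies, while the TRUSTED rows enumerate the integrations whose behaviour must be re-tested once the service requires 'admin' permissions.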

Fix Verification

Please refer to the "Validating the fix" section in the README file of WSO2-2024-3561_temporary_mitigation.zip for the validation steps.

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix. You can refer to the update level information in the table below.

Product Name                         Product Version  U2 Update Level
WSO2 API Manager                     4.3.0            16
WSO2 API Manager                     4.2.0            101
WSO2 API Manager                     4.1.0            166
WSO2 API Manager                     4.0.0            305
WSO2 API Manager                     3.2.1            16
WSO2 API Manager                     3.2.0            384
WSO2 API Manager                     3.1.0            294
WSO2 API Manager                     3.0.0            162
WSO2 API Manager                     2.6.0            143
WSO2 API Manager                     2.5.0            83
WSO2 API Manager                     2.2.0            57
WSO2 API Manager                     2.1.0            39
WSO2 API Manager                     2.0.0            29
WSO2 Identity Server                 7.0.0            60
WSO2 Identity Server                 6.1.0            188
WSO2 Identity Server                 6.0.0            209
WSO2 Identity Server                 5.11.0           365
WSO2 Identity Server                 5.10.0           318
WSO2 Identity Server                 5.9.0            157
WSO2 Identity Server                 5.8.0            106
WSO2 Identity Server                 5.7.0            123
WSO2 Identity Server                 5.6.0            58
WSO2 Identity Server                 5.5.0            50
WSO2 Identity Server                 5.4.1            36
WSO2 Identity Server                 5.4.0            32
WSO2 Identity Server                 5.3.0            33
WSO2 Identity Server                 5.2.0            32
WSO2 Identity Server as Key Manager  5.10.0           312
WSO2 Identity Server as Key Manager  5.9.0            165
WSO2 Identity Server as Key Manager  5.7.0            122
WSO2 Identity Server as Key Manager  5.6.0            72
WSO2 Identity Server as Key Manager  5.5.0            51
WSO2 Identity Server as Key Manager  5.3.0            38
WSO2 Enterprise Integrator           6.6.0            198
WSO2 Enterprise Integrator           6.5.0            102
WSO2 Enterprise Integrator           6.4.0            96
WSO2 Enterprise Integrator           6.3.0            69
WSO2 Enterprise Integrator           6.2.0            61
WSO2 Enterprise Integrator           6.1.1            42
WSO2 Enterprise Integrator           6.1.0            38
WSO2 Enterprise Integrator           6.0.0            21
WSO2 Enterprise Service Bus          5.0.0            28
WSO2 Enterprise Service Bus          4.9.0            10
WSO2 Open Banking AM                 2.0.0            343
WSO2 Open Banking AM                 1.5.0            137
WSO2 Open Banking AM                 1.4.0            135
WSO2 Open Banking IAM                2.0.0            364
WSO2 Open Banking KM                 1.5.0            120
WSO2 Open Banking KM                 1.4.0            130
WSO2 Micro Integrator                1.0.0            49

CREDITS

WSO2 thanks Anonymous, working with Trend Micro Zero Day Initiative, for responsibly reporting the identified issue and working with us as we addressed it.