SECURITY ADVISORY WSO2-2024-3574/CVE-2024-7097

Published: November 10, 2024

Version: 1.0.0

Severity: Medium

CVSS Score: 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0, 2.1.0, 2.0.0
  • WSO2 Identity Server 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0
  • WSO2 Identity Server as Key Manager 5.10.0, 5.9.0, 5.7.0, 5.6.0, 5.5.0, 5.3.0

OVERVIEW

SOAP admin service allows user signup regardless of self-registration configuration.

DESCRIPTION

The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.

IMPACT

Malicious actors could exploit this vulnerability to create multiple other users with low privileges and gain unauthorized access to the system. This may also be used to exhaust the system by continuously creating such users.

SOLUTION

The recommended solution is to apply the below provided public PR. This update disables the user self-signup via SOAP admin services. * https://github.com/wso2/carbon-identity-framework/pull/5811

However, when required the following configuration could be added to the deployment.toml file to allow user self-signup. The allowed usernames list should contain the list of system user accounts which are allowed to invoke the UserInformationRecoveryService to initiate relevant API invocations.

[user_info_recovery_admin_service]
allowed_usernames = [
    "user1",
    "user2"
]
If you are using the XML based configuration model, please add the following configuration to the identity.xml file located in <IS_HOME>/repository/conf/identity/.

<AdminServices>
        <UserInformationRecoveryService>
            <AllowedUsers>
                <Usernames>user1,user2</Usernames>
            </AllowedUsers>
        </UserInformationRecoveryService>
    </AdminServices>

Important

The following section is regarding APIM 2.x versions. If user self-registration is a requirement based on your business use case, you do not need to make any additional changes.

However, if user self-registration is not a requirement, to mitigate this vulnerability in APIM 2.x versions, even after applying this update, following additional configuration must be applied. This is because APIM 2.x versions utilize relevant SOAP admin services for the user self-signup flow.

  1. Browse to /_system/governance/apimgt/applicationdata/sign-up-config.xml via Management Console, open it in edit mode and update below configuration to false to disable self signup in the store portal.
    <EnableSignup>false</EnableSignup>
    
  2. Restart the APIM server with the following system property set to "false".
  3. sh wso2server.sh -DenableUserRegistrationAdminService=false

It is also important to note that both above configuration options must be applied to completely disable self signup. Configuration change mentioned in item 1 only disables UI components, and item 2 only disables relevant SOAP admin service.

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.