SECURITY ADVISORY WSO2-2024-3574/CVE-2024-7097
Published: November 10, 2024
Version: 1.0.0
Severity: Medium
CVSS Score: 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
AFFECTED PRODUCTS
- WSO2 API Manager 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0, 2.1.0, 2.0.0
- WSO2 Identity Server 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0
- WSO2 Identity Server as Key Manager 5.10.0, 5.9.0, 5.7.0, 5.6.0, 5.5.0, 5.3.0
OVERVIEW
SOAP admin service allows user signup regardless of self-registration configuration.
DESCRIPTION
The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.
IMPACT
Malicious actors could exploit this vulnerability to create multiple low-privileged user accounts and gain unauthorized access to the system. It could also be used to exhaust system resources by continuously creating such users.
SOLUTION
The recommended solution is to apply the public PR provided below. This update disables user self-signup via the SOAP admin services.
* https://github.com/wso2/carbon-identity-framework/pull/5811
However, where self-signup is required, the following configuration can be added to the deployment.toml file to allow it. The allowed usernames list must contain the system user accounts that are permitted to invoke the UserInformationRecoveryService and initiate the relevant API invocations.
[user_info_recovery_admin_service]
allowed_usernames = [
"user1",
"user2"
]
<IS_HOME>/repository/conf/identity/
.
<AdminServices>
    <UserInformationRecoveryService>
        <AllowedUsers>
            <Usernames>user1,user2</Usernames>
        </AllowedUsers>
    </UserInformationRecoveryService>
</AdminServices>
Important
The following section applies to APIM 2.x versions. If user self-registration is a requirement for your business use case, you do not need to make any additional changes.
However, if user self-registration is not a requirement, the following additional configuration must be applied to mitigate this vulnerability in APIM 2.x versions, even after applying this update. This is because APIM 2.x versions use the relevant SOAP admin services for the user self-signup flow.
1. Browse to /_system/governance/apimgt/applicationdata/sign-up-config.xml via the Management Console, open it in edit mode and set the configuration below to false to disable self-signup in the Store portal.
   <EnableSignup>false</EnableSignup>
2. Restart the APIM server with the following system property set to "false".
   sh wso2server.sh -DenableUserRegistrationAdminService=false
Note that both of the above configuration changes must be applied to completely disable self-signup: the change in item 1 only disables the UI components, and item 2 only disables the relevant SOAP admin service.
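The following script is an added example for verifying the mitigations described in this advisory (the UserInformationRecoveryService allow-list in both the deployment.toml and XML forms, the <EnableSignup> flag in the APIM 2.x sign-up-config.xml, and the enableUserRegistrationAdminService system property on the start command). It is not WSO2 code. The sample configuration fragments are constructed from the snippets above; the <Server> and <SelfSignUp> root elements, and treating the system property as disabled only when it is explicitly "false", are assumptions.

```python
"""Audit helper for the WSO2-2024-3574 mitigations (added example, not WSO2 code)."""
import re
import xml.etree.ElementTree as ET

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # older interpreters use the narrow regex fallback below
    tomllib = None

# Constructed sample: the deployment.toml fragment from the advisory.
SAMPLE_DEPLOYMENT_TOML = """
[user_info_recovery_admin_service]
allowed_usernames = [
    "user1",
    "user2"
]
"""

# Constructed sample of the XML form; the <Server> root element is an assumption.
SAMPLE_IDENTITY_XML = """
<Server>
  <AdminServices>
    <UserInformationRecoveryService>
      <AllowedUsers><Usernames>user1,user2</Usernames></AllowedUsers>
    </UserInformationRecoveryService>
  </AdminServices>
</Server>
"""

# Constructed sample of an APIM 2.x sign-up-config.xml that still permits signup;
# the <SelfSignUp> root element is an assumption.
SAMPLE_SIGNUP_CONFIG_XML = """
<SelfSignUp>
  <EnableSignup>true</EnableSignup>
</SelfSignUp>
"""


def _local(tag):
    """Strip a namespace prefix such as {http://...}Usernames -> Usernames."""
    return tag.rsplit("}", 1)[-1]


def _find_text(xml_text, wanted):
    """Text of the first element whose local name is `wanted`, or None."""
    root = ET.fromstring(xml_text.strip())
    for el in root.iter():
        if _local(el.tag) == wanted:
            return (el.text or "").strip()
    return None


def allowed_users_from_toml(toml_text):
    """Accounts allowed to call UserInformationRecoveryService (deployment.toml form)."""
    if tomllib is not None:
        section = tomllib.loads(toml_text).get("user_info_recovery_admin_service", {})
        return [str(u) for u in section.get("allowed_usernames", [])]
    # Fallback: locate the section and pull the quoted strings out of the array.
    m = re.search(r"\[user_info_recovery_admin_service\]\s*allowed_usernames\s*=\s*\[(.*?)\]",
                  toml_text, re.S)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []


def allowed_users_from_xml(xml_text):
    """Same allow-list read from the <AdminServices> XML form (comma separated)."""
    raw = _find_text(xml_text, "Usernames")
    return [u.strip() for u in raw.split(",") if u.strip()] if raw else []


def signup_enabled(signup_config_xml):
    """True unless <EnableSignup> in sign-up-config.xml is set to false."""
    value = _find_text(signup_config_xml, "EnableSignup")
    return value is None or value.lower() != "false"


def admin_service_enabled(start_command):
    """True unless the start command sets -DenableUserRegistrationAdminService=false."""
    # Assumption: only an explicit "false" counts as disabled.
    m = re.search(r"-DenableUserRegistrationAdminService=(\S+)", start_command)
    return m is None or m.group(1).strip("\"'").lower() != "false"


def audit(toml_text, identity_xml, signup_config_xml, start_command):
    """Collect human-readable findings for the settings the advisory describes."""
    findings = []
    users = allowed_users_from_toml(toml_text) or allowed_users_from_xml(identity_xml)
    if users:
        findings.append("SOAP self-signup re-enabled for accounts: " + ", ".join(users))
    else:
        findings.append("No allow-list configured; SOAP self-signup stays disabled by the fix")
    if signup_enabled(signup_config_xml):
        findings.append("APIM 2.x: <EnableSignup> is not false; Store self-signup UI is active")
    if admin_service_enabled(start_command):
        findings.append("APIM 2.x: enableUserRegistrationAdminService not set to false on startup")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DEPLOYMENT_TOML, SAMPLE_IDENTITY_XML,
                      SAMPLE_SIGNUP_CONFIG_XML, "sh wso2server.sh"):
        print(line)
```

Run against the real files, read deployment.toml (or the XML configuration on older releases), sign-up-config.xml exported from the registry, and the actual server start command; each finding maps directly to one of the settings above, so an empty APIM 2.x result set means both item 1 and item 2 are in place.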
Info
If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.