SECURITY ADVISORY WSO2-2024-3574/CVE-2024-7097¶
Published: November 10, 2024
Version: 1.0.0
Severity: Medium
CVSS Score: 4.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0, 2.1.0, 2.0.0
- WSO2 Identity Server 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0
- WSO2 Identity Server as Key Manager 5.10.0, 5.9.0, 5.7.0, 5.6.0, 5.5.0, 5.3.0
- WSO2 Open Banking AM 2.0.0, 1.5.0, 1.4.0, 1.3.0
- WSO2 Open Banking IAM 2.0.0
- WSO2 Open Banking KM 1.5.0, 1.4.0, 1.3.0
Info
Please note that this announcement includes only the product versions affected as per our backporting policy.
OVERVIEW¶
SOAP admin service allows user signup regardless of self-registration configuration.
DESCRIPTION¶
The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.
IMPACT¶
Malicious actors could exploit this vulnerability to create multiple other users with low privileges and gain unauthorized access to the system. This may also be used to exhaust the system by continuously creating such users.
SOLUTION¶
Community Users (Open Source)¶
Apply the relevant fixes to your product using the public fix(es) provided below. This update disables the user self-signup via SOAP admin services.
Commercial Users¶
Update your product to the specified update level—or a higher update level—to apply the fix.
Info
If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.
| Product Name | Product Version | U2 Update Level |
|---|---|---|
| wso2-obam | 1.3.0 | 131 |
| wso2-obam | 1.4.0 | 134 |
| wso2-obam | 1.5.0 | 136 |
| wso2-obam | 2.0.0 | 343 |
| wso2-obkm | 1.3.0 | 114 |
| wso2-obkm | 1.4.0 | 130 |
| wso2-obkm | 1.5.0 | 120 |
| wso2is-km | 5.3.0 | 38 |
| wso2is-km | 5.5.0 | 51 |
| wso2is-km | 5.6.0 | 72 |
| wso2is-km | 5.7.0 | 122 |
| wso2is-km | 5.9.0 | 165 |
| wso2is-km | 5.10.0 | 312 |
| wso2am | 2.0.0 | 29 |
| wso2am | 2.1.0 | 39 |
| wso2am | 2.2.0 | 56 |
| wso2am | 2.5.0 | 83 |
| wso2am | 2.6.0 | 142 |
| wso2am | 3.0.0 | 162 |
| wso2am | 3.1.0 | 294 |
| wso2am | 3.2.0 | 384 |
| wso2am | 3.2.1 | 16 |
| wso2am | 4.0.0 | 305 |
| wso2am | 4.1.0 | 166 |
| wso2am | 4.2.0 | 101 |
| wso2am | 4.3.0 | 16 |
| wso2is | 5.2.0 | 32 |
| wso2is | 5.3.0 | 33 |
| wso2is | 5.4.0 | 32 |
| wso2is | 5.4.1 | 36 |
| wso2is | 5.5.0 | 50 |
| wso2is | 5.6.0 | 58 |
| wso2is | 5.7.0 | 123 |
| wso2is | 5.8.0 | 106 |
| wso2is | 5.9.0 | 157 |
| wso2is | 5.10.0 | 318 |
| wso2is | 5.11.0 | 365 |
| wso2is | 6.0.0 | 209 |
| wso2is | 6.1.0 | 188 |
| wso2is | 7.0.0 | 60 |
| wso2-obiam | 2.0.0 | 364 |
For All Users¶
If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).
When required the following configuration could be added to the deployment.toml file to allow user self-signup. The allowed usernames list should contain the list of system user accounts which are allowed to invoke the UserInformationRecoveryService to initiate relevant API invocations.
[user_info_recovery_admin_service]
allowed_usernames = [
"user1",
"user2"
]
<IS_HOME>/repository/conf/identity/.
<AdminServices>
<UserInformationRecoveryService>
<AllowedUsers>
<Usernames>user1,user2</Usernames>
</AllowedUsers>
</UserInformationRecoveryService>
</AdminServices>
The following section is regarding APIM 2.x versions. If user self-registration is a requirement based on your business use case, you do not need to make any additional changes.
However, if user self-registration is not a requirement, to mitigate this vulnerability in APIM 2.x versions, even after applying this update, following additional configuration must be applied. This is because APIM 2.x versions utilize relevant SOAP admin services for the user self-signup flow.
- Browse to
/_system/governance/apimgt/applicationdata/sign-up-config.xmlvia Management Console, open it in edit mode and update below configuration to false to disable self signup in the store portal.<EnableSignup>false</EnableSignup>
- Restart the APIM server with the following system property set to
false.
sh wso2server.sh -DenableUserRegistrationAdminService=false
It is also important to note that both above configuration options must be applied to completely disable self signup. Configuration change mentioned in item 1 only disables UI components, and item 2 only disables relevant SOAP admin service.