CVE-2022-29464: Security Advisory WSO2-2021-1738 - WSO2 Platform Security

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.


Published: 1st April 2022

Updated: 29th April 2022

Version: 1.3.0

Severity: Critical

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2022-29464

AFFECTED PRODUCTS - REFER TO PATCH LIST BELOW

  • WSO2 API Manager 2.2.0, up to 4.0.0
  • WSO2 Identity Server 5.2.0, up to 5.11.0
  • WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
  • WSO2 Identity Server as Key Manager 5.3.0, up to 5.11.0
  • WSO2 Enterprise Integrator 6.2.0, up to 6.6.0
  • WSO2 Open Banking AM 1.4.0, up to 2.0.0
  • WSO2 Open Banking KM 1.4.0, up to 2.0.0

WSO2 proactively issues security patches for all the supported product versions listed under the WSO2 Support Matrix ("available" and "deprecated" status). The vulnerability may also affect older product versions that are in extended and discontinued status.

OVERVIEW

Unrestricted arbitrary file upload and remote code execution vulnerability.

DESCRIPTION

Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user-controlled location on the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.

IMPACT

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

SOLUTION

WSO2 provided temporary mitigations to customers in January 2022 and delivered fixes for all the supported product versions listed under the WSO2 Support Matrix ("available" and "deprecated" status) in February 2022. If you are a WSO2 customer with a Support Subscription, please use WSO2 Updates to apply the fix.

The update levels are listed in the table below. You should update your product to the specified update level, or a higher one, to apply the fix.

Product Name                         | Product Version | Update Level | WUM Timestamp
-------------------------------------|-----------------|--------------|---------------
WSO2 API Manager                     | 2.2.0           | 43           | 1642181410159
WSO2 API Manager                     | 2.5.0           | 44           | 1642690416146
WSO2 API Manager                     | 2.6.0           | 72           | 1642690636270
WSO2 API Manager                     | 3.0.0           | 70           | 1642180160123
WSO2 API Manager                     | 3.1.0           | 107          | 1643038989258
WSO2 API Manager                     | 3.2.0           | 122          | 1643038989258
WSO2 API Manager                     | 4.0.0           | 64           | N/A
WSO2 API Manager Analytics           | 2.2.0           | 25           | 1642181410159
WSO2 API Manager Analytics           | 2.5.0           | 23           | 1642690416146
WSO2 Identity Server                 | 5.2.0           | 22           | 1642180025435
WSO2 Identity Server                 | 5.4.1           | 22           | 1642180082946
WSO2 Identity Server                 | 5.5.0           | 34           | 1642181410159
WSO2 Identity Server                 | 5.6.0           | 27           | 1642690416146
WSO2 Identity Server                 | 5.7.0           | 48           | 1642690636270
WSO2 Identity Server                 | 5.10.0          | 112          | 1643038989258
WSO2 Identity Server                 | 5.8.0           | 39           | 1642181241778
WSO2 Identity Server                 | 5.9.0           | 55           | 1642601723766
WSO2 Identity Server                 | 5.11.0          | 106          | N/A
WSO2 Identity Server as Key Manager  | 5.5.0           | 34           | 1642181410159
WSO2 Identity Server as Key Manager  | 5.6.0           | 29           | 1642690416146
WSO2 Identity Server as Key Manager  | 5.7.0           | 55           | 1642690636270
WSO2 Identity Server as Key Manager  | 5.9.0           | 64           | 1642601723766
WSO2 Identity Server as Key Manager  | 5.10.0          | 115          | 1643038989258
WSO2 Identity Server Analytics       | 5.4.1           | 16           | 1642180082946
WSO2 Identity Server Analytics       | 5.5.0           | 25           | 1642181410159
WSO2 Identity Server Analytics       | 5.6.0           | 23           | 1642690416146
WSO2 Enterprise Integrator           | 6.2.0           | 42           | 1642179902897
WSO2 Enterprise Integrator           | 6.3.0           | 37           | 1642599930405
WSO2 Enterprise Integrator           | 6.4.0           | 58           | 1642601723766
WSO2 Enterprise Integrator           | 6.5.0           | 55           | 1642599975104
WSO2 Enterprise Integrator           | 6.6.0           | 79           | 1642599885111
WSO2 Open Banking AM                 | 1.3.0           | 76           | 1643038989258
WSO2 Open Banking AM                 | 1.4.0           | 75           | 1643038989258
WSO2 Open Banking AM                 | 1.5.0           | 75           | 1643038989258
WSO2 Open Banking AM                 | 2.0.0           | 119          | 1643038989258
WSO2 Open Banking KM                 | 1.3.0           | 60           | 1643038989258
WSO2 Open Banking KM                 | 1.4.0           | 61           | 1643038989258
WSO2 Open Banking KM                 | 1.5.0           | 58           | 1643038989258
WSO2 Open Banking IAM                | 2.0.0           | 127          | 1643038989258

If you are an open-source user, or you are using a product version that is EOL (End of License):

You may migrate to the latest version of the product if that version is not listed among the affected products. Otherwise, you may apply the relevant fixes to the product based on the public fixes given below:

  • https://github.com/wso2/carbon-kernel/pull/3152
  • https://github.com/wso2/carbon-identity-framework/pull/3864
  • https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/167

Alternatively, you may follow the mitigation steps given below.

Note: The temporary mitigation steps remove unnecessary endpoints. We have tested the general product use cases after incorporating these changes; however, please make sure to test your own business use cases in development/test environments before updating the production environment.

Temporary mitigation steps by product version:

Product versions:
  • WSO2 API Manager 2.6.0, 2.5.0, 2.2.0, and older versions
  • WSO2 Identity Server 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0, and older versions
  • WSO2 Identity Server as Key Manager 5.7.0, 5.6.0, 5.5.0, 5.3.0, and older versions
  • WSO2 IS Analytics 5.6.0, 5.5.0, 5.4.1, 5.4.0, and older versions
  • WSO2 OBAM 1.5.0 and older versions
  • WSO2 OBKM 1.5.0 and older versions

Temporary mitigation step: Remove all the mappings defined inside the FileUploadConfig tag in <product_home>/repository/conf/carbon.xml.

Product versions:
  • WSO2 API Manager 4.0.0, 3.2.0, 3.1.0, 3.0.0

Temporary mitigation step: Add the following configuration to <product_home>/repository/conf/deployment.toml (one key per line; the quotes must be plain ASCII double quotes):

[[resource.access_control]]
context = "(.*)/fileupload/resource(.*)"
secure = false
http_method = "all"

[[resource.access_control]]
context = "(.*)/fileupload/(.*)"
secure = true
http_method = "all"
permissions = ["/permission/protected/"]

Product versions:
  • WSO2 Open Banking AM 2.0.0

Temporary mitigation step: Add the following configuration to <product_home>/repository/conf/deployment.toml:

[[resource.access_control]]
context = "(.*)/fileupload/csv(.*)"
secure = false
http_method = "all"

[[resource.access_control]]
context = "(.*)/fileupload/resource(.*)"
secure = false
http_method = "all"

[[resource.access_control]]
context = "(.*)/fileupload/(.*)"
secure = true
http_method = "all"
permissions = ["/permission/protected/"]

Product versions:
  • WSO2 Identity Server 5.11.0, 5.10.0, 5.9.0
  • WSO2 Identity Server as Key Manager 5.10.0, 5.9.0
  • WSO2 Open Banking IAM 2.0.0

Temporary mitigation step: Add the following configuration to <product_home>/repository/conf/deployment.toml:

[[resource.access_control]]
context = "(.*)/fileupload/service(.*)"
secure = false
http_method = "all"

[[resource.access_control]]
context = "(.*)/fileupload/entitlement-policy(.*)"
secure = false
http_method = "all"

[[resource.access_control]]
context = "(.*)/fileupload/resource(.*)"
secure = false
http_method = "all"

[[resource.access_control]]
context = "(.*)/fileupload/(.*)"
secure = true
http_method = "all"
permissions = ["/permission/protected/"]

Product versions:
  • WSO2 Enterprise Integrator 6.6.0, 6.5.0, 6.4.0, 6.3.0, 6.2.0, and older versions

Temporary mitigation step: For the EI profile, remove the following mappings from the <FileUploadConfig> section of <product_home>/conf/carbon.xml.

For the Business Process, Broker and Analytics profiles, apply the same change to the carbon.xml file at the following locations respectively:

  • <product_home>/wso2/broker/conf/carbon.xml
  • <product_home>/wso2/business-process/conf/carbon.xml
  • <product_home>/wso2/analytics/conf/carbon.xml

<Mapping>
  <Actions>
    <Action>keystore</Action>
    <Action>certificate</Action>
    <Action>*</Action>
  </Actions>
  <Class>org.wso2.carbon.ui.transports.fileupload.AnyFileUploadExecutor</Class>
</Mapping>

<Mapping>
  <Actions>
    <Action>jarZip</Action>
  </Actions>
  <Class>org.wso2.carbon.ui.transports.fileupload.JarZipUploadExecutor</Class>
</Mapping>

<Mapping>
  <Actions>
    <Action>tools</Action>
  </Actions>
  <Class>org.wso2.carbon.ui.transports.fileupload.ToolsFileUploadExecutor</Class>
</Mapping>

<Mapping>
  <Actions>
    <Action>toolsAny</Action>
  </Actions>
  <Class>org.wso2.carbon.ui.transports.fileupload.ToolsAnyFileUploadExecutor</Class>
</Mapping>

Product versions:
  • Other unsupported products/versions based on WSO2 Carbon Kernel 4

Temporary mitigation step: Remove all the mappings defined inside the FileUploadConfig tag in <product_home>/repository/conf/carbon.xml.
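The following audit script is an added example and is not WSO2 code. It checks the two temporary mitigations described above from a defender's side: whether any <Mapping> entries are still present under <FileUploadConfig> in a carbon.xml (the older-version mitigation removes them all), and whether a deployment.toml contains a [[resource.access_control]] rule that protects the "(.*)/fileupload/(.*)" context with secure = true and the /permission/protected/ permission. The carbon.xml and deployment.toml content embedded below is constructed for the example; the TOML reader is a deliberately minimal parser for the access_control tables only, not a general TOML implementation.

```python
"""Audit helper for the CVE-2022-29464 temporary mitigations (added example,
not WSO2 code). Sample configuration content is constructed for this script."""
import re
import xml.etree.ElementTree as ET

# Constructed carbon.xml fragment that still carries two of the mappings the
# advisory tells operators to remove.
SAMPLE_CARBON_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <FileUploadConfig>
    <TotalFileSizeLimit>100</TotalFileSizeLimit>
    <Mapping>
      <Actions><Action>keystore</Action><Action>certificate</Action><Action>*</Action></Actions>
      <Class>org.wso2.carbon.ui.transports.fileupload.AnyFileUploadExecutor</Class>
    </Mapping>
    <Mapping>
      <Actions><Action>jarZip</Action></Actions>
      <Class>org.wso2.carbon.ui.transports.fileupload.JarZipUploadExecutor</Class>
    </Mapping>
  </FileUploadConfig>
</Server>
"""

# Constructed deployment.toml carrying the advisory's API Manager 3.x/4.0.0 rules.
SAMPLE_DEPLOYMENT_TOML = """
[[resource.access_control]]
context = "(.*)/fileupload/resource(.*)"
secure = false
http_method = "all"

[[resource.access_control]]
context = "(.*)/fileupload/(.*)"
secure = true
http_method = "all"
permissions = ["/permission/protected/"]
"""


def _local(tag: str) -> str:
    """Strip a namespace prefix such as '{http://...}Mapping' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def remaining_upload_mappings(carbon_xml: str) -> list:
    """Return (actions, executor class) for every Mapping under FileUploadConfig."""
    root = ET.fromstring(carbon_xml)
    found = []
    for cfg in root.iter():
        if _local(cfg.tag) != "FileUploadConfig":
            continue
        for mapping in cfg:
            if _local(mapping.tag) != "Mapping":
                continue
            actions = [a.text.strip() for a in mapping.iter()
                       if _local(a.tag) == "Action" and a.text]
            cls = next((c.text.strip() for c in mapping.iter()
                        if _local(c.tag) == "Class" and c.text), "")
            found.append((actions, cls))
    return found


def _parse_value(value: str):
    """Parse the value shapes used in the advisory: bool, string, string array."""
    if value in ("true", "false"):
        return value == "true"
    if value.startswith("["):
        return re.findall(r'"([^"]*)"', value)
    return value.strip('"')


def access_control_rules(toml_text: str) -> list:
    """Minimal reader for [[resource.access_control]] tables (one key per line).
    For real files a full TOML parser such as tomllib (Python 3.11+) is preferable."""
    rules, current = [], None
    for raw in toml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):
            current = {} if line.strip("[]").strip() == "resource.access_control" else None
            if current is not None:
                rules.append(current)
            continue
        if line.startswith("["):          # some other table: stop collecting
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = _parse_value(value)
    return rules


def fileupload_catch_all_protected(rules: list) -> bool:
    """True if a rule secures the generic fileupload context with /permission/protected/."""
    return any(rule.get("context") == "(.*)/fileupload/(.*)"
               and rule.get("secure") is True
               and "/permission/protected/" in rule.get("permissions", [])
               for rule in rules)


def audit(carbon_xml: str, deployment_toml: str) -> dict:
    """Combine both checks into one report dict."""
    return {
        "remaining_mappings": remaining_upload_mappings(carbon_xml),
        "fileupload_protected": fileupload_catch_all_protected(
            access_control_rules(deployment_toml)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CARBON_XML, SAMPLE_DEPLOYMENT_TOML)
    for actions, cls in report["remaining_mappings"]:
        print(f"FileUploadConfig mapping still present: {actions} -> {cls}")
    print("fileupload catch-all rule protected:", report["fileupload_protected"])
```

Run against a real installation by reading <product_home>/repository/conf/carbon.xml and deployment.toml into the two arguments of audit(); for the older versions the expected result is an empty remaining_mappings list, for the deployment.toml-based versions it is fileupload_protected being true. The script only reports; it does not modify any file.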

CREDITS

WSO2 thanks Orange Tsai from DEVCORE for responsibly reporting the identified issue and working with us as we addressed it.
