Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-29464: Security Advisory WSO2-2021-1738 - WSO2 Platform Security

Certain WSO2 products allow unrestricted file upload with resultant remote code execution. This affects WSO2 API Manager 2.2.0 and above through 4.0.0; WSO2 Identity Server 5.2.0 and above through 5.11.0; WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; and WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.

CVE
#vulnerability#git

Published: 1st April 2022

Version: 1.0.0

Severity: Critical

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

AFFECTED PRODUCTS

WSO2 API Manager 2.2.0 and above
WSO2 Identity Server 5.2.0 and above
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager 5.3.0 and above
WSO2 Enterprise Integrator 6.2.0 and above

OVERVIEW

Unrestricted arbitrary file upload, and remote code to execution vulnerability.

DESCRIPTION

Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user controlled location of the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.

IMPACT

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

SOLUTION

You may migrate to the latest version of the product, if the latest version is not listed under the affected products list. Otherwise, you may apply the relevant fixes to the product based on the public fixes as given below:

  • https://github.com/wso2/carbon-kernel/pull/3152
  • https://github.com/wso2/carbon-identity-framework/pull/3864
  • https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/167

Or else you may follow the temporary mitigation steps given below.

Note : The temporary mitigation steps will remove unnecessary endpoints. Further, we have tested the general product use cases after incorporating these fixes. However, please make sure to test your business use cases in development/test environments before proceeding to update the production environment.

Product Version

Temporary Mitigation Step(s)

WSO2 API Manager 2.6.0, 2.5.0, 2.2.0

WSO2 Identity Server 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0

WSO2 Identity Server as Key Manager 5.7.0, 5.6.0, 5.5.0, 5.3.0

WSO2 IS Analytics 5.6.0, 5.5.0, 5.4.1, 5.4.0

Remove all the mappings defined inside the FileUploadConfig tag in <product_home>/repository/conf/carbon.xml

WSO2 API Manager 4.0.0, 3.2.0, 3.1.0, 3.0.0

Add the following configuration to <product_home>/repository/conf/deployment.toml

[[resource.access_control]] context="(.*)/fileupload/resource(.*)" secure=false http_method = “all”

[[resource.access_control]] context="(.*)/fileupload/(.*)" secure=true http_method = “all” permissions = [“/permission/protected/”]

WSO2 Identity Server 5.11.0, 5.10.0, 5.9.0

WSO2 Identity Server as Key Manager 5.10.0, 5.9.0

Add the following configuration to <product_home>/repository/conf/deployment.toml

[[resource.access_control]] context="(.*)/fileupload/service(.*)" secure=false http_method = “all”

[[resource.access_control]] context="(.*)/fileupload/entitlement-policy(.*)" secure=false http_method = “all”

[[resource.access_control]] context="(.*)/fileupload/resource(.*)" secure=false http_method = “all”

[[resource.access_control]] context="(.*)/fileupload/(.*)" secure=true http_method = “all” permissions = [“/permission/protected/”]

WSO2 Enterprise Integrator 6.6.0, 6.5.0, 6.4.0, 6.3.0, 6.2.0

For EI profile remove the following mappings in the <product_home>/conf/carbon.xml file from the <FileUploadConfig> section.

For Business process / Broker and Analytics profiles apply the same change for carbon.xml file at the following locations respectively.

  • <product_home>/wso2/broker/conf/carbon.xml
  • <product_home>/wso2/business-process/conf/carbon.xml
  • <product_home>/wso2/analytics/conf/carbon.xml

<Mapping> <Actions> <Action>keystore</Action> <Action>certificate</Action> <Action>*</Action> </Actions> <Class>org.wso2.carbon.ui.transports.fileupload.AnyFileUploadExecutor</Class> </Mapping>

<Mapping> <Actions> <Action>jarZip</Action> </Actions> <Class>org.wso2.carbon.ui.transports.fileupload.JarZipUploadExecutor</Class> </Mapping>

<Mapping> <Actions> <Action>tools</Action> </Actions> <Class>org.wso2.carbon.ui.transports.fileupload.ToolsFileUploadExecutor</Class> </Mapping>

<Mapping> <Actions> <Action>toolsAny</Action> </Actions> <Class>org.wso2.carbon.ui.transports.fileupload.ToolsAnyFileUploadExecutor</Class> </Mapping>

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.

CREDITS

WSO2 thanks Anders Orange Tsai from DEVCORE for responsibly reporting the identified issue and working with us as we addressed it.

Related news

RHSA-2022:1418: Red Hat Security Advisory: kpatch-patch security update

An update is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4083: kernel: fget: check that the fd still exists after getting a ref to it * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation * CVE-2022-25636: kernel: heap out of bounds write in nf_dup_netdev.c

RHSA-2022:1417: Red Hat Security Advisory: kernel security update

An update for kernel is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-0466: kernel: use after free in eventpoll.c may lead to escalation of privilege * CVE-2021-0920: kernel: Use After Free in unix_gc() which could result in a local privilege escalation * CVE-2021-4155: kernel: xfs: raw block device data leak in XFS_IOC_ALLOCSP IOCTL * CVE-2022-0492: kernel: cgroups v1 release_agent feature may ...

RHSA-2022:1407: Red Hat Security Advisory: container-tools:2.0 security and bug fix update

An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-27649: podman: Default inheritable capabilities for linux container should be empty * CVE-2022-27651: buildah: Default inheritable capabilities for linux container should be empty

RHSA-2022:1410: Red Hat Security Advisory: 389-ds:1.4 security and bug fix update

An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4091: 389-ds-base: double free of the virtual attribute context in persistent search

CVE-2022-29315: CSV Injection in Acunetix version 13.0.201217092

Invicti Acunetix before 14 allows CSV injection via the Description field on the Add Targets page, if the Export CSV feature is used.

RHSA-2022:1413: Red Hat Security Advisory: kernel-rt security and bug fix update

An update for kernel-rt is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4083: kernel: fget: check that the fd still exists after getting a ref to it * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation * CVE-2022-25636: kernel: heap out of bounds write in nf_dup_netdev.c

RHSA-2022:1402: Red Hat Security Advisory: OpenShift Virtualization 2.6.10 RPMs security and bug fix update

Red Hat OpenShift Virtualization release 2.6.10 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-33195: golang: net: lookup functions may return invalid host names * CVE-2021-33197: golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty * CVE-2021-33198: golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs...

CVE-2022-27927: Microfinance Management System in PHP Free Source Code

A SQL injection vulnerability exists in Microfinance Management System 1.0 when MySQL is being used as the application database. An attacker can issue SQL commands to the MySQL database through the vulnerable course_code and/or customer_number parameter.

CVE-2021-43129: GitHub - Skotizo/CVE-2021-43129: Vulnerability in version 20.21.7 of D2L Learning Management System (LMS)

An Access Control vulnerability exists in Desire2Learn/D2L Learning Management System (LMS) 20.21.7 via the quizzing feature, which allows a remote malicious user to disable the Disable right click control.

RHSA-2022:1394: Red Hat Security Advisory: Red Hat Ceph Storage 3 Security and Bug Fix update

An update is now available for Red Hat Ceph Storage 3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-20288: ceph: Unauthorized global_id reuse in cephx

RHSA-2022:1396: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.5.4 security update

The Migration Toolkit for Containers (MTC) 1.5.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-36221: golang: net/http/httputil: panic due to racy read of persistConn after handler panic

Swimlane Extends Cloud-Based Security Automation into APJ Amid Momentous Growth in Region

Swimlane’s Asia-Pacific presence grows 173%, highlighting rising demand for low-code security automation.

Security-as-Code Gains More Support, but Still Nascent

Google and other firms are adding security configuration to software so cloud applications and services have well-defined security settings — a key component of DevSecOps.

CVE-2022-29457: ADSelfService Plus Release Notes

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

Why So Many Security Experts Are Concerned About Low-Code/No-Code Apps

IT departments must account for the business impact and security risks such applications introduce.

CVE-2021-42781: Heap buffer overflow in pkcs15-oberthur.c

Heap buffer overflow issues were found in Opensc before version 0.22.0 in pkcs15-oberthur.c that could potentially crash programs using the library.

CVE-2020-13567: TALOS-2020-1179 || Cisco Talos Intelligence Group

Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.

CVE-2020-13495: TALOS-2020-1104 || Cisco Talos Intelligence Group

An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles file offsets in binary USD files. A specially crafted malformed file can trigger an arbitrary out-of-bounds memory access that could lead to the disclosure of sensitive information. This vulnerability could be used to bypass mitigations and aid additional exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided file.

CVE-2020-6099: TALOS-2020-1032 || Cisco Talos Intelligence Group

An exploitable code execution vulnerability exists in the file format parsing functionality of Graphisoft BIMx Desktop Viewer 2019.2.2328. A specially crafted file can cause a heap buffer overflow resulting in a code execution. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2021-3681: Secrets leakage vulnerability with ansible collections and ansible galaxy

A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets.

CVE-2021-20324: session fixation variation when using Undertow FORM authentication

A flaw was found in WildFly Elytron. A variation to the use of a session fixation exploit when using Undertow was found despite Undertow switching the session ID after authentication.

CVE-2021-3624: #984761 - dcraw: CVE-2021-3624: buffer-overflow caused by integer-overflow in foveon_load_camf()

There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim's system.

CVE-2021-42778: Heap double free in sc_pkcs15_free_tokeninfo

A heap double free issue was found in Opensc before version 0.22.0 in sc_pkcs15_free_tokeninfo.

Strength in Unity: Why It's Especially Important to Strengthen Your Supply Chain Now

The ongoing war in Ukraine means that defenses are only as good and as strong as those with whom we partner.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907