Alert - WSO2 Remote code execution vulnerabilities

Number: AL22-005
Date: 27 April 2022

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Overview

On 1 April 2022, WSO2 disclosed a vulnerability Footnote 1, tracked as CVE-2022-29464 Footnote 2, that impacts a line of products and, when exploited, allows remote code execution due to improper validation of user input.

On 25 April 2022, CISA disclosed that the vulnerability was being actively exploited Footnote 3. The Cyber Centre is also aware that active exploitation has been reported within Canada.

Details

On 1 April 2022, WSO2 disclosed vulnerability CVE-2022-29464 Footnote 1 Footnote 2, which allows remote code execution on multiple products. Rated CVSS 9.8, the vulnerability is due to improper validation of user input. Exploitation results in the upload of an arbitrary file to the affected system, which can then be remotely executed by an unauthenticated user for further exploitation.

The vulnerability has been identified as affecting the following products:

  • WSO2 API Manager 2.2.0 and above
  • WSO2 Identity Server 5.2.0 and above
  • WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
  • WSO2 Identity Server as Key Manager 5.3.0 and above
  • WSO2 Enterprise Integrator 6.2.0 and above
  • WSO2 Open Banking AM 1.4.0 and above
  • WSO2 Open Banking KM 1.4.0 and above

Suggested action

WSO2 has provided temporary mitigations and delivered the fixes for all the supported product versions. All customers with a support subscription should review the WSO2 Updates and apply the recommended fixes Footnote 4.

For organizations that are using open-source versions or end-of-license versions, or that are not able to install the fixes, WSO2 recommends mitigations to protect applications and systems affected by these vulnerabilities. A summary of these mitigations from the WSO2 security advisory Footnote 1 is:

  • For API Manager, Identity Server, Identity Server as Key Manager, IS Analytics
    • Remove all the mappings defined inside the FileUploadConfig tag in <product_home>/repository/conf/carbon.xml
  • For API Manager
    • Add the referenced configuration to <product_home>/repository/conf/deployment.toml
  • For Identity Server, Identity Server as Key Manager
    • Add the referenced configuration to <product_home>/repository/conf/deployment.toml
  • For Enterprise Integrator
    • For the EI profile, remove the following mappings in the <product_home>/conf/carbon.xml file from the <FileUploadConfig> section.
    • For the Business Process, Broker and Analytics profiles, apply the same change to the carbon.xml file at the following locations respectively.
  • For other unsupported products/versions based on WSO2 Carbon Kernel 4 versions
    • Remove all the mappings defined inside the FileUploadConfig tag in <product_home>/repository/conf/carbon.xml
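The carbon.xml mitigation above amounts to emptying the FileUploadConfig section. The script below is an added example (not WSO2's or the Cyber Centre's tooling) that audits a carbon.xml for the mappings that section still carries and writes out a hardened copy with them removed; it assumes the Carbon Kernel 4 layout in which each mapping is a <Mapping> element holding <Actions>/<Action> and <Class> children, and the sample configuration embedded in it is constructed for illustration.

```python
"""Audit helper: report and strip <Mapping> entries inside <FileUploadConfig> of a WSO2 carbon.xml.

Added example for the mitigation in this Alert; not WSO2's own code. The element
layout (<FileUploadConfig>/<Mapping>/<Actions>/<Action>, <Class>) is assumed, and the
sample document below is constructed, not taken from a real deployment.
"""
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of carbon.xml (assumed layout, placeholder class names).
SAMPLE_CARBON_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <Name>WSO2 Example Server</Name>
  <FileUploadConfig>
    <Mapping>
      <Actions>
        <Action>keystore</Action>
        <Action>certificate</Action>
      </Actions>
      <Class>org.example.KeystoreUploadExecutor</Class>
    </Mapping>
    <Mapping>
      <Actions>
        <Action>toolsAny</Action>
      </Actions>
      <Class>org.example.AnyFileUploadExecutor</Class>
    </Mapping>
  </FileUploadConfig>
</Server>
"""


def _local(tag):
    """Strip an XML namespace: '{http://...}Mapping' -> 'Mapping'."""
    return tag.rsplit('}', 1)[-1]


def _register_default_ns(root):
    """Keep the document's default namespace on re-serialisation instead of an ns0: prefix."""
    if root.tag.startswith('{'):
        ET.register_namespace('', root.tag[1:].split('}', 1)[0])


def find_upload_mappings(xml_text):
    """Return [(class_name, [action, ...]), ...] for every <Mapping> under <FileUploadConfig>.

    An empty list means the mitigation (no upload mappings) is already in place.
    """
    root = ET.fromstring(xml_text)
    found = []
    for cfg in root.iter():
        if _local(cfg.tag) != 'FileUploadConfig':
            continue
        for mapping in cfg:
            if _local(mapping.tag) != 'Mapping':
                continue
            actions = [a.text.strip() for a in mapping.iter()
                       if _local(a.tag) == 'Action' and a.text]
            cls = next((c.text.strip() for c in mapping
                        if _local(c.tag) == 'Class' and c.text), None)
            found.append((cls, actions))
    return found


def strip_upload_mappings(xml_text):
    """Return (hardened_xml, removed_count).

    Every <Mapping> inside <FileUploadConfig> is removed; the now-empty
    <FileUploadConfig> element itself is left in place so the file stays well-formed.
    """
    root = ET.fromstring(xml_text)
    _register_default_ns(root)
    removed = 0
    for cfg in root.iter():
        if _local(cfg.tag) != 'FileUploadConfig':
            continue
        # Collect first, then remove, so we never mutate a list we are iterating.
        for mapping in [m for m in cfg if _local(m.tag) == 'Mapping']:
            cfg.remove(mapping)
            removed += 1
    return ET.tostring(root, encoding='unicode'), removed


if __name__ == '__main__':
    for cls, actions in find_upload_mappings(SAMPLE_CARBON_XML):
        print(f'upload mapping present: actions={actions} class={cls}')
    hardened, count = strip_upload_mappings(SAMPLE_CARBON_XML)
    print(f'removed {count} mapping(s); remaining: {find_upload_mappings(hardened)}')
```

Run it against a real file by passing the file contents to find_upload_mappings() first; a non-empty result is the condition the advisory asks you to clear. Review the hardened output before replacing carbon.xml, since it drops every mapping, including any that legitimate administration features of the product rely on.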

Proofpoint has released a Suricata Intrusion Detection System (IDS) signature to assist in the identification of exploitation attempts Footnote 5.
