Security Advisory WSO2-2021-1738

Published: 1st April 2022

Updated: 29th April 2022

Version: 1.3.0

Severity: Critical

CVSS Score:  9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-ID:  CVE-2022-29464

AFFECTED PRODUCTS - REFER TO PATCH LIST BELOW

WSO2 API Manager 2.2.0, up to 4.0.0
WSO2 Identity Server 5.2.0, up to 5.11.0 
WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
WSO2 Identity Server as Key Manager 5.3.0, up to 5.11.0
WSO2 Enterprise Integrator 6.2.0, up to 6.6.0
WSO2 Open Banking AM 1.4.0, up to 2.0.0 
WSO2 Open Banking KM 1.4.0, up to 2.0.0

OVERVIEW

Unrestricted arbitrary file upload, and remote code to execution vulnerability.

DESCRIPTION

Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user controlled location of the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.

IMPACT

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload.

SOLUTION

WSO2 has provided temporary mitigations to the customers in January 2022 and delivered the fixes for all the supported product versions listed under the WSO2 Support Matrix ("available" and "deprecated" status) in February. If you are a WSO2 customer with a Support Subscription, please use WSO2 Updates to apply the fix.

The update levels are available in the below table. You should update your product to the specified update level or a higher update level to apply the fix

If you are an open-source user or using a product version that is EOL (End of License) :

You may migrate to the latest version of the product if the latest version is not listed under the list of the affected products. Otherwise, you may apply the relevant fixes to the product based on the public fixes as given below:

• https://github.com/wso2/carbon-kernel/pull/3152
• https://github.com/wso2/carbon-identity-framework/pull/3864
• https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/167

Or else you may follow the mitigation steps given below.

[[resource.access_control]]
context="(.*)/fileupload/resource(.*)"
secure=false
http_method = "all"

[[resource.access_control]]
context="(.*)/fileupload/(.*)"
secure=true
http_method = "all"
permissions = ["/permission/protected/"]

[[resource.access_control]]
context="(.*)/fileupload/csv(.*)"
secure=false
http_method = "all"

[[resource.access_control]]
context="(.*)/fileupload/resource(.*)"
secure=false
http_method = "all"

[[resource.access_control]]
context="(.*)/fileupload/(.*)"
secure=true
http_method = "all"
permissions = ["/permission/protected/"]

[[resource.access_control]]
context="(.*)/fileupload/service(.*)"
secure=false
http_method = "all"

[[resource.access_control]]
context="(.*)/fileupload/entitlement-policy(.*)"
secure=false
http_method = "all"

[[resource.access_control]]
context="(.*)/fileupload/resource(.*)"
secure=false
http_method = "all"

[[resource.access_control]]
context="(.*)/fileupload/(.*)"
secure=true
http_method = "all"
permissions = ["/permission/protected/"]

<Mapping>
    <Actions>
        <Action>keystore</Action>
        <Action>certificate</Action>
        <Action>*</Action>
    </Actions>
    <Class>org.wso2.carbon.ui.transports.fileupload.AnyFileUploadExecutor</Class>
</Mapping>

<Mapping>
    <Actions>
        <Action>jarZip</Action>
    </Actions>
    <Class>org.wso2.carbon.ui.transports.fileupload.JarZipUploadExecutor</Class>
</Mapping>

<Mapping>
    <Actions>
        <Action>tools</Action>
    </Actions>
    <Class>org.wso2.carbon.ui.transports.fileupload.ToolsFileUploadExecutor</Class>
</Mapping>

<Mapping>
    <Actions>
        <Action>toolsAny</Action>
    </Actions>
    <Class>org.wso2.carbon.ui.transports.fileupload.ToolsAnyFileUploadExecutor</Class>
</Mapping>

CREDITS

WSO2 thanks Orange Tsai from DEVCORE for responsibly reporting the identified issue and working with us as we addressed it.