Number: AL22-005
Date: 27 April 2022

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (“Cyber Centre”) is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Overview

On 1 April 2022, WSO2 disclosed a vulnerability [1], tracked as CVE-2022-29464 [2], that affects a line of its products and, when exploited, allows remote code execution due to improper validation of user input.

On 25 April 2022, CISA disclosed that the vulnerability was being actively exploited [3]. The Cyber Centre is also aware that active exploitation has been reported within Canada.

Details

On 1 April 2022, WSO2 disclosed vulnerability CVE-2022-29464 [1][2], which allows remote code execution on multiple products. Rated CVSS 9.8, the vulnerability is due to improper validation of user input. Exploitation results in the upload of an arbitrary file to the affected system, which an unauthenticated user can then execute remotely for further exploitation.

The vulnerability has been identified as affecting the following products:

  • WSO2 API Manager 2.2.0 and above
  • WSO2 Identity Server 5.2.0 and above
  • WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
  • WSO2 Identity Server as Key Manager 5.3.0 and above
  • WSO2 Enterprise Integrator 6.2.0 and above
  • WSO2 Open Banking AM 1.4.0 and above
  • WSO2 Open Banking KM 1.4.0 and above

Suggested action

WSO2 has provided temporary mitigations and delivered the fixes for all supported product versions. All customers with a support subscription should review the WSO2 Updates and apply the recommended fixes [4].

For organizations that are using open-source versions or end-of-license versions, or that are not able to install the fixes, WSO2 recommends mitigations to protect applications and systems affected by these vulnerabilities. A summary of these mitigations from the WSO2 security advisory [1] is:

  • For API Manager, Identity Server, Identity Server as Key Manager, IS Analytics
    • Remove all the mappings defined inside the FileUploadConfig tag in <product_home>/repository/conf/carbon.xml
  • For API Manager
    • Add the referenced configuration to <product_home>/repository/conf/deployment.toml
  • For Identity Server, Identity Server as Key Manager
    • Add the referenced configuration to <product_home>/repository/conf/deployment.toml
  • For Enterprise Integrator
    • For the EI profile, remove the following mappings from the <FileUploadConfig> section of the <product_home>/conf/carbon.xml file.
    • For the Business Process, Broker and Analytics profiles, apply the same change to the carbon.xml file at the following locations respectively.
  • For other unsupported products/versions based on WSO2 Carbon Kernel 4 versions
    • Remove all the mappings defined inside the FileUploadConfig tag in <product_home>/repository/conf/carbon.xml
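The carbon.xml mitigation above can be verified rather than assumed. The following is an added example, not WSO2's code or the advisory's: it parses a carbon.xml and reports any <Mapping> entries still defined under <FileUploadConfig>. The XML layout (a <FileUploadConfig> holding <Mapping> elements with <Actions>/<Action> and <Class> children, under the WSO2 default namespace) is assumed to match a typical carbon.xml, and both sample documents are constructed for the example.

```python
# Added example: audit a WSO2 carbon.xml for the FileUploadConfig mitigation.
# Not WSO2's code. The element layout is assumed from a typical carbon.xml and
# the two sample documents below are constructed for this example.
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace ({uri}name -> name) so the check works whether
    or not carbon.xml declares the WSO2 default namespace."""
    return tag.rsplit("}", 1)[-1]


def file_upload_mappings(carbon_xml: str) -> list:
    """Return one dict per <Mapping> still defined under <FileUploadConfig>,
    listing its action names and executor class. An empty list means every
    mapping has been removed, as the advisory's mitigation requires."""
    root = ET.fromstring(carbon_xml)
    found = []
    for cfg in root.iter():
        if _local(cfg.tag) != "FileUploadConfig":
            continue
        for mapping in cfg:
            if _local(mapping.tag) != "Mapping":
                continue
            actions = [a.text.strip() for a in mapping.iter()
                       if _local(a.tag) == "Action" and a.text]
            cls = next((c.text.strip() for c in mapping
                        if _local(c.tag) == "Class" and c.text), "")
            found.append({"actions": actions, "class": cls})
    return found


def is_mitigated(carbon_xml: str) -> bool:
    """True when no file-upload mappings remain."""
    return not file_upload_mappings(carbon_xml)


# Constructed sample: mappings still present (mitigation not applied).
UNMITIGATED = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <FileUploadConfig>
    <TotalFileSizeLimit>100</TotalFileSizeLimit>
    <Mapping>
      <Actions><Action>keystore</Action><Action>certificate</Action></Actions>
      <Class>org.wso2.carbon.ui.transports.fileupload.AnyFileUploadExecutor</Class>
    </Mapping>
    <Mapping>
      <Actions><Action>jarZip</Action></Actions>
      <Class>org.wso2.carbon.ui.transports.fileupload.JarZipUploadExecutor</Class>
    </Mapping>
  </FileUploadConfig>
</Server>"""

# Constructed sample: the same file after all mappings were removed.
MITIGATED = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <FileUploadConfig><TotalFileSizeLimit>100</TotalFileSizeLimit></FileUploadConfig>
</Server>"""
```

To check a live file, read it into a string and pass it to `file_upload_mappings`; each returned entry is a mapping that still needs to be removed.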

Proofpoint has released a Suricata Intrusion Detection System (IDS) signature to assist in the identification of exploitation attempts [5].
