Critical Vulnerability Reported by WSO2

April 26, 2022

Dor Dankner

Post Featured Image

Well known open-source technology provider, WSO2, recently reported a critical vulnerability that would allow for remote code execution by cybercriminals. Known as CVE-2022-29464, the vulnerability received a 9.8 CVSS score and has been added to CISA’s Known Exploited Vulnerabilities Catalog. According to the company’s security advisory, “due to improper validation of user input, a malicious actor could upload an arbitrary file to a user controlled location of the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.” 

The vulnerability has raised concerns from industry leaders as many of WSO2’s products are used by Fortune 500 companies. The advisory noted that WSO2’s API Manager, Identity Server, Enterprise Integrator, and Open Banking products were among those impacted by the threat. If exploited, hackers could gain access to sensitive data, cause a denial of service, and even gain full control over your APIs by using this vulnerability on your API Gateway. Ultimately compromising the integrity, reliability, and privacy of your APIs.

As noted in the security advisory, this vulnerability may affect the following products:

  • WSO2 API Manager 2.2.0, up to 4.0.0
  • WSO2 Identity Server 5.2.0, up to 5.11.0 
  • WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
  • WSO2 Identity Server as Key Manager 5.3.0, up to 5.11.0
  • WSO2 Enterprise Integrator 6.2.0, up to 6.6.0
  • WSO2 Open Banking AM 1.4.0, up to 2.0.0 
  • WSO2 Open Banking KM 1.4.0, up to 2.0.0

We recommend updating your systems to the latest version and checking your webApp directory for any suspicious or new JSP files. If you’re a Noname Security customer, our API Security Platform can detect changes or misconfigurations in your APIs that may have been caused by an attacker. We can identify anomalies in the APIs’ behavior based on historical traffic, the current security posture, and by having an understanding of your business logic.

Noname Security Threat Adversary 

Date Issued

April 26, 2022

Threat Name

CVE-2022-29464

Description

A recent vulnerability in the WSO2 platform allows unauthenticated attackers to upload arbitrary files, which could lead to code execution. An attacker can exploit this vulnerability to gain access to sensitive data, cause a denial of service, and even gain full control over your APIs by using this vulnerability on your API Gateway. This vulnerability can compromise the integrity, reliability, and privacy of your APIs.

Product / Releases impacted

This vulnerability affects many WSO2 products including:

  • WSO2 API Manager 2.2.0 and above
  • WSO2 Identity Server 5.2.0 and above
  • WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
  • WSO2 Identity Server as Key Manager 5.3.0 and above
  • WSO2 Enterprise Integrator 6.2.0 and above

Noname Security Detection

Any abuse to the APIs based on this attack will be detected by the Noname Platform, which identifies anomalies in the APIs’ behavior based on historical traffic, the current security posture, and an understanding of the customer’s business logic.

Recommendation

We recommend updating your systems to the latest version and checking your webApp directory for any suspicious or new JSP files. The Noname API Security Platform can detect changes or misconfigurations in your APIs that may have been caused by an attacker.

Technical information

  • Unauthenticated API for file uploads: /fileupload/*
  • The part after fileupload is the name of the handler that will handle the file ( jarZip, dbs, tools, toolsAny)
  • ToolsAny is used by the attacker because:
    • No check for extension
    • Allows directory traversal in file name
  • Used the API to upload JSP file and placing him under baseApp directory

Resources