A Critical Unauthenticated Remote Code Execution (RCE) Flaw Found in WSO2 API Manager, Identity Server & Enterprise Integrator

PUBLISHED:
21 April 2022

Remote Code Execution (RCE) Flaw Found in WSO2 API Manager, Identity Server & Enterprise Integrator

A Critical Unauthenticated Remote Code Execution (RCE) through an arbitrary file upload was found in the management console of WSO2 API Manager, Identity Server, Enterprise Integrator. The vulnerability has a CVSSv3 score of 9.8 out of 10, which indicates the issue is critical. The flaw is assigned with CVE-2022-29464 & WSO2 Security Advisory WSO2-2021-1738. Proof of Concept of exploits is available for the vulnerability. By leveraging the vulnerability, an unauthenticated malicious attacker may perform a remote code execution through arbitrary file upload and perform a complete server/system take over.

Affected Versions

• WSO2 API Manager 2.2.0 and above
• WSO2 Identity Server 5.2.0 and above
• WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
• WSO2 Identity Server as Key Manager 5.3.0 and above
• WSO2 Enterprise Integrator 6.2.0 and above

Mitigation

Apply the security updates released by WSO2 or migrate to the latest version of the product. Additionally, WSO2 has released temporary mitigations which is available in Security Advisory WSO2-2021-1738.

More Information

• Security Advisory WSO2-2021-1738 – https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
• Detailed Guide of Root Cause – https://github.com/hakivvi/CVE-2022-29464