WSO2 Releases Patches for Vulnerabilities in API Manager, Identity Server, and Other Products

23 June 2023 [NO.TCSA : 20230623-1-1-P]


WSO2 Releases Patches for High-Risk Broken Access Control and SQL Injection Vulnerabilities in API Manager, Identity Server, and Other Products

WSO2, a leading provider of open-source API management and identity and access management (IAM) solutions, has issued four security advisories, WSO2-2022-2177, WSO2-2022-2182, WSO2-2022-2023, and WSO2-2022-2101. These advisories detail a series of vulnerabilities affecting WSO2 API Manager, Identity Server, and other related products.

The most severe of these is WSO2-2022-2177. Rated critical (CVSS score 9.4), it is a broken access control flaw in the API endpoints of the notification-based password recovery flow. If exploited, a malicious authenticated actor could impersonate and authenticate as a different targeted user, including an administrator, provided they know the target user's username.

The second advisory, WSO2-2022-2182, is rated high severity (CVSS score 8.3). It describes an SQL injection vulnerability in the OAuth2 endpoint. Exploitation requires the malicious actor to already be authenticated, so the flaw is reachable from any valid account or client, not only from administrators.
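The following is an added illustration of the vulnerability class described above, not code from WSO2 or from the advisory: an authenticated caller supplies a value that a token lookup splices into its SQL text, beside the hardened form that binds the value as a parameter. The table, column names and the choice of the username as the injection point are constructed for this example and say nothing about where the real flaw sits.

```python
from __future__ import annotations

import sqlite3

# Constructed in-memory token table standing in for an OAuth2 server's
# token store. Not WSO2's schema; it exists only to make the two lookups runnable.


def build_token_store() -> sqlite3.Connection:
    """Create the constructed table with one ordinary user token and one admin token."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access_token ("
        "token TEXT, client_id TEXT, username TEXT, scope TEXT)"
    )
    conn.executemany(
        "INSERT INTO access_token VALUES (?, ?, ?, ?)",
        [
            ("tok-alice-1", "app1", "alice", "openid"),
            ("tok-admin-1", "app1", "admin", "openid admin"),
        ],
    )
    return conn


def tokens_for_user_vulnerable(conn: sqlite3.Connection, client_id: str, username: str) -> list[str]:
    """Vulnerable pattern: caller-controlled values are spliced into the SQL text."""
    sql = (
        "SELECT token FROM access_token "
        f"WHERE client_id = '{client_id}' AND username = '{username}'"
    )
    return [row[0] for row in conn.execute(sql)]


def tokens_for_user_safe(conn: sqlite3.Connection, client_id: str, username: str) -> list[str]:
    """Hardened form: bound parameters, so the input is treated as data, never as SQL."""
    sql = "SELECT token FROM access_token WHERE client_id = ? AND username = ?"
    return [row[0] for row in conn.execute(sql, (client_id, username))]


def demo() -> tuple[list[str], list[str]]:
    """Run both lookups with the same injected username and return both results."""
    conn = build_token_store()
    # An authenticated client (alice) submits a crafted username value.
    # In the vulnerable query the trailing OR '1'='1' widens the WHERE clause
    # to every row, so the admin token is returned alongside alice's own.
    injected = "alice' OR '1'='1"
    leaked = tokens_for_user_vulnerable(conn, "app1", injected)
    safe = tokens_for_user_safe(conn, "app1", injected)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)
    print("parameterised query returned:", safe)
```

The parameterised lookup returns nothing for the crafted value because no username literally equals the injected string; the string-built query returns both tokens. The fix is the same in Java or any other language: never build the statement text from caller input, bind it.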

WSO2-2022-2023 describes a medium-severity issue (CVSS score 5.4) in access token revocation. When a user account is disabled or locked, the user's access tokens are not completely revoked if the user holds authorizations for more than one client application, so some tokens issued to that account can remain usable after it has been locked.
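As an added illustration of this failure mode, and not WSO2's code or an account of how the real flaw is implemented, the following models a token store where a user holds tokens for several client applications. A hypothetical lock handler that only revokes the tokens of one application is shown beside the correct handler that revokes every live token the user holds, together with the audit an administrator would run to find locked accounts that still have active tokens. The store, the token values and the buggy routine are all constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Token:
    value: str
    username: str
    client_id: str
    revoked: bool = False


class TokenStore:
    """Constructed in-memory token store; not WSO2's token persistence."""

    def __init__(self) -> None:
        self.tokens: list[Token] = []

    def issue(self, value: str, username: str, client_id: str) -> Token:
        tok = Token(value, username, client_id)
        self.tokens.append(tok)
        return tok

    def active_tokens(self, username: str) -> list[str]:
        return [t.value for t in self.tokens if t.username == username and not t.revoked]


def revoke_on_lock_incomplete(store: TokenStore, username: str) -> int:
    """Hypothetical buggy pattern: the lock handler resolves the user's
    authorization for a single client application and revokes only that
    application's tokens, leaving tokens for the other applications usable."""
    apps = sorted({t.client_id for t in store.tokens if t.username == username})
    if not apps:
        return 0
    first_app = apps[0]
    count = 0
    for t in store.tokens:
        if t.username == username and t.client_id == first_app and not t.revoked:
            t.revoked = True
            count += 1
    return count


def revoke_on_lock_complete(store: TokenStore, username: str) -> int:
    """Correct behaviour: revoke every live token the user holds, across all applications."""
    count = 0
    for t in store.tokens:
        if t.username == username and not t.revoked:
            t.revoked = True
            count += 1
    return count


def audit_locked_users(store: TokenStore, locked_users: set[str]) -> dict[str, list[str]]:
    """Post-patch check: report any locked or disabled user who still has an active token."""
    findings: dict[str, list[str]] = {}
    for user in sorted(locked_users):
        live = store.active_tokens(user)
        if live:
            findings[user] = live
    return findings


def build_store() -> TokenStore:
    """Constructed sample data: bob is authorized for two applications, carol for one."""
    store = TokenStore()
    store.issue("tok-bob-app1", "bob", "app1")
    store.issue("tok-bob-app2", "bob", "app2")
    store.issue("tok-carol-app1", "carol", "app1")
    return store


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Lock bob under each handler and return what the audit finds in each case."""
    buggy = build_store()
    revoke_on_lock_incomplete(buggy, "bob")
    fixed = build_store()
    revoke_on_lock_complete(fixed, "bob")
    return audit_locked_users(buggy, {"bob"}), audit_locked_users(fixed, {"bob"})


if __name__ == "__main__":
    incomplete, complete = demo()
    print("still active after incomplete revocation:", incomplete)
    print("still active after complete revocation:", complete)
```

With the incomplete handler the audit reports bob's second-application token as still active; with the complete handler it reports nothing, and carol's token is untouched in both cases. The audit function is the part worth keeping: run the equivalent query against a real token store after patching to confirm that previously locked accounts hold no live tokens.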

Lastly, WSO2-2022-2101 flags a low-severity vulnerability (CVSS score 2.3): when JDBCIdentityDataStore is configured as the identity data store and it holds no value for an identity claim, the claim value is retrieved from the user store instead.

Affected Products

WSO2-2022-2177 – Broken Access Control Vulnerability

  • API Manager 3.0.0
    • Default profile (all-in-one)
  • API Manager 3.1.0, 3.2.0 limited to the following profiles:
    • Default profile (all-in-one)
    • Api-devportal profile
    • Api-key-manager profile
  • API Manager 4.0.0, 4.1.0 limited to the following profiles:
    • Default profile (all-in-one)
    • Control-plane profile
  • WSO2 Identity Server 5.3.0, 5.4.0, 5.4.1, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 6.0.0
  • WSO2 Identity Server as Key Manager 5.3.0, 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0
  • WSO2 Open Banking AM 1.3.0, 1.4.0, 1.5.0, 2.0.0, 3.0.0
  • WSO2 Open Banking IS-KM 1.3.0, 1.4.0, 1.5.0
  • WSO2 Open Banking IAM 2.0.0, 3.0.0

WSO2-2022-2182 – SQL Injection Vulnerability

  • API Manager 3.1.0, 3.2.0 limited to the following profiles:
    • Default profile (all-in-one)
    • Api-devportal profile
    • Api-key-manager profile
    • Api-publisher profile
  • API Manager 4.0.0, 4.1.0 limited to the following profiles:
    • Default profile (all-in-one)
    • Control-plane profile
  • WSO2 Identity Server 5.10.0, 5.11.0
  • WSO2 Identity Server as Key Manager 5.10.0
  • WSO2 Open Banking AM 2.0.0, 3.0.0
  • WSO2 Open Banking IAM 2.0.0, 3.0.0

WSO2-2022-2023 – Access Tokens Revoke Vulnerability

  • WSO2 API Manager 3.0.0, 3.1.0, 3.2.0, 4.0.0, 4.1.0
  • WSO2 Identity Server as Key Manager 5.9.0, 5.10.0
  • WSO2 Identity Server 5.9.0, 5.10.0, 5.11.0

WSO2-2022-2101 – Identity Data Store Value Vulnerability

  • WSO2 API Manager 3.0.0, 3.1.0, 3.2.0, 4.0.0, 4.1.0
  • WSO2 Identity Server as Key Manager 5.9.0, 5.10.0
  • WSO2 Identity Server 5.8.0, 5.9.0, 5.10.0, 5.11.0, 6.0.0

Note: WSO2 releases security patches for all product versions listed in the WSO2 Support Matrix, in both Available and Deprecated support status. These vulnerabilities may also affect older product versions that are now in Extended or Discontinued status, for which no patch may be provided.

Mitigation

WSO2 has issued security updates as outlined in the advisories. TechCERT strongly recommends that all administrators of affected systems review the advisories, confirm which deployment profiles they run (several of the listed API Manager versions are affected only in specific profiles), and apply the updates promptly. For WSO2-2022-2023 in particular, administrators should also check whether access tokens issued before the update remain active for accounts that are disabled or locked, and revoke any that do.
