CERT-In Advisory
CIAD-2022-0012
WSO2 Products Remote Code Execution Vulnerability
Original Issue Date: April 23, 2022
Severity Rating: Critical
Systems Affected
- WSO2 API Manager version 2.2.0 and above
- WSO2 Identity Server version 5.2.0 and above
- WSO2 Identity Server Analytics version 5.4.0, 5.4.1, 5.5.0, 5.6.0
- WSO2 Identity Server as Key Manager version 5.3.0 and above
- WSO2 Enterprise Integrator version 6.2.0 and above
Overview
A vulnerability has been reported in various WSO2 products which could be exploited by a remote attacker to execute arbitrary code on the targeted system.
Description
This vulnerability exists in various WSO2 products due to improper validation of user input. A remote attacker could exploit this vulnerability by uploading an arbitrary file to a user-controlled location on the server.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted system.
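The defect class described above, as an added illustration that is not WSO2's code and not the fix from the linked pull requests: the vulnerable pattern lets the client-supplied filename decide where the upload is written, while the hardened version strips directory components, allowlists extensions, assigns a server-generated name and confirms the resolved path stays under the upload root. UPLOAD_ROOT, ALLOWED_EXTENSIONS and the sample filenames are assumptions made for the example.

```python
import os
import re
import uuid
from pathlib import Path

# Assumed upload directory; in a real deployment this is a fixed path that the
# web container never serves or deploys from.
UPLOAD_ROOT = Path("/tmp/demo_uploads")

# Allowlist of the extensions the application actually needs to accept.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf", ".txt"}

# A plain filename: no separators, no traversal, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def unsafe_destination(user_filename: str) -> Path:
    """Vulnerable pattern: the client-supplied name is joined to the root
    unchecked, so '../' sequences choose the write location."""
    return UPLOAD_ROOT / user_filename


def escapes_root(path: Path) -> bool:
    """True if the candidate path resolves outside UPLOAD_ROOT."""
    return UPLOAD_ROOT.resolve() not in path.resolve().parents


def safe_destination(user_filename: str) -> Path:
    """Hardened pattern: validate the name, allowlist the extension, and let
    the server (not the client) pick the final path."""
    # Drop any directory component the client sent, for both separator styles.
    name = user_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not SAFE_NAME.match(name) or name.startswith("."):
        raise ValueError("invalid filename")
    # Only the last extension counts, so 'shell.pdf.jsp' is rejected.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext}")
    dest = UPLOAD_ROOT / f"{uuid.uuid4().hex}{ext}"
    # Defence in depth: confirm the resolved path is still inside the root.
    if escapes_root(dest):
        raise ValueError("path escapes upload root")
    return dest


def rejected(user_filename: str) -> bool:
    """Helper for checks: True if the hardened path refuses the name."""
    try:
        safe_destination(user_filename)
    except ValueError:
        return True
    return False
```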
Solution
- Upgrade to the latest version of the affected WSO2 product.
- Users may also apply the relevant fixes referenced at the URLs below:
https://github.com/wso2/carbon-kernel/pull/3152
https://github.com/wso2/carbon-identity-framework/pull/3864
https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/167
Vendor Information
WSO2
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
References
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
https://github.com/hakivvi/CVE-2022-29464
CVE Name
CVE-2022-29464
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India