Warning: Remote code execution vulnerability affecting various WSO2 products
CVE-2022-29464
Risks
This vulnerability was published by MITRE on April 18th, A technical write-up and Proof-Of-Concept exploit were released on April 20th. There are sources reporting that attackers are exploiting CVE-2022-29464 in the wild. The current attacks are considered as opportunistic, where the payload is very similar to the PoC code, with the intent to drop coin miners and web shells on multiple vulnerable targets.
Remark: Victim systems include both Windows and Linux installations.
The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
Description
The objective of this alert is to raise awareness about a remote code execution vulnerability in various WSO2 products.
WSO2 is a middleware vendor that sells open-source application program interface (API) management software. The company provides users with an enterprise platform that eases the integration of APIs, web services and applications. Customers can use WSO2 products to develop and reuse components as well as manage integrations on-premises and in the cloud.
The vulnerability originates in an unauthenticated unrestricted arbitrary file upload function which allows a remote unauthenticated attacker to gain remote code execution on a vulnerable WSO2 server after uploading a malicious JSP/War file with web shell capabilities.
Recommended Actions
Scope
Create an inventory that includes all the software from your organisation and check per entry if it's vulnerable.
Vulnerable WSO2 software:
- WSO2 API Manager 2.2.0 and above
- WSO2 Identity Server 5.2.0 and above
- WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, 5.6.0
- WSO2 Identity Server as Key Manager 5.3.0 and above
- WSO2 Enterprise Integrator 6.2.0 and above
- WSO2 Open Banking AM 1.4.0 and above
- WSO2 Open Banking KM 1.4.0 and above
Mitigate
If upgrading isn't possible, WSO provided on their website temporary mitigation steps per product.
Source: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
Patch
If you are a WSO2 customer with a Support Subscription, please use WSO2 Updates to apply the fix.
WSO2 has provided temporary mitigations to the customers in January 2022 and delivered the fixes for all the supported product versions listed under the WSO2 Support Matrix ("available" and "deprecated" status) in February.
If you are an open-source user or using a product version that is EOL (End of License) :
You may migrate to the latest version of the product if the latest version is not listed under the affected products list. Otherwise, you may apply the relevant fixes to the product based on the public fixes as given below:
• https://github.com/wso2/carbon-kernel/pull/3152
• https://github.com/wso2/carbon-identity-framework/pull/3864
• https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/167
Source: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
Monitor/Detect
The CCB advises organisations to upscale monitoring and detection capabilities, to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
- Inspect for recent uploaded malicious/unknown files such as web shells ( File-extension: .jsp and .class)
- Inspect for recent uploaded malicious/unknown war files in the webappsdirectory
- Examine the resources load of the server for coin miner activity (High CPU, High Memory usage)
- Examine the server’s http_access log as a possible source of malicious behavior
- Requests to /fileupload/toolsAny
- Requests to webappsdirectory