DIVD-2022-00026 - WSO2 Remote Code Executions - CVE-2022-29464

Our reference	DIVD-2022-00026
Case lead	Victor Pasman
Author	Pepijn van der Stap
Researcher(s)	Sjors Roelfzema Pepijn van der Stap
CVE(s)	CVE-2022-29464
Product	WSO2 API Manager 2.2.0 and above through 4.0.0; - WSO2 Identity Server 5.2.0 and above through 5.11.0; - WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0; - WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0; - WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0.
Versions	multiple, see products heading!
Recommendation	If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Patch status	Available
Status	Closed
Last modified	20 Nov 2022 15:02

Summary

Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user controlled location of the server. By leveraging the arbitrary file upload vulnerability, it is further possible to gain remote code execution on the server.

Products

| Product Name                        | Product Version | Update Level | WUM Timestamp |
|-------------------------------------|-----------------|:------------:|:-------------:|
| WSO2 API Manager                    |           2.2.0 |           43 | 1642181410159 |
| WSO2 API Manager                    |           2.5.0 |           44 | 1642690416146 |   
| WSO2 API Manager                    |           2.6.0 |           72 | 1642690636270 |   
| WSO2 API Manager                    |           3.0.0 |           70 | 1642180160123 |   
| WSO2 API Manager                    |           3.1.0 |          107 | 1643038989258 |   
| WSO2 API Manager                    |           3.2.0 |          122 | 1643038989258 |   
| WSO2 API Manager                    |           4.0.0 |           64 |           N/A |   
| WSO2 API Manager Analytics          |           2.2.0 |           25 | 1642181410159 |   
| WSO2 API Manager Analytics          |           2.5.0 |           23 | 1642690416146 |   
| WSO2 Identity Server                |           5.2.0 |           22 | 1642180025435 |   
| WSO2 Identity Server                |           5.4.1 |           22 | 1642180082946 |   
| WSO2 Identity Server                |           5.5.0 |           34 | 1642181410159 |   
| WSO2 Identity Server                |           5.6.0 |           27 | 1642690416146 |   
| WSO2 Identity Server                |           5.7.0 |           48 | 1642690636270 |   
| WSO2 Identity Server                |          5.10.0 |          112 | 1643038989258 |   
| WSO2 Identity Server                |           5.8.0 |           39 | 1642181241778 |   
| WSO2 Identity Server                |           5.9.0 |           55 | 1642601723766 |   
| WSO2 Identity Server                |          5.11.0 |          106 |           N/A |   
| WSO2 Identity Server as Key Manager |           5.5.0 |           34 | 1642181410159 |   
| WSO2 Identity Server as Key Manager |           5.6.0 |           23 | 1642690416146 |   
| WSO2 Identity Server as Key Manager |           5.7.0 |           55 | 1642690636270 |   
| WSO2 Identity Server as Key Manager |           5.9.0 |           64 | 1642601723766 |   
| WSO2 Identity Server as Key Manager |          5.10.0 |          115 | 1643038989258 |   
| WSO2 Identity Server Analytics      |           5.4.1 |           16 | 1642180082946 |   
| WSO2 Identity Server Analytics      |           5.5.0 |           25 | 1642181410159 |   
| WSO2 Identity Server Analytics      |           5.6.0 |           29 | 1642690416146 |
| WSO2 Enterprise Integrator          |           6.2.0 |           42 | 1642179902897 |   
| WSO2 Enterprise Integrator          |           6.3.0 |           37 | 1642599930405 |
| WSO2 Enterprise Integrator          |           6.4.0 |           58 | 1642601723766 |
| WSO2 Enterprise Integrator          |           6.5.0 |           55 | 1642599975104 |   
| WSO2 Enterprise Integrator          |           6.6.0 |           79 | 1642599885111 |   

Impact

By leveraging the vulnerability, a malicious actor may perform Remote Code Execution by uploading a specially crafted payload (.WAR file), or upload a jsp webshell.

What you can do

We recommend you to remediate the vulnerability by following WSO2’s advisory
If remediation is not possible, take the instance off the public internet.
Inspect your installation for web shells (.jsp and .class) by inspecting the logs, e.g. for requests to /fileupload. It is also possible that attackers have deployed a .WAR file, so you might want to check the wso2carbon log file as well.

What we are doing

DIVD is currently ensuring that the owners of vulnerable systems are being notified. We do this by scanning for vulnerable hosts, verifying the vulnerability and notifying the owners of these systems. If you receive an email from us regarding this case, the vulnerability has been confirmed.

Timeline

Date	Description
24 Apr 2022	DIVD starts investigating the scope and impact of the vulnerability.
24 Apr 2022	First version of this case file.
15 May 2022	Notified about 450 vulnerable hosts.
01 Jul 2022	Notified 134 host that were still vulnerable.
19 Nov 2022	Sent a final reminder to the 53 hosts that are still vulnerable.
20 Nov 2022	Closing this case.

gantt title DIVD-2022-00026 - WSO2 Remote Code Executions - CVE-2022-29464 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00026 - WSO2 Remote Code Executions - CVE-2022-29464 (210 days) :2022-04-24, 2022-11-20 section Events DIVD starts investigating the scope and impact of the vulnerability. : milestone, 2022-04-24, 0d First version of this case file. : milestone, 2022-04-24, 0d Notified about 450 vulnerable hosts. : milestone, 2022-05-15, 0d Notified 134 host that were still vulnerable. : milestone, 2022-07-01, 0d Sent a final reminder to the 53 hosts that are still vulnerable. : milestone, 2022-11-19, 0d Closing this case. : milestone, 2022-11-20, 0d

DIVD CSIRT