
DIVD-2022-00026 - WSO2 Remote Code Executions - CVE-2022-29464

Our reference DIVD-2022-00026
Case lead Victor Pasman
Author Pepijn van der Stap
Researcher(s)
CVE(s)
Product
- WSO2 API Manager 2.2.0 and above through 4.0.0
- WSO2 Identity Server 5.2.0 and above through 5.11.0
- WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0, and 5.6.0
- WSO2 Identity Server as Key Manager 5.3.0 and above through 5.10.0
- WSO2 Enterprise Integrator 6.2.0 and above through 6.6.0
Versions multiple, see the Products section.
Recommendation If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Patch status Available
Status Closed
Last modified 20 Nov 2022 15:02 CET

Summary

Due to improper validation of user input, a malicious actor could upload an arbitrary file to a user-controlled location on the server. By leveraging this arbitrary file upload, it is further possible to gain remote code execution on the server.

Products

| Product Name                        | Product Version | Update Level | WUM Timestamp |
|-------------------------------------|-----------------|:------------:|:-------------:|
| WSO2 API Manager                    |           2.2.0 |           43 | 1642181410159 |
| WSO2 API Manager                    |           2.5.0 |           44 | 1642690416146 |   
| WSO2 API Manager                    |           2.6.0 |           72 | 1642690636270 |   
| WSO2 API Manager                    |           3.0.0 |           70 | 1642180160123 |   
| WSO2 API Manager                    |           3.1.0 |          107 | 1643038989258 |   
| WSO2 API Manager                    |           3.2.0 |          122 | 1643038989258 |   
| WSO2 API Manager                    |           4.0.0 |           64 |           N/A |   
| WSO2 API Manager Analytics          |           2.2.0 |           25 | 1642181410159 |   
| WSO2 API Manager Analytics          |           2.5.0 |           23 | 1642690416146 |   
| WSO2 Identity Server                |           5.2.0 |           22 | 1642180025435 |   
| WSO2 Identity Server                |           5.4.1 |           22 | 1642180082946 |   
| WSO2 Identity Server                |           5.5.0 |           34 | 1642181410159 |   
| WSO2 Identity Server                |           5.6.0 |           27 | 1642690416146 |   
| WSO2 Identity Server                |           5.7.0 |           48 | 1642690636270 |   
| WSO2 Identity Server                |          5.10.0 |          112 | 1643038989258 |   
| WSO2 Identity Server                |           5.8.0 |           39 | 1642181241778 |   
| WSO2 Identity Server                |           5.9.0 |           55 | 1642601723766 |   
| WSO2 Identity Server                |          5.11.0 |          106 |           N/A |   
| WSO2 Identity Server as Key Manager |           5.5.0 |           34 | 1642181410159 |   
| WSO2 Identity Server as Key Manager |           5.6.0 |           23 | 1642690416146 |   
| WSO2 Identity Server as Key Manager |           5.7.0 |           55 | 1642690636270 |   
| WSO2 Identity Server as Key Manager |           5.9.0 |           64 | 1642601723766 |   
| WSO2 Identity Server as Key Manager |          5.10.0 |          115 | 1643038989258 |   
| WSO2 Identity Server Analytics      |           5.4.1 |           16 | 1642180082946 |   
| WSO2 Identity Server Analytics      |           5.5.0 |           25 | 1642181410159 |   
| WSO2 Identity Server Analytics      |           5.6.0 |           29 | 1642690416146 |
| WSO2 Enterprise Integrator          |           6.2.0 |           42 | 1642179902897 |   
| WSO2 Enterprise Integrator          |           6.3.0 |           37 | 1642599930405 |
| WSO2 Enterprise Integrator          |           6.4.0 |           58 | 1642601723766 |
| WSO2 Enterprise Integrator          |           6.5.0 |           55 | 1642599975104 |   
| WSO2 Enterprise Integrator          |           6.6.0 |           79 | 1642599885111 |   

Impact

By leveraging the vulnerability, a malicious actor may achieve remote code execution by uploading a specially crafted payload (a .WAR file) or a JSP web shell.
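As an added illustration of the bug class this case describes (example code, not WSO2's own): an upload handler that joins a client-supplied file name onto its upload directory lets `..` components redirect the write into a directory the application server deploys from, which is how an uploaded .war or .jsp turns into code execution. The directory paths and the list of rejected file types are assumed placeholders.

```python
"""Flawed upload-destination logic beside a hardened version.
Added example for the arbitrary-file-upload class behind CVE-2022-29464;
paths and suffix list are assumptions, not WSO2 configuration."""
from pathlib import Path, PurePosixPath

UPLOAD_ROOT = Path("/opt/app/uploads")      # assumed: where uploads belong
# Assumed: suffixes a Java application server would execute rather than store.
EXECUTABLE_SUFFIXES = {".war", ".jsp", ".jspx", ".jar"}


def vulnerable_destination(filename: str) -> Path:
    """The flawed pattern: the client-supplied name is joined onto the upload
    root as-is, so '../webapps/shell.war' resolves outside UPLOAD_ROOT."""
    return (UPLOAD_ROOT / filename).resolve()


def escapes_upload_root(filename: str) -> bool:
    """True when the flawed handler would write outside UPLOAD_ROOT.
    Useful for reviewing logged upload names after the fact."""
    return UPLOAD_ROOT.resolve() not in vulnerable_destination(filename).parents


def safe_destination(filename: str) -> Path:
    """Hardened variant: accept only a bare base name, refuse NUL bytes and
    server-executable types, and prove the final path stays under UPLOAD_ROOT."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or invalid file name")
    # Normalise Windows separators so 'a\\..\\b' cannot slip past the check.
    name = PurePosixPath(filename.replace("\\", "/")).name
    if not name or name in {".", ".."}:
        raise ValueError("empty or invalid file name")
    if name != filename:
        raise ValueError(f"path components not allowed in file name: {filename!r}")
    if PurePosixPath(name).suffix.lower() in EXECUTABLE_SUFFIXES:
        raise ValueError(f"server-executable file type rejected: {name}")
    dest = (UPLOAD_ROOT / name).resolve()
    if UPLOAD_ROOT.resolve() not in dest.parents:   # defence in depth
        raise ValueError("destination escapes upload root")
    return dest


def accepts(filename: str) -> bool:
    """Convenience wrapper: does the hardened handler accept this name?"""
    try:
        safe_destination(filename)
    except ValueError:
        return False
    return True
```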

What you can do

What we are doing

Timeline

| Date        | Description                                                        |
|-------------|--------------------------------------------------------------------|
| 24 Apr 2022 | DIVD starts investigating the scope and impact of the vulnerability. |
| 24 Apr 2022 | First version of this case file.                                   |
| 15 May 2022 | Notified about 450 vulnerable hosts.                               |
| 01 Jul 2022 | Notified 134 hosts that were still vulnerable.                     |
| 19 Nov 2022 | Sent a final reminder to the 53 hosts that are still vulnerable.   |
| 20 Nov 2022 | Closing this case.                                                 |

More information