Critical Vulnerability in Multiple WSO2 Products Exploited – CVE-2022-29464

CVE-2022-29464 Summary

Over the past week, threat actors have started scanning for and opportunistically exploiting CVE-2022-29464–a remote code execution vulnerability in multiple WSO2 products used to integrate application programming interfaces (API), applications, and web services. CVE-2022-29464 vulnerability has a CVSS score of 9.8 and severity of Critical which allowed unauthenticated and remote attackers to execute arbitrary code in the following products:

Due to improper user input validation, threat actors can upload arbitrary files to a user-controlled location on the server, which could lead to remote code execution. Threat actors are leveraging a slightly modified proof-of-concept (PoC) exploit to install web shells and coin miners on both Linux and Windows installations.

Recommendations

Recommendation #1: Apply Applicable Security Patch

All supported product versions received patches in February 2022. If you are a WSO2 customer with a Support Subscription, use WSO2 Updates to apply the relevant patch. If you are not leveraging a Support Subscription or are using an end-of-life product, apply the relevant security patch from the following GitHub repositories:

• https://github.com/wso2/carbon-kernel/pull/3152
• https://github.com/wso2/carbon-identity-framework/pull/3864
• https://github.com/wso2-extensions/identity-carbon-auth-rest/pull/167

Recommendation #2: Apply Applicable Temporary Workarounds

If applying the latest security patch is not feasible, apply the temporary mitigation steps provided by WSO2 here. The workarounds have been tested against general use cases. However, we recommend following change management best practices by testing changes in a dev environment before deploying to production.

References

• WSO2 Security Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
• PoC Exploit: https://github.com/hakivvi/CVE-2022-29464