Over the past week, threat actors have started scanning for and opportunistically exploiting CVE-2022-29464, a remote code execution vulnerability in multiple WSO2 products used to integrate application programming interfaces (APIs), applications, and web services. The vulnerability has a CVSS score of 9.8 (Critical) and allows unauthenticated remote attackers to execute arbitrary code in the following products:
| Product | Affected versions |
|---|---|
| WSO2 API Manager | 2.2.0 and above |
| WSO2 Identity Server | 5.2.0 and above |
| WSO2 Identity Server Analytics | 5.4.0, 5.4.1, 5.5.0, 5.6.0 |
| WSO2 Identity Server as Key Manager | 5.3.0 and above |
| WSO2 Enterprise Integrator | 6.2.0 and above |
| WSO2 Open Banking AM | 1.4.0 and above |
| WSO2 Open Banking KM | 1.4.0 and above |
Due to improper validation of user input, threat actors can upload arbitrary files to a user-controlled location on the server, which can lead to remote code execution. Threat actors are using a slightly modified proof-of-concept (PoC) exploit to install web shells and coin miners on both Linux and Windows installations.
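Because exploitation starts with an upload request, reviewing web server access logs for unexpected POSTs to the upload servlet is a practical first triage step. The following detection script is an added example, not code from the advisory or from WSO2; it assumes the Carbon file-upload servlet is reachable under the `/fileupload` path prefix and that the access log uses the combined log format, and the log lines in it are constructed samples.

```python
import re
from collections import defaultdict

# Combined log format: client ip, identd, user, [timestamp], "request line", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed path prefix of the WSO2 Carbon file-upload servlet (not stated in the advisory text).
UPLOAD_PREFIX = "/fileupload"

# Constructed sample log lines; the addresses are documentation ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Apr/2022:10:14:02 +0000] "POST /fileupload/toolsAny HTTP/1.1" 200 512 "-" "python-requests/2.27.1"',
    '198.51.100.9 - - [25/Apr/2022:10:14:05 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Apr/2022:10:14:09 +0000] "POST /fileupload/toolsAny HTTP/1.1" 500 218 "-" "python-requests/2.27.1"',
]

def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_attempts(lines):
    """Return one record per POST to the upload servlet.

    A 200 response on an unexpected upload from an external client is the strongest
    signal; non-200 responses still indicate scanning and are kept for context.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(UPLOAD_PREFIX):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": int(rec["status"]),
                "ua": rec["ua"],
            })
    return hits

def summarize_by_ip(hits):
    """Count upload attempts per source address so repeat scanners stand out."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    attempts = find_upload_attempts(SAMPLE_LOG)
    for a in attempts:
        print(f'{a["ts"]} {a["ip"]} {a["path"]} -> {a["status"]} ({a["ua"]})')
    print(summarize_by_ip(attempts))
```

Any hit from an address that is not a known administrator should be followed by a check of the deployment directories for newly written files, since a successful upload is what precedes the web shell or miner.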
Recommendation #1: Apply Applicable Security Patch
All supported product versions received patches in February 2022. If you are a WSO2 customer with a Support Subscription, use WSO2 Updates to apply the relevant patch. If you are not leveraging a Support Subscription or are using an end-of-life product, apply the relevant security patch from the following GitHub repositories:
Recommendation #2: Apply Applicable Temporary Workarounds
If applying the latest security patch is not feasible, apply the temporary mitigation steps provided by WSO2 here. The workarounds have been tested against general use cases; however, we recommend following change management best practices by testing the changes in a development environment before deploying them to production.
- WSO2 Security Advisory: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1738
- PoC Exploit: https://github.com/hakivvi/CVE-2022-29464