Critical Vulnerability in Multiple WSO2 Products Exploited – CVE-2022-29464

Share :

CVE-2022-29464 Summary

Over the past week, threat actors have started scanning for and opportunistically exploiting CVE-2022-29464–a remote code execution vulnerability in multiple WSO2 products used to integrate application programming interfaces (API), applications, and web services. CVE-2022-29464 vulnerability has a CVSS score of 9.8 and severity of Critical which allowed unauthenticated and remote attackers to execute arbitrary code in the following products:

Product

Versions

 WSO2 API Manager  2.2.0 and above
 WSO2 Identity Server  5.2.0 and above
 WSO2 Identity Server Analytics  5.4.0, 5.4.1, 5.5.0, 5.6.0
 WSO2 Identity Server as Key Manager  5.3.0 and above
 WSO2 Enterprise Integrator  6.2.0 and above
 WSO2 Open Banking AM  1.4.0 and above
 WSO2 Open Banking KM  1.4.0 and above

 

Due to improper user input validation, threat actors can upload arbitrary files to a user-controlled location on the server, which could lead to remote code execution. Threat actors are leveraging a slightly modified proof-of-concept (PoC) exploit to install web shells and coin miners on both Linux and Windows installations.

Recommendations

Recommendation #1: Apply Applicable Security Patch

All supported product versions received patches in February 2022. If you are a WSO2 customer with a Support Subscription, use WSO2 Updates to apply the relevant patch. If you are not leveraging a Support Subscription or are using an end-of-life product, apply the relevant security patch from the following GitHub repositories:

Recommendation #2: Apply Applicable Temporary Workarounds

If applying the latest security patch is not feasible, apply the temporary mitigation steps provided by WSO2. The workarounds have been tested against general use cases. However, we recommend following change management best practices by testing changes in a dev environment before deploying to production.

References

Steven Campbell

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.
Share :
Table of Contents
Categories