Critical Vulnerabilities Found in WSO2 Products

WSO2 has announced the discovery of critical vulnerabilities in its “API Manager” and “Identity Server” products. These vulnerabilities allow attackers to bypass authentication mechanisms or reset user passwords, which puts high-privilege accounts such as administrators at particular risk; a successful attack could give an attacker unauthorized access to, and control over, the system. WSO2 recommends that users apply the security updates and the recommended security measures to keep their systems safe.

Authentication Vulnerability in REST API Endpoints

The authentication vulnerability found in the REST API endpoints exists in WSO2 API Manager version 4.2.0 and is classified as a very high-risk issue (CVSS score 9.4). By exploiting this vulnerability, attackers can bypass authentication checks by manipulating REST API routes. This allows them to log in to the system on behalf of other users, such as admins, and gain their privileges. As a result, it could lead to unauthorized access to the system and control over critical resources.

Vulnerability in SOAP Admin Services

The second vulnerability was found in several versions of WSO2 API Manager, Identity Server, and Open Banking products. It is rated very high risk (CVSS score 9.8) when the affected services are exposed publicly, and high risk (CVSS score 8.8) when they are reachable only from a trusted network. The flaw lies in the “/services” context path, where the authentication of the admin services is weak. By exploiting it, attackers could reset user passwords and take over high-privilege accounts such as administrators; if the services are exposed to the internet, this would allow attackers to remotely gain full control over critical accounts, including administrator accounts.
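Because the severity of this issue depends on whether the “/services” context path is reachable from untrusted networks, a defender's first question is whether that path is being hit from outside. The following Python check is an added example (not part of the advisory or WSO2's own tooling): it scans reverse-proxy access log lines for requests to the “/services” admin context from addresses outside an assumed set of trusted management networks. The log lines, the trusted CIDR ranges and the service name `ExampleAdminService` are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed trusted management networks; adjust to your own deployment.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Combined-format access log line as written by a reverse proxy in front of WSO2.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_admin_services_request(path: str) -> bool:
    """True when the request targets the SOAP admin services context path.

    Compares the path component only, so query strings (e.g. ?wsdl) are ignored
    and look-alike prefixes such as /servicesx are not matched.
    """
    p = urlsplit(path).path
    return p == "/services" or p.startswith("/services/")


def find_exposed_admin_service_hits(log_lines):
    """Return (source_ip, path, status) for /services requests from untrusted networks."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_admin_services_request(m["path"]):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed source address, skip the line
        if any(src in net for net in TRUSTED_NETS):
            continue  # management traffic from inside the trusted networks
        hits.append((m["ip"], urlsplit(m["path"]).path, int(m["status"])))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.1.5 - - [01/Jan/2024:10:00:00 +0000] "POST /services/ExampleAdminService HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /services/ExampleAdminService?wsdl HTTP/1.1" 200 734',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /api/am/publisher/v4/apis HTTP/1.1" 401 0',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /servicesx HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, path, status in find_exposed_admin_service_hits(SAMPLE_LOG):
        print(f"admin services reached from untrusted source {ip}: {path} -> {status}")
```

Any hit from an untrusted source means the admin services context is exposed and the 9.8 rating applies; restrict the path at the proxy or firewall and apply the vendor update.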

UZCERT recommends users of WSO2 products to install the latest security updates as soon as possible.
