CVE-2022-29464 Summary
Over the past week, threat actors have started scanning for and opportunistically exploiting CVE-2022-29464, a remote code execution vulnerability in multiple WSO2 products used to integrate application programming interfaces (APIs), applications, and web services. CVE-2022-29464 carries a CVSS score of 9.8 (Critical) and allows unauthenticated remote attackers to execute arbitrary code in the following products:
| Product | Affected versions |
|---|---|
| WSO2 API Manager | 2.2.0 and above |
| WSO2 Identity Server | 5.2.0 and above |
| WSO2 Identity Server Analytics | 5.4.0, 5.4.1, 5.5.0, 5.6.0 |
| WSO2 Identity Server as Key Manager | 5.3.0 and above |
| WSO2 Enterprise Integrator | 6.2.0 and above |
| WSO2 Open Banking AM | 1.4.0 and above |
| WSO2 Open Banking KM | 1.4.0 and above |
Due to improper validation of user input, an attacker can upload an arbitrary file to a location on the server that the attacker chooses, which can lead to remote code execution. Threat actors are using a slightly modified public proof-of-concept (PoC) exploit to install web shells and coin miners on both Linux and Windows installations.
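The bug class described above, shown as an added example that is not WSO2 code and does not reproduce the actual vulnerable endpoint: a minimal upload handler that trusts the client-supplied file name sits beside a hardened version that allow-lists the name and extension and re-checks the resolved path. The directory layout (an `uploads/` directory next to a deployable `webapps/` tree), the function names and the sample request are all constructed for illustration.

```python
"""
Added example (not WSO2 code): the arbitrary-file-upload bug class behind
CVE-2022-29464, as a vulnerable handler beside a hardened one.
Directory names, function names and the sample upload are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Constructed policy: only these extensions may be uploaded, and a name must be
# a single plain path component (no separators, so no traversal).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def is_safe_filename(filename: str) -> bool:
    """True only for a plain, allow-listed file name with no traversal."""
    if not SAFE_NAME.fullmatch(filename) or filename in {".", ".."}:
        return False
    return Path(filename).suffix.lower() in ALLOWED_EXTENSIONS


def save_upload_vulnerable(base_dir: Path, filename: str, data: bytes) -> Path:
    """Vulnerable: concatenates the client-supplied name onto the upload dir.

    '..' segments escape base_dir/uploads, so the client controls both where
    the file lands and (via the extension) what the server will do with it.
    """
    dest = Path(os.path.normpath(base_dir / "uploads" / filename))  # no validation
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def save_upload_hardened(base_dir: Path, filename: str, data: bytes) -> Path:
    """Hardened: server picks the directory, validates the name, then confirms
    the resolved path is still inside that directory before writing."""
    upload_dir = (base_dir / "uploads").resolve()
    upload_dir.mkdir(parents=True, exist_ok=True)
    if not is_safe_filename(filename):
        raise ValueError("rejected file name or type")
    dest = (upload_dir / filename).resolve()
    if upload_dir not in dest.parents:  # defence in depth
        raise ValueError("path escaped upload directory")
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Runs both handlers against a constructed web-shell upload attempt and
    reports where the vulnerable handler wrote, and what the hardened one did."""
    root = Path(tempfile.mkdtemp())
    # Constructed attacker input: traverse out of uploads/ into a deployable
    # web application directory and drop a JSP.
    evil_name = "../webapps/ROOT/shell.jsp"
    payload = b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'

    written = save_upload_vulnerable(root, evil_name, payload)
    escaped = (root / "uploads").resolve() not in written.resolve().parents

    try:
        save_upload_hardened(root, evil_name, payload)
        blocked = False
    except ValueError:
        blocked = True

    # A benign upload still succeeds through the hardened handler.
    benign = save_upload_hardened(root, "report.pdf", b"%PDF-1.4")

    return {
        "vulnerable_wrote_to": written.relative_to(root).as_posix(),
        "vulnerable_escaped_upload_dir": escaped,
        "hardened_blocked_shell": blocked,
        "hardened_accepted_benign": benign.name == "report.pdf",
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler does three independent things: it rejects any name that is not a single path component, it allow-lists extensions so server-executable types such as `.jsp` never pass, and it re-checks the resolved destination against the upload directory so a bypass of the first two checks still cannot write elsewhere. Either of the first two alone is a common but incomplete fix.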
Recommendations
Recommendation #1: Apply Applicable Security Patch
All supported product versions received patches in February 2022. If you are a WSO2 customer with a Support Subscription, apply the relevant patch through the update channel provided with your subscription. If you do not have a Support Subscription or are using an end-of-life product, apply the relevant security patch from the following GitHub repositories:
Recommendation #2: Apply Applicable Temporary Workarounds
If applying the latest security patch is not feasible, apply the temporary workarounds published by WSO2. The workarounds have been tested against general use cases; however, we recommend following change management best practice by testing the changes in a development environment before deploying them to production.
References
- WSO2 Security Advisory:
- PoC Exploit: