Published: 17th August 2020
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
WSO2 API Manager : 3.1.0 or earlier
WSO2 API Manager Analytics : 2.5.0, 2.2.0
WSO2 API Microgateway : 2.2.0
WSO2 Data Analytics Server : 3.2.0
WSO2 Enterprise Integrator : 6.6.0 or ealier
WSO2 IS as Key Manager : 5.10.0 or ealier
WSO2 Identity Server : 5.10.0 or earlier
WSO2 Identity Server Analytics : 5.6.0 or earlier
WSO2 IoT Server : 3.3.1, 3.3.0
Improper access control in web service "Try It" functionality.
Web service "Try It" functionality in some product versions allows unauthenticated access via HTTP Servlet (default port: 9443) and/or PassThrough (default port: 8243) transports.
Some products contain UIs inside Carbon Management Console for the "Try It" functionality (e.g. WSO2 Enterprise Integrator), and in other products (e.g. WSO2 Identity Server) it could be achieved by directly calling a specific JSP file that is packed with the Carbon Kernel.
If the "Try It" functionality related URLs are accessible to unauthorized parties, by using this vulnerability it is possible to send requests to SOAP services running in other network nodes that are usually denied to those parties, and view the response if those services allow unauthenticated access. In addition to that, it would be possible to do a port scan to identify the open ports in the deployment.
The risk from this vulnerability would be reduced if the network access to Carbon Management Console nodes are blocked to the unwarranted parties as per WSO2's security recommendations for the production deployments.
If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.
You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-kernel/pull/2690, https://github.com/wso2/carbon-commons/pull/417, https://github.com/wso2/carbon-commons/pull/418
As recommended in WSO2 Production Security Guideline, add following property in carbon.properties file which is located at <PRODUCT_HOME>/conf to disable try-it option in management console.
If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.
2020-09-24: API Manager 3.2.0 added to the affected product list.