Published: 17th August 2020
CVSS Score: 8.1 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
WSO2 API Manager : 3.2.0 or earlier
WSO2 API Microgateway : 2.2.0
WSO2 IS as Key Manager : 5.10.0 or earlier
WSO2 Identity Server : 5.10.0 or earlier
A potential sensitive information disclosure vulnerability has been identified in the "RemoteUserRealmService" SOAP service.
The "RemoteUserRealmService" SOAP service allows users with "Super Admin" permissions to fetch realm configurations. The service response includes the credentials of the Super Admin user and of the primary user store connection, as specified in user-mgt.xml.
The Super Admin specified in user-mgt.xml is the highest-privileged user in a WSO2 product: only that user can assign or unassign the "admin" role to other users and delete a user who holds the "admin" role. By exploiting this vulnerability, another admin user (one holding the "Super Admin" permissions defined in the Management Console's permission tree, but with fewer privileges than the Super Admin of user-mgt.xml) can obtain the credentials of that superior user, provided the Super Admin password in user-mgt.xml is still in use and has not been changed via the Management Console as recommended by WSO2's security guidelines for production deployments. The primary user store is a highly confidential asset of an organization, and access to it should ideally be restricted by network rules. If an attacker can reach the primary user store, there is a confidentiality and integrity impact, since they can authenticate to it using the credentials returned by the SOAP service.
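The defensive point of this advisory is that a realm-configuration response must not carry the secrets that user-mgt.xml holds. The following Python script is an added illustration, not code from WSO2 or from the referenced fix: it audits a constructed user-mgt.xml-style fragment for credential-bearing fields (the AdminUser password and the user store's ConnectionPassword) and produces a redacted copy suitable for returning to a caller. The element layout, property names and sample values are assumptions modelled on the user-mgt.xml structure and are not taken from the page.

```python
"""Audit and redact credentials in a WSO2-style realm configuration.

Added example for the RemoteUserRealmService advisory. The XML layout and
property names below are assumptions modelled on user-mgt.xml; they are not
taken from the WSO2 fix.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling a user-mgt.xml realm section (assumed layout,
# made-up values). In the vulnerable service these values were returned verbatim.
SAMPLE_REALM_CONFIG = """<Realm>
  <Configuration>
    <AdminUser>
      <UserName>admin</UserName>
      <Password>S3cret-Admin-Pass</Password>
    </AdminUser>
    <Property name="dataSource">jdbc/WSO2CarbonDB</Property>
  </Configuration>
  <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
    <Property name="ConnectionURL">ldap://userstore.example.internal:389</Property>
    <Property name="ConnectionName">uid=admin,ou=system</Property>
    <Property name="ConnectionPassword">ldap-bind-secret</Property>
    <Property name="UserSearchBase">ou=Users,dc=example,dc=com</Property>
  </UserStoreManager>
</Realm>
"""

# Property names known to carry secrets (assumed list; extend per deployment),
# plus a name pattern that catches variants such as "TrustStorePassword".
SECRET_PROPERTY_NAMES = {"ConnectionPassword", "TrustStorePassword", "KeyStorePassword"}
SECRET_NAME_PATTERN = re.compile(r"(pass|secret|credential)", re.IGNORECASE)
REDACTED = "***REDACTED***"


def is_secret_property(name):
    """True if a <Property name="..."> element should never leave the server."""
    return name in SECRET_PROPERTY_NAMES or bool(SECRET_NAME_PATTERN.search(name))


def find_secrets(xml_text):
    """Return (location, value) pairs for every credential-bearing element.

    Useful as an audit: anything listed here would be disclosed by a service
    that serialises the realm configuration as-is.
    """
    root = ET.fromstring(xml_text)
    found = []
    for pw in root.iter("Password"):  # <AdminUser><Password>...</Password>
        if pw.text:
            found.append(("AdminUser/Password", pw.text))
    for prop in root.iter("Property"):
        name = prop.get("name", "")
        if is_secret_property(name) and prop.text:
            found.append((f"Property[{name}]", prop.text))
    return found


def redact_realm_config(xml_text):
    """Return a copy of the configuration with every credential value masked.

    Non-secret operational data (connection URL, search base, data source)
    is preserved so the response stays useful to legitimate callers.
    """
    root = ET.fromstring(xml_text)
    for pw in root.iter("Password"):
        pw.text = REDACTED
    for prop in root.iter("Property"):
        if is_secret_property(prop.get("name", "")):
            prop.text = REDACTED
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for location, value in find_secrets(SAMPLE_REALM_CONFIG):
        print(f"credential present at {location} ({len(value)} chars)")
    print(redact_realm_config(SAMPLE_REALM_CONFIG))
```

Running the audit against a real user-mgt.xml tells an operator which values a pre-fix service would have exposed; the redaction function shows the shape of the fix, which is to strip secrets at serialisation time rather than rely on the caller's privilege level, since the advisory's attacker is already an admin.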
If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.
You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2-extensions/identity-user-ws/pull/44
If you are a WSO2 customer with a Support Subscription, please use WSO2 Update Manager (WUM) updates to apply the fix.
2020-09-24: API Manager 3.2.0 added to the affected product list.