WSO2 API Manager
ZDI-CAN-13449 concerns the Java Management Extensions (JMX) and Remote Method Invocation (RMI) services available with WSO2 products. JMX is a technology that lets you implement management interfaces for Java applications. The services in question enforce authentication and authorization to prevent unauthorized access. As also documented in the WSO2 documentation, JMX services can only be accessed after properly authenticating with the credentials of a user holding the "Server Admin" permission.
Although ZDI-CAN-13449 states "Authentication is not required to exploit this vulnerability", that statement rests solely on the fact that the default administrator credential (admin/admin) shipped with the product can be used to connect to the JMX port.
Although WSO2 products ship with a default administrator credential, we highly recommend changing it. This is further detailed in the Security Guidelines for Production Deployments.
Once the default administrator credential is changed, JMX service authentication adopts the new credential as well: the service can be accessed only after presenting a valid credential for a user with Server Admin permission. Considering the above facts, the reported issue ZDI-CAN-13449 therefore has no impact when the default admin credential has been changed as per the Security Guidelines for Production Deployments. If you have a deployment that still uses the default credential, we strongly suggest changing it by following the Security Guidelines for Production Deployments.
If JMX services are not required, you can disable JMX completely by following the WSO2 documentation. As an additional measure, you can also prevent untrusted networks from reaching the rmi_registry_port (default: 9999) and rmi_server_port (default: 11111).
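The following script is an added example, not code from WSO2 or from this advisory. It audits a WSO2 deployment.toml fragment for the two conditions discussed above: whether the super-admin account still carries the shipped admin/admin credential, and whether the JMX RMI service is enabled and on which ports. The `[super_admin]` keys (`username`, `password`) and the `[monitoring.jmx]` keys (`rmi_server_start`, `rmi_registry_port`, `rmi_server_port`) are assumptions based on WSO2 deployment.toml conventions; confirm them against the documentation for your product version. The sample configurations are constructed for illustration.

```python
"""Audit a WSO2 deployment.toml fragment for default admin credentials and JMX exposure.

Added example, not WSO2's own code. Config key names are assumptions taken from
WSO2 deployment.toml conventions and should be checked against your version's docs.
"""
import re

# The shipped credential named in the advisory.
DEFAULT_ADMIN = ("admin", "admin")
# Default JMX RMI ports named in the advisory.
DEFAULT_JMX_PORTS = {"rmi_registry_port": 9999, "rmi_server_port": 11111}


def parse_simple_toml(text):
    """Minimal parser for flat `[section]` / `key = value` files.

    Handles quoted strings, integers and booleans, which is enough for the
    deployment.toml fragments audited here. It is not a full TOML parser.
    """
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([\w.]+)\]", line)
        if header:
            section = data.setdefault(header.group(1), {})
            continue
        key, eq, value = (part.strip() for part in line.partition("="))
        if section is None or not eq:
            continue  # stray line outside any section, or no assignment
        quoted = re.match(r'"([^"]*)"', value)
        if quoted:
            parsed = quoted.group(1)          # quoted string; trailing comment ignored
        else:
            value = value.split("#", 1)[0].strip()  # drop trailing comment
            if value in ("true", "false"):
                parsed = value == "true"
            elif value.lstrip("-").isdigit():
                parsed = int(value)
            else:
                parsed = value
        section[key] = parsed
    return data


def audit(config):
    """Return a list of findings; an empty list means both mitigations are in place."""
    findings = []
    admin = config.get("super_admin", {})
    if (admin.get("username"), admin.get("password")) == DEFAULT_ADMIN:
        findings.append("super_admin still uses the shipped admin/admin credential; change it")
    jmx = config.get("monitoring.jmx", {})
    # Assumption: rmi_server_start controls the JMX RMI service; treat it as enabled unless false.
    if jmx.get("rmi_server_start", True):
        ports = {name: jmx.get(name, default) for name, default in DEFAULT_JMX_PORTS.items()}
        findings.append(
            "JMX RMI service enabled on %s; disable it or restrict these ports to trusted networks"
            % ports
        )
    return findings


# Constructed sample: shipped defaults left in place.
SAMPLE_DEFAULT = """
[super_admin]
username = "admin"
password = "admin"
create_admin_account = true

[monitoring.jmx]
rmi_server_start = true
rmi_registry_port = 9999
rmi_server_port = 11111
"""

# Constructed sample: credential changed and JMX disabled (password is a placeholder).
SAMPLE_HARDENED = """
[super_admin]
username = "opsadmin"
password = "CHANGE-ME-long-random-passphrase"  # placeholder value
create_admin_account = true

[monitoring.jmx]
rmi_server_start = false
"""

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(parse_simple_toml(sample)) or ["no findings"])
```

Run it against your own deployment.toml by reading the file into `parse_simple_toml` and passing the result to `audit`; two findings on the default sample, none on the hardened one.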