We observed vulnerability CVE-2022-29464 being exploited in the wild since April, allowing unrestricted file uploads resulting in arbitrary remote code execution (RCE), found from here.
This affects WSO2 API Manager 2.2.0 and above, Identity Server 5.2.0 and above, Identity Server Analytics 5.4.0 to 5.6.0, Identity Server as Key Manager 5.3.0 and above, Open Banking AM 1.4.0 and above, and Enterprise Integrator 6.2.0 and above.
We're using WSO2 EI Product V6.4.0/6.5.0.
I have seen Security Advisory WSO2-2021-1738 guideline too.
We don't have a Support Subscription, so I'm planning to remove the <FileUploadConfig> mappings in <product_home>/conf/carbon.xml as suggested on the same WSO2 Security Advisory page.
Is this mitigation step enough, or do we need to concentrate further on this?
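As an added example (not from the poster or from WSO2), a small check that parses a carbon.xml and reports any <FileUploadConfig> mappings still present, so the workaround above can be verified before and after editing the file. It assumes the usual Carbon layout of FileUploadConfig > Mapping > Actions/Action + Class; the two XML fragments are constructed samples.

```python
"""Verify that the <FileUploadConfig> mappings were removed from a WSO2 carbon.xml."""
import xml.etree.ElementTree as ET

# Constructed sample resembling a stock carbon.xml (assumed structure).
SAMPLE_CARBON_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <FileUploadConfig>
    <TotalFileSizeLimit>100</TotalFileSizeLimit>
    <Mapping>
      <Actions><Action>keystore</Action><Action>*</Action></Actions>
      <Class>org.wso2.carbon.ui.transports.fileupload.AnyFileUploadExecutor</Class>
    </Mapping>
  </FileUploadConfig>
</Server>"""

# Constructed sample after the advisory's workaround: mappings deleted.
MITIGATED_CARBON_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml">
  <FileUploadConfig>
    <TotalFileSizeLimit>100</TotalFileSizeLimit>
  </FileUploadConfig>
</Server>"""

def _local(tag):
    """Strip the XML namespace so matching works with or without xmlns."""
    return tag.rsplit('}', 1)[-1]

def find_upload_mappings(xml_text):
    """Return [(executor_class, [actions]), ...] for every FileUploadConfig/Mapping."""
    root = ET.fromstring(xml_text)
    found = []
    for cfg in root.iter():
        if _local(cfg.tag) != "FileUploadConfig":
            continue
        for mapping in cfg:
            if _local(mapping.tag) != "Mapping":
                continue
            cls, actions = "", []
            for child in mapping:
                if _local(child.tag) == "Class":
                    cls = (child.text or "").strip()
                elif _local(child.tag) == "Actions":
                    actions = [(a.text or "").strip() for a in child if _local(a.tag) == "Action"]
            found.append((cls, actions))
    return found

def mitigation_applied(xml_text):
    """True only when no upload mapping (wildcard '*' included) remains."""
    return len(find_upload_mappings(xml_text)) == 0

if __name__ == "__main__":
    for cls, actions in find_upload_mappings(SAMPLE_CARBON_XML):
        print("remaining mapping:", cls, actions)
    print("workaround in place:", mitigation_applied(MITIGATED_CARBON_XML))
```

Run it against the real <product_home>/conf/carbon.xml by reading the file into a string; any mapping it reports, especially one whose actions include "*", means the workaround has not been applied.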
CodePudding user response:
As per the advisory, it seems disabling the file upload services is not a complete fix. If you look at the fix that has been implemented, it has code-level changes as well. [1]