Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

WSO2 Identity Server Plagued by Critical Vulnerabilities

Researchers at SEC Consult have identified some serious flaws in WSO2 Identity Server. The vendor has released patches to address the security bugs.

WSO2 Identity Server, developed by Mountain View, CA-based enterprise middleware company WSO2, is a security and identity management solution for enterprise web applications, services, and APIs.

Researchers at SEC Consult have identified some serious flaws in WSO2 Identity Server. The vendor has released patches to address the security bugs.

WSO2 Identity Server, developed by Mountain View, CA-based enterprise middleware company WSO2, is a security and identity management solution for enterprise web applications, services, and APIs.

SEC Consult experts analyzed WSO2 Identity Server and determined that the product is affected by cross-site scripting (XSS), cross-site request forgery (CSRF), and XML external entity injection (XXE) vulnerabilities.

According to an advisory published by the Austria-based application security services firm on Wednesday, the reflected XSS bug can be exploited by a remote attacker to hijack users’ sessions. For the attack to work, the attacker must convince a user that is logged in to the WSO2 Identity Server admin interface to click on specially crafted link.

The CSRF bug can be exploited by an attacker to add new users to Identity Server. Exploiting this vulnerability, caused by the lack of CSRF protection, also requires user interaction.

The third vulnerability identified and reported by SEC Consult is an XXE flaw that can be exploited to inject external XML entities through the SAML authentication interface. A malicious actor can leverage the bug to read local files, and possibly even bypass firewall rules and conduct further attacks on internal servers.

“WSO2 Identity Server 5.0.0 is vulnerable to XML External Entity (XEE) attack in the federated SAML2 SSO authentication flow which can be carried out by modifying the SAMLRequest or SAMLResponse parameters,” WSO2 wrote in its own advisory. “This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.”

SEC Consult has published proof-of-concept code for each of the security holes.

The vulnerabilities, rated “critical” by WSO2, were reported in mid-March and addressed on Wednesday with the following patches: WSO2-CARBON-PATCH-4.2.0-1256 and WSO2-CARBON-PATCH-4.2.0-1194. WSO2 advises customers to install IS 5.0.0 Service Pack 1 before applying the patches.

WSO2’s advisory states that the vulnerabilities affect Identity Server 5.0.0, but SEC Consult believes that these or similar security bugs might affect other WSO2 products that are based on the WSO2 Carbon framework.

“SEC Consult only conducted a very quick and narrow check on the WSO2 Identity Server. Since in this check a critical vulnerability was found, SEC Consult suspects that the Identity Server contains even more critical vulnerabilities,” SEC Consult said in its advisory. “SEC Consult recommends to not use any products based on the WSO2 Carbon Framework until a thorough security review has been conducted.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.