WSO2 Products SOAP Admin Service Unauthenticated User Registration Vulnerability (CVE-2024-7097)

Key Information Vulnerability ID WSO2-2024-3574/CVE-2024-7097 Affected Product Versions WSO2 API Manager: 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0, 3.0.0, 2.6.0, 2.5.0, 2.2.0, 2.1.0, 2.0.0 WSO2 Identity Server: 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0 WSO2 Identity Server as Key Manager: 5.10.0, 5.9.0, 5.8.0, 5.6.0, 5.5.0, 5.3.0 WSO2 Open Banking AM: 2.0.0, 1.3.0, 1.4.0, 1.3.0 WSO2 Open Banking KM: 2.0.0 WSO2 Open Banking KM: 1.5.0, 1.4.0, 1.3.0 Vulnerability Description Overview: The WSO2 admin service allows user registration regardless of self-registration configuration. Detailed Description: A security vulnerability exists in the SOAP admin service within WSO2 products, enabling the creation of new user accounts without considering the self-registration configuration settings. Impact Malicious actors can exploit this vulnerability to create multiple low-privilege users and maintain persistent access to the system. This could be leveraged to exhaust system resources by continuously creating such users. Solution Community Users (Open Source): It is strongly recommended to migrate to the latest versions of respective WSO2 products to mitigate known vulnerabilities. Commercial Users: Update your products to the specified patch level or higher module level to apply the fix. All Users: If applying the fix or upgrading is not feasible, migrate to the latest unaffected version of the respective WSO2 product. Configuration Changes For XML-based configuration models, add the following configuration in the file: For APIM 2.x versions, if self-registration is not a business requirement, no additional changes are necessary. If self-registration needs to be disabled, also disable the "Self-Registration" feature in the APIM management console.

Goal Reached Thanks to every supporter — we hit 100%!

WSO2 Products SOAP Admin Service Unauthenticated User Registration Vulnerability (CVE-2024-7097)