CVE-2022-29464: 
WSO2 API Manager vulnerability analysis and mitigation

CVE-2022-29464 is a critical vulnerability (CVSS score 9.8) discovered in multiple WSO2 products that allows unrestricted file upload resulting in remote code execution. The vulnerability was disclosed on April 18, 2022, by Orange Tsai and affects various WSO2 products including API Manager 2.2.0 up to 4.0.0, Identity Server 5.2.0 up to 5.11.0, Identity Server Analytics 5.4.0 to 5.6.0, Identity Server as Key Manager 5.3.0 up to 5.11.0, Enterprise Integrator 6.2.0 up to 6.6.0, and Open Banking products (WSO2 Advisory).

The vulnerability exists due to improper validation of user input in the /fileupload endpoint. An attacker can exploit this by using a Content-Disposition directory traversal sequence to reach directories under the web root, such as ../../../../repository/deployment/server/webapps. The vulnerability requires no user interaction or administrative privileges for exploitation (NVD, GitHub POC).

By leveraging this vulnerability, attackers can perform remote code execution by uploading specially crafted payloads. The exploit has been observed being used to install web shells, coin miners, and both Linux and Windows-compatible Cobalt Strike beacons. This is particularly concerning as WSO2 products are commonly used in critical sectors including healthcare, banking, energy, education, government, and communications (Trend Micro).

WSO2 released patches for all supported product versions in February 2022. For customers with support subscriptions, fixes can be applied through WSO2 Updates. For open-source users or those using EOL versions, fixes are available through public GitHub repositories. Temporary mitigation steps include adding specific configuration lines to deployment.toml or removing certain mappings in carbon.xml, depending on the product version (WSO2 Advisory).