CVE-2024-2321
📋 TL;DR
This vulnerability allows attackers to bypass authorization in WSO2 products by using refresh tokens instead of access tokens to access protected APIs. Attackers who obtain an admin user's refresh token can perform unauthorized operations without session cookies. All organizations using affected WSO2 products are potentially impacted.
💻 Affected Systems
- WSO2 API Manager
- WSO2 Identity Server
- WSO2 Enterprise Integrator
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain prolonged admin-level access to API resources, enabling data theft, system compromise, and complete loss of confidentiality and integrity.
Likely Case
Unauthorized access to sensitive API endpoints leading to data exposure and potential privilege escalation.
If Mitigated
Limited impact with proper token management, monitoring, and network segmentation in place.
🎯 Exploit Status
Exploitation requires obtaining a valid refresh token first, which adds a step, but refresh tokens typically have much longer lifetimes than access tokens, which makes them valuable targets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific product versions
Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3213/
Restart Required: Yes
Instructions:
1. Review the vendor advisory for affected versions.
2. Apply the security patches provided by WSO2.
3. Restart the affected services.
4. Test API authorization functionality.
🔧 Temporary Workarounds
Reduce Refresh Token Lifetime
Configure shorter refresh token expiration times to limit the attack window for a stolen token.
Configure in identity.xml (the `<RefreshTokenValidityPeriod>3600</RefreshTokenValidityPeriod>` element, value in seconds; the example is 1 hour) or in the corresponding refresh token validity setting of deployment.toml on releases that use it. Note that this narrows the window but does not remove the bypass itself.
Implement Token Binding
Bind refresh tokens to the client IP or device to prevent token reuse from a different location.
Configure token binding in the WSO2 Identity Server settings.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WSO2 instances from untrusted networks
- Enhance monitoring for unusual API access patterns and refresh token usage
🔍 How to Verify
Check if Vulnerable:
Test whether protected APIs can be accessed using refresh tokens instead of access tokens: attempt API calls with a refresh token in the Authorization header.
Check Version:
Check WSO2 product version via management console or product documentation
Verify Fix Applied:
After patching, verify that refresh tokens no longer grant API access and proper authorization checks are enforced.
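A small post-patch check that carries out the two verification steps above, added here as an example (it is not part of the advisory and not WSO2's own tooling). It assumes a protected API URL and an access/refresh token pair issued to one OAuth client, supplied through environment variables; the URL default is a placeholder.

```python
# Post-patch check for CVE-2024-2321 (added example, not WSO2 tooling).
import os
import urllib.error
import urllib.request

# Assumed for illustration: a protected API behind the WSO2 gateway and the
# access/refresh token pair issued to one OAuth client, supplied via env vars.
API_URL = os.environ.get("WSO2_API_URL", "https://gateway.example.invalid/orders/1.0/list")
ACCESS_TOKEN = os.environ.get("WSO2_ACCESS_TOKEN", "")
REFRESH_TOKEN = os.environ.get("WSO2_REFRESH_TOKEN", "")

# "Rejected" only counts because the identical request succeeds with a real access token.
REJECTED = {400, 401, 403}
ACCEPTED = {200, 201, 202, 204}

def call_with_bearer(url, token, opener=None):
    """HTTP status the API returns for `Authorization: Bearer <token>`.
    `opener` is injectable so the check can be exercised without a network."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # urllib raises on 4xx/5xx
        return err.code

def assess(access_status, refresh_status):
    """fixed: access token accepted and refresh token rejected.
    vulnerable: refresh token accepted as if it were an access token.
    inconclusive: access token itself failed, or refresh-token response was
    neither a clear accept nor a clear reject (e.g. 404, 429, 5xx)."""
    if access_status not in ACCEPTED:
        return "inconclusive"
    if refresh_status in ACCEPTED:
        return "vulnerable"
    if refresh_status in REJECTED:
        return "fixed"
    return "inconclusive"

def verify(url=API_URL, access=ACCESS_TOKEN, refresh=REFRESH_TOKEN, opener=None):
    """Run both requests; return (verdict, access_status, refresh_status)."""
    a = call_with_bearer(url, access, opener)
    r = call_with_bearer(url, refresh, opener)
    return assess(a, r), a, r

if __name__ == "__main__":
    verdict, a, r = verify()
    print(f"access token -> {a}, refresh token -> {r}: {verdict}")
    raise SystemExit(0 if verdict == "fixed" else 1)
```

Run it against a non-production instance before and after patching; the "inconclusive" verdict guards against reading a broken access token or an unrelated error as a fix.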
📡 Detection & Monitoring
Log Indicators:
- API access attempts with refresh tokens
- Unauthorized API calls from unexpected sources
- Multiple failed authorization attempts followed by successful refresh token usage
Network Indicators:
- Unusual API traffic patterns
- Requests to protected endpoints without proper session cookies
SIEM Query:
source="wso2-logs" AND (message="*refresh_token*" OR message="*unauthorized*") AND status="200"
The `source`, `message` and `status` fields are illustrative; map them to the field names of your own log schema, and use substring (wildcard) matching on the message, since an exact match on the whole message will not hit.