Security Advisory WSO2-2016-0092¶
Published: August 12, 2016
OVERVIEW¶
Upgrade the embedded Apache Tomcat version to 7.0.69 to support Tomcat-level security fixes and Security Headers in HTTP Responses.
DESCRIPTION¶
With the Apache Tomcat upgrade, the following Common Vulnerability Exposures are fixed.
- CVE-2015-5174 : Limited directory traversal
- CVE-2015-5345 : Directory disclosure
- CVE-2015-5346 : Session Fixation
- CVE-2015-5351 : CSRF token leak
- CVE-2016-0706 : Security Manager bypass
- CVE-2016-0714 : Security Manager bypass
- CVE-2016-0763 : Security Manager bypass
Supportability for following security headers in HTTP responses is also added with the upgrade.
- Strict-Transport-Security
- X-Frame-Options
- X-Content-Type-Options
- X-XSS-Protection
IMPACT¶
The WSO2 servers are exposed to known vulnerabilities of Apache Tomcat versions prior to 7.0.69.
SOLUTION¶
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases.
For some of the products, there may be two patches (kernel patch and platform patch) that need to be applied. In such situations refrain from restarting the server for each patch, rather apply both patches and then restart the server.
If you have any questions, post them to security@wso2.com.
| Code | Product | Version | Patch |
|---|---|---|---|
| AS | WSO2 Application Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0237 WSO2-CARBON-PATCH-4.4.0-0257 |
| BPS | WSO2 Business Process Server | 3.5.1 | WSO2-CARBON-PATCH-4.4.0-0234 WSO2-CARBON-PATCH-4.4.0-0239 |
| BRS | WSO2 Business Rules Server | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0240 |
| CEP | WSO2 Complex Event Processor | 4.1.0 | WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0241 |
| DAS | WSO2 Data Analytics Server | 3.0.1 | WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0240 |
| DS | WSO2 Dashboard Server | 2.0.0 | WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0243 |
| DSS | WSO2 Data Services Server | 3.5.0 | WSO2-CARBON-PATCH-4.4.0-0236 WSO2-CARBON-PATCH-4.4.0-0241 |
| EMM | WSO2 Enterprise Mobility Manager | 2.0.1 | WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0240 |
| ES | WSO2 Enterprise Store | 2.0.0 | WSO2-CARBON-PATCH-4.4.0-0237 WSO2-CARBON-PATCH-4.4.0-0243 |
| ESB | WSO2 Enterprise Service Bus | 4.9.0 | WSO2-CARBON-PATCH-4.4.0-0237 |
| GREG | WSO2 Governance Registry | 5.2.0 | WSO2-CARBON-PATCH-4.4.0-0233 WSO2-CARBON-PATCH-4.4.0-0239 |
| IS | WSO2 Identity Server | 5.1.0 | WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0241 |
| MB | WSO2 Message Broker | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0235 |
| ML | WSO2 Machine Learner | 1.1.0 | WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0243 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.