Security Advisory WSO2-2016-0092

Published: August 12, 2016


OVERVIEW

The embedded Apache Tomcat is upgraded to version 7.0.69 to pick up Tomcat-level security fixes and to add support for security headers in HTTP responses.

DESCRIPTION

The Apache Tomcat upgrade fixes the following Common Vulnerabilities and Exposures (CVEs):

  • CVE-2015-5174 : Limited directory traversal
  • CVE-2015-5345 : Directory disclosure
  • CVE-2015-5346 : Session Fixation
  • CVE-2015-5351 : CSRF token leak
  • CVE-2016-0706 : Security Manager bypass
  • CVE-2016-0714 : Security Manager bypass
  • CVE-2016-0763 : Security Manager bypass

Support for the following security headers in HTTP responses is also added with the upgrade.

  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
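The check a practitioner wants after applying the patch is an audit of an actual response for the four headers above. The following is an added example written for this page, not code from the advisory or from WSO2: it parses raw HTTP/1.1 response text and reports, per header, whether it is missing, present with a weak value, or acceptable. The sample responses are constructed, and the acceptance rules (for instance the 180-day HSTS minimum and the `1; mode=block` requirement) are assumptions of this example.

```python
"""Audit an HTTP response for the four security headers named in the advisory.

Added example, not code from the advisory or the product. Thresholds are
assumptions; sample responses at the bottom are constructed.
"""
from __future__ import annotations

from typing import Callable, Dict, List

# Minimum HSTS max-age this audit accepts: 180 days (assumed, not from the advisory).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_response_headers(raw: str) -> Dict[str, List[str]]:
    """Return lower-cased header name -> list of values; body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_ok(value: str) -> bool:
    """max-age must be present, numeric and at least MIN_HSTS_MAX_AGE seconds."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().lower().partition("=")
        directives[name] = val.strip().strip('"')
    try:
        return int(directives.get("max-age", "")) >= MIN_HSTS_MAX_AGE
    except ValueError:
        return False


def x_frame_options_ok(value: str) -> bool:
    """Only DENY and SAMEORIGIN count; ALLOW-FROM is obsolete and ignored by browsers."""
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


def x_content_type_options_ok(value: str) -> bool:
    return value.strip().lower() == "nosniff"


def x_xss_protection_ok(value: str) -> bool:
    """Require '1; mode=block': '0' disables the filter, bare '1' only sanitises."""
    tokens = [t.strip().lower().replace(" ", "") for t in value.split(";")]
    return tokens[0] == "1" and "mode=block" in tokens[1:]


CHECKS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": hsts_ok,
    "x-frame-options": x_frame_options_ok,
    "x-content-type-options": x_content_type_options_ok,
    "x-xss-protection": x_xss_protection_ok,
}


def audit_headers(raw_response: str) -> Dict[str, str]:
    """Map each required header to 'ok', 'missing' or 'weak: <value>'."""
    headers = parse_response_headers(raw_response)
    verdict: Dict[str, str] = {}
    for name, check in CHECKS.items():
        values = headers.get(name, [])
        if not values:
            verdict[name] = "missing"
        elif all(check(v) for v in values):
            verdict[name] = "ok"
        else:
            verdict[name] = "weak: " + ", ".join(values)
    return verdict


# Constructed sample responses (not captured from a real server).
RESPONSE_UNPATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
RESPONSE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "X-XSS-Protection: 0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
RESPONSE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("unpatched", RESPONSE_UNPATCHED), ("weak", RESPONSE_WEAK),
                       ("hardened", RESPONSE_HARDENED)):
        print(label)
        for header, status in audit_headers(raw).items():
            print(f"  {header}: {status}")
```

Feed it a response captured from the patched server's HTTPS listener rather than its plain-HTTP one: browsers ignore Strict-Transport-Security on non-TLS responses, so auditing the HTTP port says nothing about HSTS. X-XSS-Protection is a legacy header that current browsers no longer honour; it is still worth sending for older clients, but a Content-Security-Policy is the control that actually constrains script injection today.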

IMPACT

The WSO2 servers are exposed to known vulnerabilities of Apache Tomcat versions prior to 7.0.69.
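To tell whether a given installation is still exposed, the Tomcat version actually embedded in it has to be read rather than inferred from the product version. The following is an added example, not code from the advisory or from WSO2: stock Tomcat records its version in org/apache/catalina/util/ServerInfo.properties inside its jar (catalina.jar in a standalone Tomcat), and the advisory does not say which jar or directory carries it in a WSO2 distribution, so the scan opens every jar under a given root instead of assuming a name. The jars it audits in the demonstration are constructed in a temporary directory.

```python
"""Find jars embedding an Apache Tomcat older than 7.0.69.

Added example, not from the advisory or the product. Reads the standard
Tomcat ServerInfo.properties from each jar under a root; the jar names and
directory layout of a WSO2 distribution are not assumed. Sample jars are
constructed by make_sample_jar().
"""
import os
import re
import tempfile
import zipfile
from typing import Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]

SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"
FIXED_VERSION: Version = (7, 0, 69)  # version the advisory upgrades to
_SERVER_INFO_RE = re.compile(
    r"^\s*server\.info\s*=\s*Apache Tomcat/(\d+)\.(\d+)\.(\d+)", re.M)


def parse_tomcat_version(properties_text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from ServerInfo.properties text, or None."""
    m = _SERVER_INFO_RE.search(properties_text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Version, fixed: Version = FIXED_VERSION) -> bool:
    """True for any Tomcat older than the fixed version (tuple comparison)."""
    return version < fixed


def find_tomcat_versions(root: str) -> Iterator[Tuple[str, Version]]:
    """Yield (jar path, version) for each jar under root carrying ServerInfo.properties."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    if SERVER_INFO not in jar.namelist():
                        continue
                    text = jar.read(SERVER_INFO).decode("utf-8", "replace")
            except zipfile.BadZipFile:
                continue  # not a zip or corrupt: skip rather than abort the scan
            version = parse_tomcat_version(text)
            if version is not None:
                yield path, version


def audit_directory(root: str) -> List[Tuple[str, Version, bool]]:
    """Return (jar name, version, vulnerable?) per embedded Tomcat, sorted by name."""
    return sorted(
        (os.path.basename(path), version, is_vulnerable(version))
        for path, version in find_tomcat_versions(root)
    )


def make_sample_jar(directory: str, jar_name: str, version_string: str) -> str:
    """Write a minimal constructed jar holding only a ServerInfo.properties."""
    path = os.path.join(directory, jar_name)
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(SERVER_INFO,
                     f"server.info=Apache Tomcat/{version_string}\n"
                     f"server.number={version_string}.0\n")
    return path


def run_demo() -> List[Tuple[str, Version, bool]]:
    """Build a throwaway tree: one old Tomcat, one fixed, one unrelated jar."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(root, "tomcat-old.jar", "7.0.59")
        make_sample_jar(root, "tomcat-fixed.jar", "7.0.69")
        with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return audit_directory(root)


if __name__ == "__main__":
    for jar, version, vulnerable in run_demo():
        label = "VULNERABLE" if vulnerable else "ok"
        print(f"{jar}: Tomcat {'.'.join(map(str, version))} -> {label}")
```

Point `audit_directory()` at the product's installation root after patching. Two caveats: a jar on disk proves only what is installed, not what the running JVM loaded, so the verdict is meaningful only after the restart the SOLUTION section calls for; and the comparison is against 7.0.69 because that is the version this advisory targets, so a distribution on a different Tomcat line needs its own reference version.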

SOLUTION

Apply the patches listed below for your product, following the instructions in each patch's README file. Patches can also be downloaded from Security Patch Releases.

For some products there are two patches (a kernel patch and a platform patch) that need to be applied. In that case, do not restart the server after each patch; apply both patches and then restart the server once.

If you have any questions, post them to security@wso2.com.

Code  Product                             Version  Patch
AS    WSO2 Application Server             5.3.0    WSO2-CARBON-PATCH-4.4.0-0237
                                                   WSO2-CARBON-PATCH-4.4.0-0257
BPS   WSO2 Business Process Server        3.5.1    WSO2-CARBON-PATCH-4.4.0-0234
                                                   WSO2-CARBON-PATCH-4.4.0-0239
BRS   WSO2 Business Rules Server          2.2.0    WSO2-CARBON-PATCH-4.4.0-0235
                                                   WSO2-CARBON-PATCH-4.4.0-0240
CEP   WSO2 Complex Event Processor        4.1.0    WSO2-CARBON-PATCH-4.4.0-0235
                                                   WSO2-CARBON-PATCH-4.4.0-0241
DAS   WSO2 Data Analytics Server          3.0.1    WSO2-CARBON-PATCH-4.4.0-0235
                                                   WSO2-CARBON-PATCH-4.4.0-0240
DS    WSO2 Dashboard Server               2.0.0    WSO2-CARBON-PATCH-4.4.0-0235
                                                   WSO2-CARBON-PATCH-4.4.0-0243
DSS   WSO2 Data Services Server           3.5.0    WSO2-CARBON-PATCH-4.4.0-0236
                                                   WSO2-CARBON-PATCH-4.4.0-0241
EMM   WSO2 Enterprise Mobility Manager    2.0.1    WSO2-CARBON-PATCH-4.4.0-0235
                                                   WSO2-CARBON-PATCH-4.4.0-0240
ES    WSO2 Enterprise Store               2.0.0    WSO2-CARBON-PATCH-4.4.0-0237
                                                   WSO2-CARBON-PATCH-4.4.0-0243
ESB   WSO2 Enterprise Service Bus         4.9.0    WSO2-CARBON-PATCH-4.4.0-0237
GREG  WSO2 Governance Registry            5.2.0    WSO2-CARBON-PATCH-4.4.0-0233
                                                   WSO2-CARBON-PATCH-4.4.0-0239
IS    WSO2 Identity Server                5.1.0    WSO2-CARBON-PATCH-4.4.0-0235
                                                   WSO2-CARBON-PATCH-4.4.0-0241
MB    WSO2 Message Broker                 3.1.0    WSO2-CARBON-PATCH-4.4.0-0235
ML    WSO2 Machine Learner                1.1.0    WSO2-CARBON-PATCH-4.4.0-0235
                                                   WSO2-CARBON-PATCH-4.4.0-0243

Info

If you are using a newer version of a product than the one listed in the SOLUTION section, these vulnerabilities are already fixed in that version.