

Security Advisory WSO2-2016-0095

Published: August 31, 2016

---

OVERVIEW

A possible session fixation vulnerability exists in WSO2 products that use SAML SSO Carbon Authenticator.

DESCRIPTION

A malicious user could exploit the Session Fixation vulnerability by fixing a session ID, or gaining access to an unauthenticated initial session ID and later use the same to perform a session hijacking attack.

IMPACT

A malicious user could exploit the Session Fixation vulnerability by fixing a session ID, or gaining access to an unauthenticated initial session ID and later use the same to perform a session hijacking attack.

SOLUTION

After applying the below patches, SAML SSO Carbon Authenticator renews the session ID upon the user's successful login.

Apply the following patches based on your products by following the instructions in the README file.

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code	Product	Version	Patch
AS	WSO2 Application Server	5.3.0	WSO2-CARBON-PATCH-4.4.0-0246
BPS	WSO2 Business Process Server	3.5.1	WSO2-CARBON-PATCH-4.4.0-0249
BRS	WSO2 Business Rules Server	2.2.0	WSO2-CARBON-PATCH-4.4.0-0247
CEP	WSO2 Complex Event Processor	4.1.0	WSO2-CARBON-PATCH-4.4.0-0247
DS	WSO2 Dashboard Server	2.0.0	WSO2-CARBON-PATCH-4.4.0-0247
DAS	WSO2 Data Analytics Server	3.0.1	WSO2-CARBON-PATCH-4.4.0-0247
DSS	WSO2 Data Services Server	3.5.0	WSO2-CARBON-PATCH-4.4.0-0245
EMM	WSO2 Enterprise Mobility Manager	2.0.1	WSO2-CARBON-PATCH-4.4.0-0247
IS	WSO2 Identity Server	5.1.0	WSO2-CARBON-PATCH-4.4.0-0247
ML	WSO2 Machine Learner	1.1.0	WSO2-CARBON-PATCH-4.4.0-0245
MB	WSO2 Message Broker	3.1.0	WSO2-CARBON-PATCH-4.4.0-0245

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.