Security Advisory WSO2-2016-0095¶
Published: August 31, 2016
OVERVIEW¶
A possible session fixation vulnerability exists in WSO2 products that use SAML SSO Carbon Authenticator.
DESCRIPTION¶
A malicious user could exploit the Session Fixation vulnerability by fixing a session ID, or gaining access to an unauthenticated initial session ID and later use the same to perform a session hijacking attack.
IMPACT¶
A malicious user could exploit the Session Fixation vulnerability by fixing a session ID, or gaining access to an unauthenticated initial session ID and later use the same to perform a session hijacking attack.
SOLUTION¶
After applying the below patches, SAML SSO Carbon Authenticator renews the session ID upon the user's successful login.
Apply the following patches based on your products by following the instructions in the README file.
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.
Code | Product | Version | Patch |
---|---|---|---|
AS | WSO2 Application Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0246 |
BPS | WSO2 Business Process Server | 3.5.1 | WSO2-CARBON-PATCH-4.4.0-0249 |
BRS | WSO2 Business Rules Server | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-0247 |
CEP | WSO2 Complex Event Processor | 4.1.0 | WSO2-CARBON-PATCH-4.4.0-0247 |
DS | WSO2 Dashboard Server | 2.0.0 | WSO2-CARBON-PATCH-4.4.0-0247 |
DAS | WSO2 Data Analytics Server | 3.0.1 | WSO2-CARBON-PATCH-4.4.0-0247 |
DSS | WSO2 Data Services Server | 3.5.0 | WSO2-CARBON-PATCH-4.4.0-0245 |
EMM | WSO2 Enterprise Mobility Manager | 2.0.1 | WSO2-CARBON-PATCH-4.4.0-0247 |
IS | WSO2 Identity Server | 5.1.0 | WSO2-CARBON-PATCH-4.4.0-0247 |
ML | WSO2 Machine Learner | 1.1.0 | WSO2-CARBON-PATCH-4.4.0-0245 |
MB | WSO2 Message Broker | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0245 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.