Security Advisory WSO2-2016-0101

Published: August 12, 2016


OVERVIEW

WSO2 products are vulnerable to possible server shut down through a Cross-Site Request Forgery (CSRF) attack.

DESCRIPTION

The attack involves tricking a privileged user to initiate a request to shut down WSO2 Servers.

IMPACT

The WSO2 servers are exposed to known vulnerabilities of Apache Tomcat versions prior to 7.0.69.

SOLUTION

The CSRF Valve improved to differentiate between the malicious requests from the legitimate requests by validating the referer header of the incoming request.

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code Product Version Patch
AS WSO2 Application Server 5.3.0 WSO2-CARBON-PATCH-4.4.0-0218
BPS WSO2 Business Process Server 3.5.1 WSO2-CARBON-PATCH-4.4.0-0215
BRS WSO2 Business Rules Server 2.2.0 WSO2-CARBON-PATCH-4.4.0-0214
CEP WSO2 Complex Event Processor 4.1.0 WSO2-CARBON-PATCH-4.4.0-0214
DAS WSO2 Data Analytics Server 3.0.1 WSO2-CARBON-PATCH-4.4.0-0214
DS WSO2 Dashboard Server 2.0.0 WSO2-CARBON-PATCH-4.4.0-0214
DSS WSO2 Data Services Server 3.5.0 WSO2-CARBON-PATCH-4.4.0-0213
EMM WSO2 Enterprise Mobility Manager 2.0.1 WSO2-CARBON-PATCH-4.4.0-0214
ES WSO2 Enterprise Store 2.0.0 WSO2-CARBON-PATCH-4.4.0-0218
ESB WSO2 Enterprise Service Bus 4.9.0 WSO2-CARBON-PATCH-4.4.0-0218
IS WSO2 Identity Server 5.1.0 WSO2-CARBON-PATCH-4.4.0-0214
MB WSO2 Message Broker 3.1.0 WSO2-CARBON-PATCH-4.4.0-0214
ML WSO2 Machine Learner 1.1.0 WSO2-CARBON-PATCH-4.4.0-0214

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.

CREDITS

WSO2 thanks, John Page (hyp3rlinx) for responsibly reporting the identified issues and working with us as we addressed them.