Security Advisory WSO2-2016-0101¶
Published: August 12, 2016
WSO2 products are vulnerable to possible server shut down through a Cross-Site Request Forgery (CSRF) attack.
The attack involves tricking a privileged user to initiate a request to shut down WSO2 Servers.
The WSO2 servers are exposed to known vulnerabilities of Apache Tomcat versions prior to 7.0.69.
The CSRF Valve improved to differentiate between the malicious requests from the legitimate requests by validating the referer header of the incoming request.
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to email@example.com.
|AS||WSO2 Application Server||5.3.0||WSO2-CARBON-PATCH-4.4.0-0218|
|BPS||WSO2 Business Process Server||3.5.1||WSO2-CARBON-PATCH-4.4.0-0215|
|BRS||WSO2 Business Rules Server||2.2.0||WSO2-CARBON-PATCH-4.4.0-0214|
|CEP||WSO2 Complex Event Processor||4.1.0||WSO2-CARBON-PATCH-4.4.0-0214|
|DAS||WSO2 Data Analytics Server||3.0.1||WSO2-CARBON-PATCH-4.4.0-0214|
|DS||WSO2 Dashboard Server||2.0.0||WSO2-CARBON-PATCH-4.4.0-0214|
|DSS||WSO2 Data Services Server||3.5.0||WSO2-CARBON-PATCH-4.4.0-0213|
|EMM||WSO2 Enterprise Mobility Manager||2.0.1||WSO2-CARBON-PATCH-4.4.0-0214|
|ES||WSO2 Enterprise Store||2.0.0||WSO2-CARBON-PATCH-4.4.0-0218|
|ESB||WSO2 Enterprise Service Bus||4.9.0||WSO2-CARBON-PATCH-4.4.0-0218|
|IS||WSO2 Identity Server||5.1.0||WSO2-CARBON-PATCH-4.4.0-0214|
|MB||WSO2 Message Broker||3.1.0||WSO2-CARBON-PATCH-4.4.0-0214|
|ML||WSO2 Machine Learner||1.1.0||WSO2-CARBON-PATCH-4.4.0-0214|
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.
WSO2 thanks, John Page (hyp3rlinx) for responsibly reporting the identified issues and working with us as we addressed them.