Security Advisory WSO2-2016-0170¶
Published: November 08, 2016
AFFECTED PRODUCTS¶
- WSO2 Application Server 5.3.0
- WSO2 Business Rules Server 2.2.0
- WSO2 Dashboard Server 2.0.0
- WSO2 Enterprise Mobility Manager 2.0.1
- WSO2 Message Broker 3.1.0
OVERVIEW¶
Apache Axis2 1.6.2 and earlier versions do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or Subject Alternative Name (subjectAltName) field of the X.509 certificate.
DESCRIPTION¶
Apache Axis2 1.6.2 uses commons-httpclient-3.1.0 and hostname verification should be enabled in the commons-httpclient.
IMPACT¶
This allows Eavesdropper attackers to spoof SSL servers via an arbitrary valid certificate.
SOLUTION¶
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.
| Code | Product | Version | Patch |
|---|---|---|---|
| AS | WSO2 Application Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0514 |
| BRS | WSO2 Business Rules Server | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-0514 |
| DS | WSO2 Dashboard Server | 2.0.0 | WSO2-CARBON-PATCH-4.4.0-0514 |
| EMM | WSO2 Enterprise Mobility Manager | 2.0.1 | WSO2-CARBON-PATCH-4.4.0-0514 |
| MB | WSO2 Message Broker | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0514 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.