Security Advisory WSO2-2017-0177

Published: March 06, 2017


AFFECTED PRODUCTS

  • WSO2 Business Process Server 3.6.0
  • WSO2 Complex Event Processor 4.2.0
  • WSO2 Data Analytics Server 3.1.0
  • WSO2 Enterprise Service Bus 5.0.0
  • WSO2 Enterprise Service Bus Analytics 5.0.0

OVERVIEW

A vulnerability exists in the WSO2 Thrift data publisher client where the password used for authentication is exposed in the log in some situations.

DESCRIPTION

In several versions of the Thrift data publisher clients, a vulnerability has been discovered where the password used for authenticating against the Thrift server is printed in the client logs. This vulnerability affects all versions above 5.0.0 of the Thrift data publisher client jar (org.wso2.carbon.databridge.agent_x.y.z.jar).

The older Thrift data publisher client with the groupID org.wso2.carbon.databridge.agent.thrift is not affected by this. This issue has been fixed in version 5.1.5 (or higher) of the client.

IMPACT

The password used for authentication might be exposed to third parties, in the event of the logs generated by the Thrift client are shared without sanitization.

SOLUTION

For WSO2 Update Manager (WUM) Supported Products

Use WUM to update the following products.

Code Product Version
CEP WSO2 Complex Event Processor 4.2.0
ESB WSO2 Enterprise Service Bus 5.0.0
ESB Analytics WSO2 Enterprise Service Bus Analytics 5.0.0

For Other Products

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code Product Version Patch
BPS WSO2 Business Process Server 3.6.0 WSO2-CARBON-PATCH-4.4.0-0611
CEP WSO2 Complex Event Processor 4.2.0 WSO2-CARBON-PATCH-4.4.0-0612
DAS WSO2 Data Analytics Server 3.1.0 WSO2-CARBON-PATCH-4.4.0-0612
ESB WSO2 Enterprise Service Buss 5.0.0 WSO2-CARBON-PATCH-4.4.0-0611
ESB Analytics WSO2 Enterprise Service Bus Analytics 5.0.0 WSO2-CARBON-PATCH-4.4.0-0611

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.