Security Advisory WSO2-2017-0177
Published: March 06, 2017
AFFECTED PRODUCTS
- WSO2 Business Process Server 3.6.0
- WSO2 Complex Event Processor 4.2.0
- WSO2 Data Analytics Server 3.1.0
- WSO2 Enterprise Service Bus 5.0.0
- WSO2 Enterprise Service Bus Analytics 5.0.0
OVERVIEW
A vulnerability exists in the WSO2 Thrift data publisher client where the password used for authentication is exposed in the log in some situations.
DESCRIPTION
In several versions of the Thrift data publisher clients, a vulnerability has been discovered where the password used for authenticating against the Thrift server is printed in the client logs. This vulnerability affects all versions above 5.0.0 of the Thrift data publisher client jar (org.wso2.carbon.databridge.agent_x.y.z.jar).
The older Thrift data publisher client with the groupID org.wso2.carbon.databridge.agent.thrift is not affected by this. This issue has been fixed in version 5.1.5 (or higher) of the client.
IMPACT
The password used for authentication might be exposed to third parties in the event that the logs generated by the Thrift client are shared without sanitization.
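As an added example (not part of this advisory or of WSO2's own code), the following Python check scans data publisher client logs for a configured password before the logs are shared, and produces a redacted copy. The log lines and their message format are constructed for illustration, since the advisory does not show the affected log output.

```python
import re

# Constructed sample lines in the style of a Carbon data publisher client log.
# The real message format of the affected agent versions is not given in the
# advisory; these lines are illustrative only.
SAMPLE_LOG = """\
[2017-03-06 10:15:02,117]  INFO {org.wso2.carbon.databridge.agent.DataPublisher} - Connecting to tcp://analytics.example:7611
[2017-03-06 10:15:02,118] DEBUG {org.wso2.carbon.databridge.agent.endpoint.DataEndpoint} - Logging in with user admin and password s3cret-pw
[2017-03-06 10:15:02,130]  INFO {org.wso2.carbon.databridge.agent.DataPublisher} - Connected
""".splitlines()

# Fallback heuristic for password-like key/value fields when the configured
# secret is not known to the person preparing the logs.
KEY_VALUE_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd)(\s*[:=]\s*|\s+)(\S+)")


def find_exposures(lines, secrets):
    """Return (line_no, reason) for every line that contains one of the
    configured secrets, or, failing that, a password-like key/value field."""
    hits = []
    for no, line in enumerate(lines, 1):
        for s in secrets:
            if s and s in line:
                hits.append((no, "configured secret present"))
                break
        else:
            if KEY_VALUE_PATTERN.search(line):
                hits.append((no, "password-like field"))
    return hits


def redact(lines, secrets):
    """Return a copy of the log with configured secrets and password-like
    values masked, so the file can be shared with a third party."""
    out = []
    for line in lines:
        # Longest secrets first, so a shorter secret that is a substring of a
        # longer one does not leave fragments behind.
        for s in sorted(secrets, key=len, reverse=True):
            if s:
                line = line.replace(s, "<REDACTED>")
        line = KEY_VALUE_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}<REDACTED>", line)
        out.append(line)
    return out
```

Run `find_exposures` against the client log with the publisher password you configured; a non-empty result means the log must be redacted before it leaves your environment.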
SOLUTION
For WSO2 Update Manager (WUM) Supported Products
Use WUM to update the following products.
| Code | Product | Version |
|---|---|---|
| CEP | WSO2 Complex Event Processor | 4.2.0 |
| ESB | WSO2 Enterprise Service Bus | 5.0.0 |
| ESB Analytics | WSO2 Enterprise Service Bus Analytics | 5.0.0 |
For Other Products
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.
| Code | Product | Version | Patch |
|---|---|---|---|
| BPS | WSO2 Business Process Server | 3.6.0 | WSO2-CARBON-PATCH-4.4.0-0611 |
| CEP | WSO2 Complex Event Processor | 4.2.0 | WSO2-CARBON-PATCH-4.4.0-0612 |
| DAS | WSO2 Data Analytics Server | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0612 |
| ESB | WSO2 Enterprise Service Bus | 5.0.0 | WSO2-CARBON-PATCH-4.4.0-0611 |
| ESB Analytics | WSO2 Enterprise Service Bus Analytics | 5.0.0 | WSO2-CARBON-PATCH-4.4.0-0611 |
Info: If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is already fixed.