Security Advisory WSO2-2017-0177¶
Published: March 06, 2017
AFFECTED PRODUCTS¶
- WSO2 App Manager 1.2.0
- WSO2 Application Server 5.3.0
- WSO2 Business Process Server 3.6.0
- WSO2 Business Rules Server 2.2.0
- WSO2 Complex Event Processor 4.2.0
- WSO2 Dashboard Server 2.0.0
- WSO2 Data Analytics Server 3.1.0
- WSO2 Data Services Server 3.5.1
- WSO2 Enterprise Service Bus 5.0.0
- WSO2 Enterprise Store 2.1.0
- WSO2 Governance Registry 5.3.0
- WSO2 Machine Learner 1.2.0
- WSO2 Message Broker 3.1.0
OVERVIEW¶
The above-listed products have been identified to have several potential Cross-Site Scripting(XSS) vulnerabilities.
DESCRIPTION¶
In several versions of the following components, XSS vulnerabilities have been discovered where a malicious user could inject an executable script as input via the product's management console.
- WSO2 Carbon Governance
- WSO2 Carbon Registry
- WSO2 Tenant management
- WSO2 Carbon Webapp Management
IMPACT¶
As a consequence of the Stored XSS attack, the malicious data will be appeared to be part of the carbon management console of affected components, and get executed within the user's browser whenever the web page is accessed. This leads to several malicious activities such as capturing sensitive information in the web pages, hijacking user data and etc.
SOLUTION¶
The recommended solution is to apply relevant security patches to products which fix the XSS vulnerability in affected components.
For WSO2 Update Manager (WUM) Supported Products¶
Use WUM to update the following products.
| Code | Product | Version | Patch |
|---|---|---|---|
| CEP | WSO2 Complex Event Processor | 4.2.0 | |
| DSS | WSO2 Data Services Server | 3.5.1 | |
| ESB | WSO2 Enterprise Service Bus | 5.0.0 |
For Other Products¶
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.
| Code | Product | Version | Patch |
|---|---|---|---|
| APPM | WSO2 App Manager | 1.2.0 | WSO2-CARBON-PATCH-4.4.0-0665 WSO2-CARBON-PATCH-4.4.0-0666 WSO2-CARBON-PATCH-4.4.0-0676 |
| AS | WSO2 Application Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0642 WSO2-CARBON-PATCH-4.4.0-0668 WSO2-CARBON-PATCH-4.4.0-0673 WSO2-CARBON-PATCH-4.4.0-0871 |
| BPS | WSO2 Business Process Server | 3.6.0 | WSO2-CARBON-PATCH-4.4.0-0661 WSO2-CARBON-PATCH-4.4.0-0665 |
| BRS | WSO2 Business Rules Server | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-0642 WSO2-CARBON-PATCH-4.4.0-0644 |
| CEP | WSO2 Complex Event Processor | 4.2.0 | WSO2-CARBON-PATCH-4.4.0-0662 WSO2-CARBON-PATCH-4.4.0-0665 |
| DAS | WSO2 Data Analytics Server | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0662 WSO2-CARBON-PATCH-4.4.0-0665 |
| DS | WSO2 Dashboard Server | 2.0.0 | WSO2-CARBON-PATCH-4.4.0-0644 WSO2-CARBON-PATCH-4.4.0-0656 |
| DSS | WSO2 Data Services Server | 3.5.1 | WSO2-CARBON-PATCH-4.4.0-0660 WSO2-CARBON-PATCH-4.4.0-0665 |
| ES | WSO2 Enterprise Store | 2.1.0 | WSO2-CARBON-PATCH-4.4.0-0654 WSO2-CARBON-PATCH-4.4.0-0679 |
| ESB | WSO2 Enterprise Service Bus | 5.0.0 | WSO2-CARBON-PATCH-4.4.0-0661 WSO2-CARBON-PATCH-4.4.0-0665 |
| GREG | WSO2 Governance Registry | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0654 WSO2-CARBON-PATCH-4.4.0-0666 WSO2-CARBON-PATCH-4.4.0-0679 |
| MB | WSO2 Message Broker | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0658 WSO2-CARBON-PATCH-4.4.0-0669 |
| ML | WSO2 Machine Learner | 1.2.0 | WSO2-CARBON-PATCH-4.4.0-0660 WSO2-CARBON-PATCH-4.4.0-0665 WSO2-CARBON-PATCH-4.4.0-0666 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.