Security Advisory WSO2-2017-0182¶
Published: March 06, 2017
AFFECTED PRODUCTS¶
- WSO2 Application Server 5.3.0
- WSO2 Business Process Server 3.6.0
- WSO2 Business Rules Server 2.2.0
- WSO2 Complex Event Processor 4.2.0
- WSO2 Data Analytics Server 3.1.0
- WSO2 Data Services Server 3.5.1
- WSO2 Enterprise Service Bus 5.0.0
- WSO2 Message Broker 3.1.0
OVERVIEW¶
The Carbon Commons component of the above-listed products has been identified to have potential Arbitrary File Read(AFR) and Arbitrary Directory Read (ADR) vulnerabilities.
DESCRIPTION¶
In several versions of the Carbon Commons component, a potential arbitrary file/directory read vulnerability has been discovered. Because of Arbitrary File Read(AFR) vulnerability, it is possible to read arbitrary files starting from the application root folder such as configuration files, binary files, etc. Because of Arbitrary Directory Read(ADR) vulnerability, it is possible to read the directory index of arbitrary directories within the application root folder which includes configuration and library directories.
IMPACT¶
As a result of AFR, sensitive data can be read from configuration files present within the carbon server via Remote Code Execution (RCE). In addition to that, the contents of important directories can be scanned via ADR.
SOLUTION¶
The recommended solution is to apply relevant security patches to products which fix the vulnerability in the affected component.
For WSO2 Update Manager (WUM) Supported Products¶
Use WUM to update the following products.
| Code | Product | Version | Patch |
|---|---|---|---|
| ESB | WSO2 Enterprise Service Bus | 5.0.0 | |
| CEP | WSO2 Complex Event Processor | 4.2.0 | |
| DSS | WSO2 Data Services Server | 3.5.1 |
For Other Products¶
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.
| Code | Product | Version | Patch |
|---|---|---|---|
| AS | WSO2 Application Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0713 |
| BPS | WSO2 Business Process Server | 3.6.0 | WSO2-CARBON-PATCH-4.4.0-0581 |
| BRS | WSO2 Business Rules Server | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-0648 |
| CEP | WSO2 Complex Event Processor | 4.2.0 | WSO2-CARBON-PATCH-4.4.0-0581 |
| DAS | WSO2 Data Analytics Server | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0581 |
| DSS | WSO2 Data Services Server | 3.5.1 | WSO2-CARBON-PATCH-4.4.0-0581 |
| ESB | WSO2 Enterprise Service Bus | 5.0.0 | WSO2-CARBON-PATCH-4.4.0-0581 |
| MB | WSO2 Message Broker | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0648 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.
CREDITS¶
WSO2 thanks, Marcin Woloszyn for responsibly reporting the identified issues and working with us as we addressed them.