Security Advisory WSO2-2017-0177¶
Published: March 06, 2017
AFFECTED PRODUCTS¶
- WSO2 Application Server 5.3.0
- WSO2 Data Services Server 3.5.1
- WSO2 Enterprise Service Bus 5.0.0
- WSO2 Message Broker 3.1.0
OVERVIEW¶
A potential XML External Entity (XXE) vulnerability has been identified in the WSDL tool of the WSO2 Carbon Commons component used in the above-listed products.
DESCRIPTION¶
The Carbon Commons component has been identified with a potential XXE vulnerability when using the WSDL Validator Tool where the application XML parser is accepting DOCTYPE in provided XML documents either directly or indirectly, using a URL.
IMPACT¶
The XXE attacks can affect any trusted system respective to the machine where the parser is located. This attack can result in disclosing local files, denial of service, server-side request forgery, port scanning and other system impacts on affected systems.
SOLUTION¶
The recommended solution is to apply the relevant security patch which fixes the XXE vulnerability in the WSO2 Carbon Commons component used in the listed products.
See below for details on patching or updating the affected component.
For WSO2 Update Manager (WUM) Supported Products¶
Use WUM to update the following products.
| Code | Product | Version | Patch |
|---|---|---|---|
| DSS | WSO2 Data Services Server | 3.5.1 | |
| ESB | WSO2 Enterprise Service Bus | 5.0.0 |
For Other Products¶
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.
| Code | Product | Version | Patch |
|---|---|---|---|
| AS | WSO2 Application Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0616 |
| DSS | WSO2 Data Services Server | 3.5.1 | WSO2-CARBON-PATCH-4.4.0-0618 |
| ESB | WSO2 Enterprise Service Bus | 5.0.0 | WSO2-CARBON-PATCH-4.4.0-0618 |
| MB | WSO2 Message Broker | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0617 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.
CREDITS¶
WSO2 thanks, Marcin Woloszyn for responsibly reporting the identified issues and working with us as we addressed them.