Security Advisory WSO2-2017-0185

Published: March 06, 2017


AFFECTED PRODUCTS

  • WSO2 Application Server 5.3.0
  • WSO2 Business Process Server 3.6.0
  • WSO2 Business Rules Server 2.2.0
  • WSO2 Complex Event Processor 4.2.0
  • WSO2 Data Analytics Server 3.1.0
  • WSO2 Data Services Server 3.5.1
  • WSO2 Enterprise Service Bus 5.0.0
  • WSO2 Message Broker 3.1.0

OVERVIEW

A potential XML External Entity (XXE) vulnerability has been identified in the Carbon Try-it tool of the WSO2 Carbon Commons component used in the above-listed products.

DESCRIPTION

The Carbon Commons component has been identified to have a potential XXE vulnerability in the Carbon Try-it tool where the application XML parser is accepting DOCTYPE in provided XML documents either directly or indirectly, using a URL.

IMPACT

The XXE attacks can affect any trusted system respective to the machine where the parser is located. This attack can result in disclosing local files, denial of service, server-side request forgery, port scanning and other system impacts on affected systems.

SOLUTION

The recommended solution is to apply relevant security updates/patches to products which fix the XXE vulnerability in affected components.

See below for details on patching or updating the affected component.

For WSO2 Update Manager (WUM) Supported Products

Use WUM to update the following products.

Code Product Version Patch
CEP WSO2 Complex Event Processor 4.2.0
ESB WSO2 Enterprise Service Bus 5.0.0
DSS WSO2 Data Services Server 3.5.1

For Other Products

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code Product Version Patch
AS WSO2 Application Server 5.3.0 WSO2-CARBON-PATCH-4.4.0-0626
BPS WSO2 Business Process Server 3.6.0 WSO2-CARBON-PATCH-4.4.0-0628
BRS WSO2 Business Rules Server 2.2.0 WSO2-CARBON-PATCH-4.4.0-0632
CEP WSO2 Complex Event Processor 4.2.0 WSO2-CARBON-PATCH-4.4.0-0628
DAS WSO2 Data Analytics Server 3.1.0 WSO2-CARBON-PATCH-4.4.0-0628
DSS WSO2 Data Services Server 3.5.1 WSO2-CARBON-PATCH-4.4.0-0628
ESB WSO2 Enterprise Service Bus 5.0.0 WSO2-CARBON-PATCH-4.4.0-0628
MB WSO2 Message Broker 3.1.0 WSO2-CARBON-PATCH-4.4.0-0632

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.

CREDITS

WSO2 thanks, Marcin Woloszyn for responsibly reporting the identified issues and working with us as we addressed them.