Security Advisory WSO2-2017-0186

Published: March 06, 2017


AFFECTED PRODUCTS

  • WSO2 App Manager 1.2.0
  • WSO2 Application Server 5.3.0
  • WSO2 Business Process Server 3.6.0
  • WSO2 Business Rules Server 2.2.0
  • WSO2 Complex Event Processor 4.2.0
  • WSO2 Dashboard Server 2.0.0
  • WSO2 Data Analytics Server 3.1.0
  • WSO2 Data Services Server 3.5.1
  • WSO2 Enterprise Mobility Manager 2.2.0
  • WSO2 Enterprise Service Bus 5.0.0
  • WSO2 Enterprise Service Bus Analytics 5.0.0
  • WSO2 Enterprise Store 2.1.0
  • WSO2 Governance Registry 5.3.0
  • WSO2 Machine Learner 1.2.0
  • WSO2 Message Broker 3.1.0

OVERVIEW

A potential Stored XSS vulnerability has been identified in the WSO2 Server Roles Management UI component in the above-listed products where a user can inject an executable script as the server role name.

DESCRIPTION

In several versions of the WSO2 Server Roles Management UI component, Stored XSS attack can be performed when a malicious user injects an executable script as server role name by HTTP PUT/POST requests. This vulnerability affects all versions above 4.2.0 of the WSO2 Carbon Server Roles Management UI component (org.wso2.carbon.roles.mgt.ui_4.x.x.jar). The WSO2-CARBON-PATCH-4.2.0-1464 is an already existing patch which fixes the problem in org.wso2.carbon.roles.mgt.ui_4.2.0.jar.

This issue has been fixed in version 4.3.0 and 4.4.x of the WSO2 Carbon Server Roles Management UI component with security patches given for specific product versions.

IMPACT

As a consequence of the Stored XSS attack, the injected malicious script will appear to be part of the WSO2 Carbon Server Role web page, and will get executed within the user's browser whenever the web page is accessed. This leads to several malicious activities such as capturing sensitive information in the web pages, hijacking user session data and etc.

SOLUTION

The recommended solution is to apply relevant security updates/patches which fix the XSS vulnerability in the WSO2 Carbon Server Roles Management UI component. See below for details on patching or updating the affected component.

For WSO2 Update Manager (WUM) Supported Products

Use WUM to update the following products.

Code Product Version Patch
CEP WSO2 Complex Event Processor 4.2.0
DSS WSO2 Data Services Server 3.5.1
EMM WSO2 Enterprise Mobility Manager 2.2.0
ESB WSO2 Enterprise Service Bus 5.0.0
ESB Analytics WSO2 Enterprise Service Bus Analytics 5.0.0

For Other Products

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code Product Version Patch
APPM WSO2 App Manager 1.2.0 WSO2-CARBON-PATCH-4.4.0-0765
AS WSO2 Application Server 5.3.0 WSO2-CARBON-PATCH-4.4.0-0776
BPS WSO2 Business Process Server 3.6.0 WSO2-CARBON-PATCH-4.4.0-0768
BRS WSO2 Business Rules Server 2.2.0 WSO2-CARBON-PATCH-4.4.0-0757
CEP WSO2 Complex Event Processor 4.2.0 WSO2-CARBON-PATCH-4.4.0-0769
DAS WSO2 Data Analytics Server 3.1.0 WSO2-CARBON-PATCH-4.4.0-0769
DS WSO2 Dashboard Server 2.0.0 WSO2-CARBON-PATCH-4.4.0-0757
DSS WSO2 Data Services Server 3.5.1 WSO2-CARBON-PATCH-4.4.0-0769
EMM* WSO2 Enterprise Mobility Manager 2.2.0 WSO2-CARBON-PATCH-4.4.0-0770
ES WSO2 Enterprise Store 2.1.0 WSO2-CARBON-PATCH-4.4.0-0765
ESB WSO2 Enterprise Service Bus 5.0.0 WSO2-CARBON-PATCH-4.4.0-0768
ESB Analytics WSO2 Enterprise Service Bus Analytics 5.0.0 WSO2-CARBON-PATCH-4.4.0-0765
GREG WSO2 Governance Registry 5.3.0 WSO2-CARBON-PATCH-4.4.0-0765
MB WSO2 Message Broker 3.1.0 WSO2-CARBON-PATCH-4.4.0-0757
ML WSO2 Machine Learner 1.2.0 WSO2-CARBON-PATCH-4.4.0-0769

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.

CREDITS

WSO2 thanks, Marcin Woloszyn for responsibly reporting the identified issues and working with us as we addressed them.