Security Advisory WSO2-2017-0187

Published: March 06, 2017


AFFECTED PRODUCTS

  • WSO2 App Manager 1.2.0
  • WSO2 Application Server 5.3.0
  • WSO2 Business Process Server 3.6.0
  • WSO2 Business Rules Server 2.2.0
  • WSO2 Complex Event Processor 4.2.0
  • WSO2 Dashboard Server 2.0.0
  • WSO2 Data Analytics Server 3.1.0
  • WSO2 Data Services Server 3.5.1
  • WSO2 Enterprise Mobility Manager 2.2.0
  • WSO2 Enterprise Service Bus 5.0.0
  • WSO2 Enterprise Store 2.1.0
  • WSO2 Governance Registry 5.3.0
  • WSO2 Machine Learner 1.2.0
  • WSO2 Message Broker 3.1.0

OVERVIEW

The WSO2 Carbon UI and Message Flows UI components of above listed products have been identified to have a potential XSS vulnerability where a user can inject an executable script as user input.

DESCRIPTION

In WSO2 Carbon UI and Message Flows UI components, reflected XSS attack vulnerability is detected when a user injects a malicious executable script as user input when using carbon management console.

This issue has been fixed in affected components with security patches given for specific product versions.

IMPACT

An attacker can include malicious content in a request to Carbon UI and Message Flows UI pages of management console, and trick a user to click the malicious content via email or a neutral website. This reflects the attack back to the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.

SOLUTION

The recommended solution is to apply relevant security updates/patches which fix the XSS vulnerability identified in the specific components used in products. See below for details on patching or updating the affected component.

For WSO2 Update Manager (WUM) Supported Products

Use WUM to update the following products.

Code Product Version Patch
CEP WSO2 Complex Event Processor 4.2.0
DSS WSO2 Data Services Server 3.5.1
ESB WSO2 Enterprise Service Bus 5.0.0
EMM WSO2 Enterprise Mobility Manager 2.2.0

For Other Products

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code Product Version Patch
APPM WSO2 App Manager 1.2.0 WSO2-CARBON-PATCH-4.4.0-0721
AS WSO2 Application Server 5.3.0 WSO2-CARBON-PATCH-4.4.0-0717
WSO2-CARBON-PATCH-4.4.0-0737
BPS WSO2 Business Process Server 3.6.0 WSO2-CARBON-PATCH-4.4.0-0724
BRS WSO2 Business Rules Server 2.2.0 WSO2-CARBON-PATCH-4.4.0-0723
WSO2-CARBON-PATCH-4.4.0-0736
CEP WSO2 Complex Event Processor 4.2.0 WSO2-CARBON-PATCH-4.4.0-0718
WSO2-CARBON-PATCH-4.4.0-0720
DAS WSO2 Data Analytics Server 3.1.0 WSO2-CARBON-PATCH-4.4.0-0718
DS WSO2 Dashboard Server 2.0.0 WSO2-CARBON-PATCH-4.4.0-0723
DSS WSO2 Data Services Server 3.5.1 WSO2-CARBON-PATCH-4.4.0-0718
WSO2-CARBON-PATCH-4.4.0-0720
EMM WSO2 Enterprise Mobility Manager 2.2.0 WSO2-CARBON-PATCH-4.4.0-0726
ES WSO2 Enterprise Store 2.1.0 WSO2-CARBON-PATCH-4.4.0-0721
ESB WSO2 Enterprise Service Bus 5.0.0 WSO2-CARBON-PATCH-4.4.0-0605
WSO2-CARBON-PATCH-4.4.0-0724
GREG WSO2 Governance Registry 5.3.0 WSO2-CARBON-PATCH-4.4.0-0721
MB WSO2 Message Broker 3.1.0 WSO2-CARBON-PATCH-4.4.0-0723
WSO2-CARBON-PATCH-4.4.0-0736
ML WSO2 Machine Learner 1.2.0 WSO2-CARBON-PATCH-4.4.0-0718

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.

CREDITS

WSO2 thanks, Marcin Woloszyn for responsibly reporting the identified issues and working with us as we addressed them.