Security Advisory WSO2-2017-0188¶
Published: March 06, 2017
AFFECTED PRODUCTS¶
- WSO2 Application Server 5.3.0
- WSO2 Business Process Server 3.6.0
- WSO2 Business Rules Server 2.2.0
- WSO2 Complex Event Processor 4.2.0
- WSO2 Data Analytics Server 3.1.0
- WSO2 Data Services Server 3.5.1
- WSO2 Enterprise Service Bus 5.0.0
OVERVIEW¶
The WSO2 Carbon New Data Sources UI component of the above-listed products has been identified to have a potential XSS vulnerability where a user can inject an executable script as user input.
DESCRIPTION¶
In the Carbon New Data Sources UI component, reflected XSS attack vulnerability is detected when a user injects a malicious executable script as user input using the carbon management console.
This issue has been fixed in the affected component with security patches given for specific products.
IMPACT¶
An attacker can include malicious content in a request to Carbon New Data Sources UI page of management console, and trick a user to click the malicious content via email or a neutral website. This reflects the attack back to the user's browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.
SOLUTION¶
The recommended solution is to apply relevant security patches which fix the XSS vulnerability identified in the specific components used in products. See below for details on patching or updating the affected component.
For WSO2 Update Manager (WUM) Supported Products¶
Use WUM to update the following products.
| Code | Product | Version | Patch |
|---|---|---|---|
| CEP | WSO2 Complex Event Processor | 4.2.0 | |
| DSS | WSO2 Data Services Server | 3.5.1 | |
| ESB | WSO2 Enterprise Service Bus | 5.0.0 |
For Other Products¶
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.
| Code | Product | Version | Patch |
|---|---|---|---|
| AS | WSO2 Application Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0719 |
| BPS | WSO2 Business Process Server | 3.6.0 | WSO2-CARBON-PATCH-4.4.0-0630 |
| BRS | WSO2 Business Rules Server | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-0716 |
| CEP | WSO2 Complex Event Processor | 4.2.0 | WSO2-CARBON-PATCH-4.4.0-0630 |
| DAS | WSO2 Data Analytics Server | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0630 |
| DSS | WSO2 Data Services Server | 3.5.1 | WSO2-CARBON-PATCH-4.4.0-0630 |
| ESB | WSO2 Enterprise Service Bus | 5.0.0 | WSO2-CARBON-PATCH-4.4.0-0630 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.
CREDITS¶
WSO2 thanks, Marcin Woloszyn for responsibly reporting the identified issues and working with us as we addressed them.