Security Advisory WSO2-2017-0212

Published: July 10, 2017

Severity: Low

CVSS Score: 2.6 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager 2.1.0
  • WSO2 API Manager Analytics 2.1.0
  • WSO2 App Manager 1.2.0
  • WSO2 Application Server 5.3.0
  • WSO2 Business Process Server 3.6.0
  • WSO2 Business Rules Server 2.2.0
  • WSO2 Complex Event Processor 4.2.0
  • WSO2 Data Analytics Server 3.1.0
  • WSO2 Dashboard Server 2.0.0
  • WSO2 Data Services Server 3.5.1
  • WSO2 Enterprise Mobility Manager 2.2.0
  • WSO2 Enterprise Service Bus 5.0.0
  • WSO2 Enterprise Service Bus Analytics 5.0.0
  • WSO2 IoT Server 3.0.0
  • WSO2 Identity Server 5.3.0
  • WSO2 Identity Server Analytics 5.3.0
  • WSO2 Machine Learner 1.2.0

OVERVIEW

A potential sensitive data exposure vulnerability through the advanced search option is detected in the Management Console of the above-listed product versions.

DESCRIPTION

In the Management Console advancedSearch parameters might contain sensitive information which will get logged in access_logs. Therefore, it is required to change the search form submission to HTTP POST in order to prevent logging sensitive information. This security fix will prevent logging sensitive information in access_logs.

IMPACT

The user's sensitive information might be exposed through the http_access_logs and might be misused if it falls into the hands of an attacker.

SOLUTION

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.

Code Product Version Patch
AM WSO2 API Manager 2.1.0 WSO2-CARBON-PATCH-4.4.0-0913
AM-Analytics WSO2 API Manager Analytics 2.1.0 WSO2-CARBON-PATCH-4.4.0-0913
AppM WSO2 App Manager 1.2.0 WSO2-CARBON-PATCH-4.4.0-0911
AS WSO2 Application Server 5.3.0 WSO2-CARBON-PATCH-4.4.0-0896
BPS WSO2 Business Process Server 3.6.0 WSO2-CARBON-PATCH-4.4.0-0912
BRS WSO2 Business Rules Server 2.2.0 WSO2-CARBON-PATCH-4.4.0-0896
CEP WSO2 Complex Event Processor 4.2.0 WSO2-CARBON-PATCH-4.4.0-0913
DS WSO2 Dashboard Server 2.0.0 WSO2-CARBON-PATCH-4.4.0-0894
DAS WSO2 Data Analytics Server 3.1.0 WSO2-CARBON-PATCH-4.4.0-0913
DSS WSO2 Data Services Server 3.5.1 WSO2-CARBON-PATCH-4.4.0-0911
EMM WSO2 Enterprise Mobility Manager 2.2.0 WSO2-CARBON-PATCH-4.4.0-0915
ESB WSO2 Enterprise Service Bus 5.0.0 WSO2-CARBON-PATCH-4.4.0-0912
ESB-Analytics WSO2 Enterprise Service Bus Analytics 5.0.0 WSO2-CARBON-PATCH-4.4.0-0911
IS WSO2 Identity Server 5.3.0 WSO2-CARBON-PATCH-4.4.0-0914
IS-Analytics WSO2 Identity Server Analytics 5.3.0 WSO2-CARBON-PATCH-4.4.0-0913
IoTS WSO2 IoT Server 3.0.0 WSO2-CARBON-PATCH-4.4.0-0913
ML WSO2 Machine Learner 1.2.0 WSO2-CARBON-PATCH-4.4.0-0911

Info

If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.