Security Advisory WSO2-2017-0212¶
Published: July 10, 2017
Severity: Low
CVSS Score: 2.6 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager 2.1.0
- WSO2 API Manager Analytics 2.1.0
- WSO2 App Manager 1.2.0
- WSO2 Application Server 5.3.0
- WSO2 Business Process Server 3.6.0
- WSO2 Business Rules Server 2.2.0
- WSO2 Complex Event Processor 4.2.0
- WSO2 Data Analytics Server 3.1.0
- WSO2 Dashboard Server 2.0.0
- WSO2 Data Services Server 3.5.1
- WSO2 Enterprise Mobility Manager 2.2.0
- WSO2 Enterprise Service Bus 5.0.0
- WSO2 Enterprise Service Bus Analytics 5.0.0
- WSO2 IoT Server 3.0.0
- WSO2 Identity Server 5.3.0
- WSO2 Identity Server Analytics 5.3.0
- WSO2 Machine Learner 1.2.0
OVERVIEW¶
A potential sensitive data exposure vulnerability through the advanced search option is detected in the Management Console of the above-listed product versions.
DESCRIPTION¶
In the Management Console advancedSearch parameters might contain sensitive information which will get logged in access_logs. Therefore, it is required to change the search form submission to HTTP POST in order to prevent logging sensitive information. This security fix will prevent logging sensitive information in access_logs.
IMPACT¶
The user's sensitive information might be exposed through the http_access_logs and might be misused if it falls into the hands of an attacker.
SOLUTION¶
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to security@wso2.com.
| Code | Product | Version | Patch |
|---|---|---|---|
| AM | WSO2 API Manager | 2.1.0 | WSO2-CARBON-PATCH-4.4.0-0913 |
| AM-Analytics | WSO2 API Manager Analytics | 2.1.0 | WSO2-CARBON-PATCH-4.4.0-0913 |
| AppM | WSO2 App Manager | 1.2.0 | WSO2-CARBON-PATCH-4.4.0-0911 |
| AS | WSO2 Application Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0896 |
| BPS | WSO2 Business Process Server | 3.6.0 | WSO2-CARBON-PATCH-4.4.0-0912 |
| BRS | WSO2 Business Rules Server | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-0896 |
| CEP | WSO2 Complex Event Processor | 4.2.0 | WSO2-CARBON-PATCH-4.4.0-0913 |
| DS | WSO2 Dashboard Server | 2.0.0 | WSO2-CARBON-PATCH-4.4.0-0894 |
| DAS | WSO2 Data Analytics Server | 3.1.0 | WSO2-CARBON-PATCH-4.4.0-0913 |
| DSS | WSO2 Data Services Server | 3.5.1 | WSO2-CARBON-PATCH-4.4.0-0911 |
| EMM | WSO2 Enterprise Mobility Manager | 2.2.0 | WSO2-CARBON-PATCH-4.4.0-0915 |
| ESB | WSO2 Enterprise Service Bus | 5.0.0 | WSO2-CARBON-PATCH-4.4.0-0912 |
| ESB-Analytics | WSO2 Enterprise Service Bus Analytics | 5.0.0 | WSO2-CARBON-PATCH-4.4.0-0911 |
| IS | WSO2 Identity Server | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0914 |
| IS-Analytics | WSO2 Identity Server Analytics | 5.3.0 | WSO2-CARBON-PATCH-4.4.0-0913 |
| IoTS | WSO2 IoT Server | 3.0.0 | WSO2-CARBON-PATCH-4.4.0-0913 |
| ML | WSO2 Machine Learner | 1.2.0 | WSO2-CARBON-PATCH-4.4.0-0911 |
Info
If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.