Published: 12th August 2016

OVERVIEW

Upgrade the embedded Apache Tomcat version to 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Responses.

DESCRIPTION

With the Apache Tomcat upgrade, following Common Vulnerability Exposures are fixed.

CVE-2015-5174 : Limited directory traversal
CVE-2015-5345 : Directory disclosure
CVE-2015-5346 : Session Fixation
CVE-2015-5351 : CSRF token leak
CVE-2016-0706 : Security Manager bypass
CVE-2016-0714 : Security Manager bypass
CVE-2016-0763 : Security Manager bypass

Supportability for following security headers in HTTP responses are also added with the upgrade.

Strict-Transport-Security
X-Frame-Options
X-Content-Type-Options
X-XSS-Protection

IMPACT

The WSO2 servers are exposed to known vulnerabilities of Apache Tomcat versions prior to 7.0.69.

SOLUTION

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/.

For some of the products, there may be two patches (kernel patch and platform patch) that need to be applied. In such situations refrain from restarting the server for each patch, rather apply both the patches and then restart the server.

If you have any questions, post them to security@wso2.com.

Code	Product	Version	Patch
AS	WSO2 Application Server	5.3.0	WSO2-CARBON-PATCH-4.4.0-0237 WSO2-CARBON-PATCH-4.4.0-0257
BPS	WSO2 Business Process Server	3.5.1	WSO2-CARBON-PATCH-4.4.0-0234 WSO2-CARBON-PATCH-4.4.0-0239
BRS	WSO2 Business Rules Server	2.2.0	WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0240
CEP	WSO2 Complex Event Processor	4.1.0	WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0241
DAS	WSO2 Data Analytics Server	3.0.1	WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0240
DS	WSO2 Dashboard Server	2.0.0	WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0243
DSS	WSO2 Data Services Server	3.5.0	WSO2-CARBON-PATCH-4.4.0-0236 WSO2-CARBON-PATCH-4.4.0-0241
EMM	WSO2 Enterprise Mobility Manager	2.0.1	WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0240
ES	WSO2 Enterprise Store	2.0.0	WSO2-CARBON-PATCH-4.4.0-0237 WSO2-CARBON-PATCH-4.4.0-0243
ESB	WSO2 Enterprise Service Bus	4.9.0	WSO2-CARBON-PATCH-4.4.0-0237
GREG	WSO2 Governance Registry	5.2.0	WSO2-CARBON-PATCH-4.4.0-0233 WSO2-CARBON-PATCH-4.4.0-0239
IS	WSO2 Identity Server	5.1.0	WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0241
MB	WSO2 Message Broker	3.1.0	WSO2-CARBON-PATCH-4.4.0-0235
ML	WSO2 Machine Learner	1.1.0	WSO2-CARBON-PATCH-4.4.0-0235 WSO2-CARBON-PATCH-4.4.0-0243

NOTES

If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.

Browser not supported