Security Advisory WSO2-2016-0098
- Former user (Deleted)
- Former user (Deleted)
Published: 12th August 2016
OVERVIEW
WSO2 products are vulnerable to Local File Inclusion (LFI) issue via LogViewer Admin Service.
DESCRIPTION
An authenticated user can download configuration files in the filesystem via downloadArchivedLogFiles operation in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. <WSO2_PRODUCT_HOME>/repository/logs), hence can access any file in the file system.
IMPACT
An authorized user with admin privileges can download any file in the file system through LogViewer admin service.
SOLUTION
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/.
If you have any questions, post them to security@wso2.com.
Code | Product | Version | Patch |
|---|---|---|---|
AS | WSO2 Application Server | 5.3.0 | |
BPS | WSO2 Business Process Server | 3.5.1 | |
BRS | WSO2 Business Rules Server | 2.2.0 | |
CEP | WSO2 Complex Event Processor | 4.1.0 | |
DAS | WSO2 Data Analytics Server | 3.0.1 | |
DS | WSO2 Dashboard Server | 2.0.0 | |
DSS | WSO2 Data Services Server | 3.5.0 | |
EMM | WSO2 Enterprise Mobility Manager | 2.0.1 | |
ES | WSO2 Enterprise Store | 2.0.0 | |
ESB | WSO2 Enterprise Service Bus | 4.9.0 | |
GREG | WSO2 Governance Registry | 5.2.0 | |
IS | WSO2 Identity Server | 5.1.0 | |
MB | WSO2 Message Broker | 3.1.0 | |
ML | WSO2 Machine Learner | 1.1.0 | WSO2-CARBON-PATCH-4.4.0-0202 |
NOTES
If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.
CREDITS
WSO2 thanks, John Page aka hyp3rlinx for responsibly reporting the identified issues and working with us as we addressed them.