Security Advisory WSO2-2017-0179

Published: 6th March 2017

AFFECTED PRODUCTS

WSO2 App Manager 1.2.0

WSO2 Application Server 5.3.0

WSO2 Business Process Server 3.6.0

WSO2 Business Rules Server 2.2.0

WSO2 Complex Event Processor 4.2.0

WSO2 Dashboard Server 2.0.0

WSO2 Data Analytics Server 3.1.0

WSO2 Data Services Server 3.5.1

WSO2 Enterprise Service Bus 5.0.0

WSO2 Enterprise Store 2.1.0

WSO2 Governance Registry 5.3.0

WSO2 Machine Learner 1.2.0

WSO2 Message Broker 3.1.0

OVERVIEW

The above listed products have been identified to have several potential Cross-Site Scripting(XSS) vulnerabilities.

DESCRIPTION

In several versions of following components, XSS vulnerabilities have been discovered where a malicious user could inject an executable script as an input via the product’s management console.

• WSO2 Carbon Governance

• WSO2 Carbon Registry

• WSO2 Tenant management

• WSO2 Carbon Webapp Management

 IMPACT

As a consequence of the Stored XSS attack, the malicious data will be appeared to be part of the carbon management console of affected components, and get executed within the user’s browser whenever the web page is accessed. This leads to several malicious activities such as capturing sensitive information in the web pages, hijacking user data and etc.

SOLUTION

The recommended solution is to apply relevant security patches to products which fix the XSS vulnerability in affected components.

For WSO2 Update Manager (WUM) Supported Products

Please use WUM to update the following products.

For Other Products

Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to security@wso2.com.

Please download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from http://wso2.com/security-patch-releases/.

NOTES

If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.