WSO2 Security Patch Releases

Refer to documentation on the WSO2 Patch Application Process for more details on how to apply service packs and individual patches to the WSO2 product.
Product Security Patch Product Version Description Released Date
API Manager Update via WSO2 Update Manager

WSO2 API Manager provides an API for importing a swagger definition by swagger resource URL. This API is vulnerable to unauthorized access and can be invoked by anonymous users. Thus an attacker who does not even have credentials to access the API Publisher can possibly access the swagger definition URL import API.

Security Advisory Link

Nov 08, 2016
Update via WSO2 Update Manager

An attacker with access to the WSO2 Management Console can input a malicious XXE payload in the try-it tool UI menu, or can attack directly with XML input, and disclose any file located in the file system. The reflected and stored XSS vulnerabilities allow deployment of malicious code in the application by providing a specially crafted URL to a user.

Security Advisory Link

Nov 08, 2016
Update via WSO2 Update Manager

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser's Back button) and view that page without logging in, because of browser caching.

Security Advisory Link

Nov 08, 2016
Update via WSO2 Update Manager

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
Update via WSO2 Update Manager

The following pages in the management console were found to be vulnerable to open redirect attacks in the products mentioned here.
- XACML Policy Administration
- Identity Provider Management
- Workflow Management
- User Management
An attacker can possibly attack the above UI components by modifying query parameters that carry a URL value in the management console context. They can modify the respective query parameter value such that the management console redirects the request to the specified URL.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0420

XSS vulnerabilities were discovered in the Message Flows component. An attacker can possibly attack the management console via that component using reflected XSS, by injecting malicious scripts as part of the URL, which are then reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0398

Error responses returned by the WSO2 API Manager were discovered to be vulnerable to XSS: requests made to an API with resource paths containing invalid contexts, resource names or methods that consist of malicious scripts could result in reflected XSS attacks.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0382

XSS vulnerabilities were discovered in the Message Flows component. An attacker can possibly attack the management console via that component using reflected XSS, by injecting malicious scripts as part of the URL, which are then reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0370

The Carbon Metrics component of WSO2 products was discovered to be vulnerable to XSS attacks. An attacker can possibly attack the management console via that component using reflected XSS, by injecting malicious scripts as part of the URL, which are then reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0366

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0365

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0327

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0084

The documentation link section of the WSO2 API Manager Publisher application is vulnerable to Cross Site Scripting (XSS), which also affects the documentation section of the WSO2 API Manager Store application. The Swagger UI component of the WSO2 API Manager Store application is vulnerable to XSS as well. In addition, the API Manager Store and Publisher applications do not renew the session ID upon user login, which makes a Session Fixation attack possible.

May 24, 2016
WSO2-CARBON-PATCH-4.2.0-1826

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), and hence can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), and hence can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0176

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), and hence can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.3.0-0003

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.1.0-0326

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-0955

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1154

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1262

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.1.0-0324

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.0.0-0661

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.1.0-0322

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to exploit a website by transmitting unauthorized commands from a user that the website trusts.

Nov 11, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits WSS4J leaking information on where particular decryption operations fail. This vulnerability had been fixed by generating a new symmetric key, so that the attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
API Manager Analytics WSO2-CARBON-PATCH-4.4.0-0366

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
App Factory WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), and hence can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.1.0-0326

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1262

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.1.0-0324

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits WSS4J leaking information on where particular decryption operations fail. This vulnerability had been fixed by generating a new symmetric key, so that the attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
App Manager WSO2-CARBON-PATCH-4.4.0-0552

The following pages in the management console were found to be vulnerable to open redirect attacks in the products mentioned here.
- XACML Policy Administration
- Identity Provider Management
- Workflow Management
- User Management
An attacker can possibly attack the above UI components by modifying query parameters that carry a URL value in the management console context. They can modify the respective query parameter value such that the management console redirects the request to the specified URL.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0543

An attacker with access to the WSO2 Management Console can input a malicious XXE payload in the try-it tool UI menu, or can attack directly with XML input, and disclose any file located in the file system. The reflected and stored XSS vulnerabilities allow deployment of malicious code in the application by providing a specially crafted URL to a user.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0536

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser's Back button) and view that page without logging in, because of browser caching.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0463

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0429

Testing the connection from the WSO2 server's management console while adding a secondary JDBC user store initiates an HTTP GET request that includes the connection credentials in URL query parameters. Thus, the database connection credentials are exposed and are also logged in the HTTP access logs.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0384

The Apache Commons Collections library contains various classes in the "functor" package which are serializable and use reflection. This can be exploited for remote code execution attacks by injecting specially crafted objects into applications that deserialize Java objects from untrusted sources.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0365

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0339

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0327

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0326

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.2.0-1826

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), and hence can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
Application Server WSO2-CARBON-PATCH-4.4.0-0531

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser's Back button) and view that page without logging in, because of browser caching.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0514

Apache Axis2 1.6.2 uses commons-httpclient 3.1.0, and host name verification should be enabled in commons-httpclient.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0463

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0443

When a new username and password are entered in a form and the form is submitted, the browser asks whether the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0432

Testing the connection from the WSO2 server's management console while adding a secondary JDBC user store initiates an HTTP GET request that includes the connection credentials in URL query parameters. Thus, the database connection credentials are exposed and are also logged in the HTTP access logs.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0384

The Apache Commons Collections library contains various classes in the "functor" package which are serializable and use reflection. This can be exploited for remote code execution attacks by injecting specially crafted objects into applications that deserialize Java objects from untrusted sources.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0382

XSS vulnerabilities were discovered in the Message Flows component. An attacker can possibly attack the management console via that component using reflected XSS, by injecting malicious scripts as part of the URL, which are then reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0354

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0347

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0257

Upgrade to Tomcat 7.0.69 to incorporate Tomcat-level security fixes and security headers in HTTP responses.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0237

Upgrade to Tomcat 7.0.69 to incorporate Tomcat-level security fixes and security headers in HTTP responses.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0218

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0202

Fixing the Local File Inclusion (LFI) vulnerability in the LogViewer Admin Service.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), and hence can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), and hence can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0177

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), and hence can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.1.0-0326

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-0955

WSO2 products based on Carbon 4.2.0 that use Tomcat version 7.0.34 are vulnerable to a security threat identified as request smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1193

WSO2 products based on Carbon 4.2.0 that use Tomcat version 7.0.34 are vulnerable to a security threat identified as request smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0 that use Tomcat version 7.0.34 are vulnerable to a security threat identified as request smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1262

WSO2 products based on Carbon 4.2.0 that use Tomcat version 7.0.34 are vulnerable to a security threat identified as request smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.4.0-0016

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability can be exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability can be exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.1.0-0324

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability can be exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.0.0-0661

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability can be exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.1.0-0322

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Nov 11, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Among a number of attacks on the PKCS#1 v1.5 key transport algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability had been addressed by generating a new symmetric key, so that an attacker could not tell whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message that reveals where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed as described in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
Business Activity Monitor

WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so it can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.1.0-0326

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1154

WSO2 products based on Carbon 4.2.0 that use Tomcat version 7.0.34 are vulnerable to a security threat identified as request smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0 that use Tomcat version 7.0.34 are vulnerable to a security threat identified as request smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1262

WSO2 products based on Carbon 4.2.0 that use Tomcat version 7.0.34 are vulnerable to a security threat identified as request smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

WSO2 products based on Carbon 4.2.0 that use Tomcat version 7.0.34 are vulnerable to a security threat identified as request smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.1.0-0324

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability can be exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.0.0-0661

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability can be exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability can be exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.1.0-0322

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Nov 11, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
Business Process Server

WSO2-CARBON-PATCH-4.4.0-0537

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser's Back button) and view that page without logging in, due to browser caching.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0463

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to a Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0451

When a new username and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0429

Testing the connection from the WSO2 server's management console while adding a secondary JDBC user store initiates an HTTP GET request that includes the connection credentials in URL query parameters. Thus, the database connection credentials are exposed and are also logged in HTTP access logs.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0352

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0239

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0234

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0225

Business Process Server applications (BPMN/Human Task explorer) do not renew the session ID upon user login, which makes a session fixation attack possible.

May 30, 2016
WSO2-CARBON-PATCH-4.4.0-0215

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0204

Fixing the Local File Inclusion (LFI) vulnerability in LogViewer Admin Service

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.2.0-1826

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so it can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so it can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0177

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so it can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0179

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so it can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.3.0-0003

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0 that use Tomcat version 7.0.34 are vulnerable to a security threat identified as request smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.0.0-0661

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability can be exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.4.0-0016

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability can be exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability can be exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
Business Rules Server

WSO2-CARBON-PATCH-4.4.0-0546

An attacker with access to the WSO2 Management Console can input a malicious XXE payload in the try-it tool UI menu, or can attack directly with XML input, and disclose any file located in the file system. The reflected and stored XSS vulnerabilities allow deployment of malicious code in the application by providing a specifically crafted URL to a user.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0533

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser's Back button) and view that page without logging in, due to browser caching.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0514

Apache Axis2 1.6.2 uses commons-httpclient-3.1.0, and hostname verification should be enabled in commons-httpclient.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0463

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to a Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0445

When a new username and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0427

Testing the connection from the WSO2 server's management console while adding a secondary JDBC user store initiates an HTTP GET request that includes the connection credentials in URL query parameters. Thus, the database connection credentials are exposed and are also logged in HTTP access logs.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0386

XSS vulnerabilities were discovered in the Message Flows component. An attacker can possibly attack the management console, via that component, using reflected XSS. They can inject malicious scripts as part of the URL, which will be reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0382

XSS vulnerabilities were discovered in the Message Flows component. An attacker can possibly attack the management console, via that component, using reflected XSS. They can inject malicious scripts as part of the URL, which will be reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0329

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0240

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0235

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0214

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0203

Fixing the Local File Inclusion (LFI) vulnerability in LogViewer Admin Service

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0176

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
Carbon WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.3.0-0003

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.1.0-0326

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.1.0-0322

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Nov 11, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
Complex Event Processor WSO2-CARBON-PATCH-4.4.0-0538

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser’s Back button) and view that page without logging in, because the browser has cached it.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0329

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0241

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0235

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0214

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0203

Fixing the Local File Inclusion (LFI) vulnerability in LogViewer Admin Service

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.2.0-1826

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0177

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0176

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1154

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1262

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.4.0-0016

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.0.0-0661

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Among a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability was fixed by generating a new symmetric key, so that the attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed as described in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
Dashboard Server WSO2-CARBON-PATCH-4.4.0-0555

Following pages in the management console were found to be vulnerable to open redirect attacks, in the products mentioned here.
- XACML Policy Administration
- Identity Provider Management
- Workflow Management
- User Management
An attacker can possibly attack the above UI components, by modifying some query parameters that contain a URL value in management console context. They can modify the respective query parameter value such that the management console will redirect the request to the specified URL.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0546

An attacker with access to the WSO2 Management Console can input a malicious XXE payload in the try-it tool UI menu, or can attack directly with XML input, and disclose any file located in the file system. The reflected and stored XSS vulnerabilities allow deployment of malicious code in the application by providing a specially crafted URL to a user.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0533

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser’s Back button) and view that page without logging in, because the browser has cached it.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0514

Apache Axis2 1.6.2 uses commons-httpclient-3.1.0, and hostname verification should be enabled in commons-httpclient.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0463

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to a Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0445

When a new username and password are entered in a form and the form is submitted, the browser asks whether the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0427

Testing the connection from the WSO2 server’s management console while adding a secondary JDBC user store initiates an HTTP GET request that includes the connection credentials in URL query parameters. Thus, the database connection credentials are exposed and also get logged in HTTP access logs.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0421

The login page hosted in the WSO2 server's "authentication end point" web application is vulnerable to reflected XSS attacks, which enable attackers to inject client-side scripts into that page. The page used a weak output encoding mechanism that was not sufficient to escape malicious user input properly.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0384

The Apache Commons Collections library contains various classes in the "functor" package which are serializable and use reflection. This can be exploited for remote code execution attacks by injecting specially crafted objects to applications that de-serialize java objects from untrusted sources.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0355

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0340

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0331

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0329

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0243

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0235

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0214

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0203

Fixing the Local File Inclusion (LFI) vulnerability in LogViewer Admin Service

Security Advisory Link

Aug 12, 2016
Data Analytics Server WSO2-CARBON-PATCH-4.4.0-0538

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser’s Back button) and view that page without logging in, because the browser has cached it.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0452

When a new username and password are entered in a form and the form is submitted, the browser asks whether the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0348

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0329

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0240

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0235

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0214

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0203

Fixing the Local File Inclusion (LFI) vulnerability in LogViewer Admin Service

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0176

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store with the same username as the invoker (the attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0016

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
Data Services Server Update via WSO2 Update Manager

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser’s Back button) and view that page without logging in, because the browser has cached it.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0538

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser’s Back button) and view that page without logging in, because the browser has cached it.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0385

XSS vulnerabilities were discovered in the Message Flows component. An attacker can use reflected XSS against the management console via that component, injecting malicious scripts as part of the URL, which are then reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0382

XSS vulnerabilities were discovered in the Message Flows component. An attacker can use reflected XSS against the management console via that component, injecting malicious scripts as part of the URL, which are then reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0353

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0241

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0236

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0213

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0203

Fixing the Local File Inclusion (LFI) vulnerability in LogViewer Admin Service

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.2.0-1826

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0176

A user with the "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), so it can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.4.0-0016

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability has been fixed by generating a new symmetric key, so that the attacker would not be able to find out if the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
WSO2-CARBON-PATCH-4.0.0-0661

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
Elastic Load Balancer
WSO2-CARBON-PATCH-4.2.0-1826

A user with the "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), so it can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), so it can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.0.0-0661

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability has been fixed by generating a new symmetric key, so that the attacker would not be able to find out if the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
Enterprise Mobility Manager
WSO2-CARBON-PATCH-4.4.0-0546

An attacker with access to the WSO2 Management Console can input a malicious XXE script in the try-it tool UI menu, or can attack directly with XML input, and disclose any file located in the file system. The reflected and stored XSS vulnerabilities allow deployment of malicious code in the application by providing a specially crafted URL to a user.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0533

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser's Back button) and view that page without logging in, due to browser caching.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0514

Apache Axis2 1.6.2 uses commons-httpclient 3.1.0, and host name verification should be enabled in commons-httpclient.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0463

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to a Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0445

When a new username and password are entered in a form and the form is submitted, the browser asks whether the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0427

Testing the connection from the WSO2 server's management console while adding a secondary JDBC user store initiates an HTTP GET request that includes the connection credentials in URL query parameters. Thus, the database connection credentials are exposed and are also logged in HTTP access logs.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0421

The login page hosted in the WSO2 server's "authentication end point" web application is vulnerable to reflected XSS attacks, which enable attackers to inject client-side scripts into that page. The page used a weak output encoding mechanism that was not sufficient to escape malicious user input properly.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0384

The Apache Commons Collections library contains various classes in the "functor" package which are serializable and use reflection. This can be exploited for remote code execution attacks by injecting specially crafted objects to applications that de-serialize java objects from untrusted sources.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0358

Preventing possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0355

Preventing possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0331

Preventing possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0329

Preventing possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0240

Upgrade to Tomcat 7.0.69 to pick up Tomcat-level security fixes and support security headers in the HTTP response.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0235

Upgrade to Tomcat 7.0.69 to pick up Tomcat-level security fixes and support security headers in the HTTP response.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0214

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0203

Fixing the Local File Inclusion (LFI) vulnerability in the LogViewer admin service.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with the "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), so it can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0176

A user with the "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), so it can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1262

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability has been fixed by generating a new symmetric key, so that the attacker would not be able to find out if the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
Enterprise Service Bus
Update via WSO2 Update Manager

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser's Back button) and view that page without logging in, due to browser caching.

Security Advisory Link

Nov 08, 2016
Update via WSO2 Update Manager

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0237

Upgrade to Tomcat 7.0.69 to pick up Tomcat-level security fixes and support security headers in the HTTP response.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0218

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.2.0-1826

A user with the "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), so it can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0177

A user with the "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log directory (i.e. /repositories/logs), so it can be used to access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that all of the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the required permissions to the user in its user store who has the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.4.0-0016

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability has been fixed by generating a new symmetric key, so that the attacker would not be able to find out if the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
Enterprise Store
WSO2-CARBON-PATCH-4.4.0-0556

The following pages in the management console were found to be vulnerable to open redirect attacks, in the products mentioned here.
- XACML Policy Administration
- Identity Provider Management
- Workflow Management
- User Management
An attacker can possibly attack the above UI components by modifying some query parameters that contain a URL value in the management console context. They can modify the respective query parameter value such that the management console will redirect the request to the specified URL.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0543

An attacker with access to the WSO2 Management Console can input a malicious XXE script in the try-it tool UI menu, or can attack directly with XML input, and disclose any file located in the file system. The reflected and stored XSS vulnerabilities allow deployment of malicious code in the application by providing a specially crafted URL to a user.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0536

When a user browses a page that contains some sensitive data and then logs out from the management console, the user can still go back (by using the browser's Back button) and view that page without logging in, due to browser cache.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0463

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to a Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0448

When a new username and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0429

Testing the connection from the WSO2 server's management console while adding a secondary JDBC user store initiates an HTTP GET request that includes the connection credentials in URL query parameters. Thus, database connection credentials get exposed and also get logged in HTTP access logs.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0353

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0333

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0243

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0237

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0218

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0202

Fixing the Local File Inclusion (LFI) vulnerability in LogViewer Admin Service

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0201

Fixing the Local File Inclusion (LFI) vulnerability in LogViewer Admin Service

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0178

A user with "/permission/admin/monitor/logging" permission can read any file in the filesystem via getLineNumbers and getLogLinesFromFile operations in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. /repositories/logs), hence can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1154

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.4.0-0016

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm - used to encrypt symmetric keys as part of WS-Security - one attack exploits the fact that WSS4J leaks information on where particular decryption operations fail. This vulnerability had been fixed by generating a new symmetric key, so that the attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
Governance Registry WSO2-CARBON-PATCH-4.4.0-0543

An attacker with access to the WSO2 Management Console can input a malicious XXE payload in the try-it tool UI menu, or can attack directly with XML input, and disclose any file located in the file system. The reflected and stored XSS vulnerabilities allow deployment of malicious code in the application by means of providing a specifically crafted URL to a user.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0536

When a user browses a page that contains some sensitive data and then logs out from the management console, the user can still go back (by using the browser's Back button) and view that page without logging in, due to browser cache.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0463

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to a Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0448

When a new username and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0429

Testing the connection from the WSO2 server's management console while adding a secondary JDBC user store initiates an HTTP GET request that includes the connection credentials in URL query parameters. Thus, database connection credentials get exposed and also get logged in HTTP access logs.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0384

The Apache Commons Collections library contains various classes in the "functor" package which are serializable and use reflection. This can be exploited for remote code execution attacks by injecting specially crafted objects into applications that deserialize Java objects from untrusted sources.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0239

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0233

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0204

Fixing the Local File Inclusion (LFI) vulnerability in LogViewer Admin Service

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.2.0-1826

A user with "/permission/admin/monitor/logging" permission can read any file in the filesystem via getLineNumbers and getLogLinesFromFile operations in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. /repositories/logs), hence can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0178

A user with "/permission/admin/monitor/logging" permission can read any file in the filesystem via getLineNumbers and getLogLinesFromFile operations in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. /repositories/logs), hence can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0177

A user with "/permission/admin/monitor/logging" permission can read any file in the filesystem via getLineNumbers and getLogLinesFromFile operations in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. /repositories/logs), hence can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0176

A user with "/permission/admin/monitor/logging" permission can read any file in the filesystem via getLineNumbers and getLogLinesFromFile operations in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. /repositories/logs), hence can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0179

A user with "/permission/admin/monitor/logging" permission can read any file in the filesystem via getLineNumbers and getLogLinesFromFile operations in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. /repositories/logs), hence can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1154

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.4.0-0016

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.0.0-0661

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to exploit a website by having unauthorized commands transmitted from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm - used to encrypt symmetric keys as part of WS-Security - one attack exploits the fact that WSS4J leaks information on where particular decryption operations fail. This vulnerability had been fixed by generating a new symmetric key, so that the attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
Identity Server Update via WSO2 Update Manager

When a user browses a page that contains some sensitive data and then logs out from the management console, the user can still go back (by using the browser's Back button) and view that page without logging in, due to browser cache.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0355

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0331

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0329

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0247

Preventing a possible session fixation vulnerability in SAML SSO authentication flow in Carbon Authenticator

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0241

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0235

Upgrade to Tomcat 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Response

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0231

Fixing XML External Entity (XXE) vulnerability in the XACML flow.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0214

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0203

Fixing the Local File Inclusion (LFI) vulnerability in LogViewer Admin Service

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.2.0-1826

A user with "/permission/admin/monitor/logging" permission can read any file in the filesystem via getLineNumbers and getLogLinesFromFile operations in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. /repositories/logs), hence can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with "/permission/admin/monitor/logging" permission can read any file in the filesystem via getLineNumbers and getLogLinesFromFile operations in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. /repositories/logs), hence can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0176

A user with "/permission/admin/monitor/logging" permission can read any file in the filesystem via getLineNumbers and getLogLinesFromFile operations in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. /repositories/logs), hence can access any file in the file system.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0092

Identity Server uses a cookie called commonAuthId to maintain the SSO session data of the current session. The session data persistence feature enables this session data to be persisted in the Identity Server. When persistence is enabled, the persisted session should be correctly updated to the "DELETE" operation state upon logout. When a login request is sent, Identity Server looks for the latest session and uses it if that session is still active. Because the persisted session is not properly removed after logout, the previous session can be used to log in to the application without providing credentials.

March 09, 2016
WSO2-CARBON-PATCH-4.4.0-0079

WSO2 Identity Server's Passive STS feature contains a Session Hijacking vulnerability, because the HTTP request parameter named "SessionDataKey", which is used to maintain request state, is not invalidated from the cache once it has been used.

Feb 22, 2016
WSO2-CARBON-PATCH-4.4.0-0073

When the Tenant List Dropdown feature is enabled in WSO2 Identity Server, an external party can modify the list of tenants displayed on the login page of the authentication endpoint webapp.

Feb 17, 2016
WSO2-CARBON-PATCH-4.4.0-0047

WSO2 Identity Server Dashboard exposes a session cookie value, and the relevant backend session is not invalidated properly upon logout. Furthermore, Dashboard allows its users to access the pages over HTTP rather than enforcing HTTPS, which could result in sensitive information leakage.

Jan 26, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1193

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1235

WSO2 Identity Server versions 4.5.0 / 4.6.0 / 5.0.0 are vulnerable to an elevation of privilege attack. This vulnerability allows attackers to reset the password of another user in the system by executing certain operations in the UserIdentityManagementAdminService service. This can result in a user having only 'login' permission gaining privileged access to the system. The attack is only possible if the attacker has a valid WSO2 Identity Server account.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1262

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1268

WSO2 Identity Server versions 4.5.0 / 4.6.0 / 5.0.0 are vulnerable to an elevation of privilege attack. This vulnerability allows attackers to reset the password of another user in the system by executing certain operations in the UserIdentityManagementAdminService service. This can result in a user having only 'login' permission gaining privileged access to the system. The attack is only possible if the attacker has a valid WSO2 Identity Server account.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1270

WSO2 Identity Server versions 4.5.0 / 4.6.0 / 5.0.0 are vulnerable to an elevation of privilege attack. This vulnerability allows attackers to reset the password of another user in the system by executing certain operations in the UserIdentityManagementAdminService service. This can result in a user having only 'login' permission gaining privileged access to the system. The attack is only possible if the attacker has a valid WSO2 Identity Server account.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.0.0-0661

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability has been fixed by generating a new symmetric key, so that the attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed as described in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
WSO2-CARBON-PATCH-4.2.0-1194

XML External Entity (XXE) attack: The XXE attack is targeted at the federated SAML2 SSO authentication flow and can be carried out by modifying the SAMLRequest or SAMLResponse parameters. This attack may lead to disclosure of confidential data, denial of service, port scanning from the machine where the parser is located, and other system impacts.

May 13, 2015
WSO2-CARBON-PATCH-4.2.0-1256

The XSS attack enables attackers to inject client-side scripts into web pages viewed by other users. This attack may lead to attackers bypassing access controls such as the same-origin policy. The CSRF attack forces an end user to execute unwanted actions on a web application in which they're currently authenticated. This attack may lead to malicious exploitation of a website, where unauthorized commands are transmitted from a user that the website trusts.

May 13, 2015
Machine Learner WSO2-CARBON-PATCH-4.4.0-0538

When a user browses a page that contains sensitive data and then logs out of the management console, they can still go back (using the browser's Back button) and view that page without logging in, due to browser caching.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0452

When a new username and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0353

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0243

Upgrade to Tomcat 7.0.69 to support Tomcat-level security fixes and security headers in the HTTP response.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0235

Upgrade to Tomcat 7.0.69 to support Tomcat-level security fixes and security headers in the HTTP response.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0214

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0202

Fixing the Local File Inclusion (LFI) vulnerability in the LogViewer Admin Service.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0177

A user with "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
Message Broker WSO2-CARBON-PATCH-4.4.0-0556

Following pages in the management console were found to be vulnerable to open redirect attacks, in the products mentioned here.
- XACML Policy Administration
- Identity Provider Management
- Workflow Management
- User Management
An attacker can possibly attack the above UI components by modifying some query parameters that contain a URL value in the management console context. They can modify the respective query parameter value such that the management console will redirect the request to the specified URL.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0546

An attacker with access to the WSO2 Management Console can input a malicious XXE payload in the try-it tool UI menu, or can attack directly with XML input, and disclose any file located on the file system. The reflected and stored XSS vulnerabilities allow deployment of malicious code in the application by providing a specifically crafted URL to a user.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0533

When a user browses a page that contains sensitive data and then logs out of the management console, they can still go back (using the browser's Back button) and view that page without logging in, due to browser caching.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0514

Apache Axis2 1.6.2 uses commons-httpclient-3.1.0, and host name verification should be enabled in commons-httpclient.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0463

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to a Remote Security Bypass Vulnerability.

Security Advisory Link

Nov 08, 2016
WSO2-CARBON-PATCH-4.4.0-0445

When a new username and password are entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0431

Testing the connection from the WSO2 server's management console while adding a secondary JDBC user store initiates an HTTP GET request that includes the connection credentials in URL query parameters. Thus, database connection credentials are exposed and are also logged in HTTP access logs.

Security Advisory Link

Oct 31, 2016
WSO2-CARBON-PATCH-4.4.0-0386

XSS vulnerabilities were discovered in the Message Flows component. An attacker can possibly attack the management console via that component using reflected XSS: malicious scripts injected as part of the URL are reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0382

XSS vulnerabilities were discovered in the Message Flows component. An attacker can possibly attack the management console via that component using reflected XSS: malicious scripts injected as part of the URL are reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0370

The Carbon Metrics component of WSO2 products was discovered to be vulnerable to XSS attacks. An attacker can possibly attack the management console via that component using reflected XSS: malicious scripts injected as part of the URL are reflected in that component's pages.

Security Advisory Link

Sep 30, 2016
WSO2-CARBON-PATCH-4.4.0-0353

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

Security Advisory Link

Aug 31, 2016
WSO2-CARBON-PATCH-4.4.0-0235

Upgrade to Tomcat 7.0.69 to support Tomcat-level security fixes and security headers in the HTTP response.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0214

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.4.0-0203

Fixing the Local File Inclusion (LFI) vulnerability in the LogViewer Admin Service.

Security Advisory Link

Aug 12, 2016
WSO2-CARBON-PATCH-4.2.0-1825

A user with "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0176

A user with "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.4.0-0044

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0042

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.4.0-0043

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.1.0-0326

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0665

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0667

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0666

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.0.0-0664

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.4.0-0016

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.1.0-0324

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.0.0-0661

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability has been fixed by generating a new symmetric key, so that the attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed as described in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
Private PaaS WSO2-CARBON-PATCH-4.2.0-1825

A user with "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
Storage Server WSO2-CARBON-PATCH-4.2.0-1825

A user with "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.3.0-0004

A user with "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.3.0-0003

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.1.0-0326

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.3.0-0001

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.1.0-0324

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.1.0-0322

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Nov 11, 2015
WSO2-CARBON-PATCH-4.2.0-1464

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.

Oct 11, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability has been fixed by generating a new symmetric key, so that the attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed as described in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015
Task Server WSO2-CARBON-PATCH-4.2.0-1825

A user with "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), so any file in the file system can be accessed.

May 09, 2016
WSO2-CARBON-PATCH-4.2.0-1699

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the appropriate level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Jan 15, 2016
WSO2-CARBON-PATCH-4.2.0-1261

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Dec 11, 2015
WSO2-CARBON-PATCH-4.2.0-1636

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on how the vulnerability is exploited can be found here.

Nov 25, 2015
WSO2-CARBON-PATCH-4.2.0-1095

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability has been fixed by generating a new symmetric key, so that the attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed as described in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Jun 03, 2015