Security Fix: WSO2 Carbon 2.0.x (January 12, 2010)
- Senaka Fernando
- Director Solutions Architecture - WSO2
1. Introduction
Please note that this issue does not apply to products based on versions of the WSO2 Carbon platform prior to 2.0.0.
2. Cause
3. Resolution
- Important: Please upgrade to WSO2 Carbon version 2.0.2 before you apply this patch.
- Refer to the README.txt file (inside wso2carbon-security-fix-2.0.2.zip) explaining installation instructions.
This patch adds a new user named guest, who belongs to the role guests. The RESTful API will use an instance of the registry belonging to the user guest. This user does not inherit any of the specified read permissions, and is therefore unable to browse or access resources.
Please note that you do not need to use cleanCache. Using cleanCache will remove previously installed P2 features.
WSO2 Carbon 2.0.0 based products → upgrade to WSO2 Carbon 2.0.2 and then apply this patch
WSO2 Web Services Application Server 3.1.0 → upgrade to WSO2 Web Services Application Server 3.1.2 and then apply this patch
WSO2 Enterprise Service Bus 2.1.0 → upgrade to WSO2 Enterprise Service Bus 2.1.2 and then apply this patch
WSO2 Governance Registry 3.0.0 → upgrade to WSO2 Governance Registry 3.0.2 and then apply this patch
WSO2 Identity Server 2.0.0 → upgrade to WSO2 Identity Server 2.0.2 and then apply this patch
WSO2 Carbon 2.0.1 → upgrade to WSO2 Carbon 2.0.2 and then apply this patch
WSO2 Web Services Application Server 3.1.1 → upgrade to WSO2 Web Services Application Server 3.1.2 and then apply this patch
WSO2 Enterprise Service Bus 2.1.1 → upgrade to WSO2 Enterprise Service Bus 2.1.2 and then apply this patch
WSO2 Governance Registry 3.0.1 → upgrade to WSO2 Governance Registry 3.0.2 and then apply this patch
WSO2 Identity Server 2.0.1 → upgrade to WSO2 Identity Server 2.0.2 and then apply this patch
WSO2 Mashup Server 2.0.0 → upgrade to WSO2 Mashup Server 2.0.1 and then apply this patch
WSO2 Carbon 2.0.2 → apply this patch
WSO2 Web Services Application Server 3.1.2 → apply this patch
WSO2 Enterprise Service Bus 2.1.2 → apply this patch
WSO2 Governance Registry 3.0.2 → apply this patch
WSO2 Identity Server 2.0.2 → apply this patch
WSO2 Mashup Server 2.0.1 → apply this patch
WSO2 Business Process Server 1.1.0 → apply this patch
WSO2 Data Services Server 2.2.0 → apply this patch
4. Known Limitations
1. If there is an internal user called guest, this patch will not solve this security issue.
Remove the guest user before applying the patch. Instructions for searching for users by user name can be found at https://wso2.org/project/registry/3.0.2/docs/user/docs/userguide.html. Please note that this will remove all of the permissions currently granted to this user.
Once the patch has been applied, a user by the name guest will be created automatically. All previously assigned permissions will have to be added manually.
2. The older Atom-based Remote Registry model does not work with this patch.
Switch to the new JDBC-based Remote Registry model.
3. The internal guest user takes precedence over the guest user in an external user store.
Remove the existing guests role. Please note that this will remove all of the permissions currently granted to this role. Once the patch has been applied, a role by the name guests will be created automatically. All previously assigned permissions will have to be added manually.
Note that, due to a limitation in the current implementation, a role cannot be renamed; hence the instructions above.
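The following is an added example, not code from the patch or from WSO2 Carbon. It models the permission logic that section 3 describes (a dedicated guest principal in a guests role that holds no read grants, so a registry instance bound to it cannot browse anything) and the post-install check that Known Limitation 1 calls for: if a guest user already existed with read permissions, the patch does not replace it and anonymous callers can still browse whatever that user could read. The Realm class, the sample registry tree and all function names are constructed for this illustration; registry-style inheritance of a grant down the path tree is assumed.

```python
"""Constructed model (not WSO2 code) of a least-privilege 'guest' principal
used for anonymous registry access, plus a post-install verification check."""
from dataclasses import dataclass, field

READ = "read"
GUEST_USER = "guest"
GUESTS_ROLE = "guests"

# Constructed sample registry tree (path -> direct children); not real Carbon data.
SAMPLE_REGISTRY = {
    "/": ["/_system"],
    "/_system": ["/_system/config", "/_system/governance"],
    "/_system/config": ["/_system/config/repository"],
    "/_system/governance": [],
    "/_system/config/repository": [],
}


@dataclass
class Realm:
    """Minimal user store model: users carry roles, roles carry grants of
    actions on registry paths. A grant on a collection applies to everything
    beneath it (assumed, to mirror permission inheritance down a tree)."""
    user_roles: dict = field(default_factory=dict)   # user -> set(role)
    role_grants: dict = field(default_factory=dict)  # role -> {path: set(action)}

    def add_role(self, role, grants=None):
        self.role_grants.setdefault(role, {})
        for path, actions in (grants or {}).items():
            self.role_grants[role].setdefault(path, set()).update(actions)

    def add_user(self, user, roles):
        self.user_roles.setdefault(user, set()).update(roles)
        for role in roles:
            self.add_role(role)


def _covers(granted_path, resource):
    """True if a grant on granted_path applies to resource (itself or a descendant)."""
    if granted_path == "/":
        return True
    return resource == granted_path or resource.startswith(granted_path + "/")


def is_authorized(realm, user, resource, action):
    """Effective permission check: the user may perform the action only if one
    of its roles holds a grant covering the resource. Nothing is granted by default."""
    for role in realm.user_roles.get(user, set()):
        for path, actions in realm.role_grants.get(role, {}).items():
            if action in actions and _covers(path, resource):
                return True
    return False


def browse(realm, registry, user, resource):
    """What an anonymous-facing API layer does when it lists a collection through
    a registry instance bound to `user`: deny unless that user can read it."""
    if not is_authorized(realm, user, resource, READ):
        raise PermissionError(f"{user} may not read {resource}")
    return list(registry.get(resource, []))


def apply_fix(realm):
    """Model of the patch: create role 'guests' with no grants and user 'guest'
    in it. Returns False if a 'guest' user already existed, the situation
    Known Limitation 1 warns about (the pre-existing user is left untouched)."""
    if GUEST_USER in realm.user_roles:
        return False
    realm.add_role(GUESTS_ROLE)
    realm.add_user(GUEST_USER, {GUESTS_ROLE})
    return True


def guest_readable_paths(realm, registry):
    """Post-install check: every registry path the guest principal can read.
    After a clean install this must be empty."""
    return sorted(p for p in registry if is_authorized(realm, GUEST_USER, p, READ))


def demo():
    # Clean realm: only an admin exists. The fix creates a guest that reads nothing.
    clean = Realm()
    clean.add_user("admin", {"admin"})
    clean.add_role("admin", {"/": {READ, "write"}})
    assert apply_fix(clean)
    assert guest_readable_paths(clean, SAMPLE_REGISTRY) == []

    # Realm with a pre-existing 'guest' holding read access: the fix does not
    # replace it, so the check reports what anonymous callers could still browse.
    stale = Realm()
    stale.add_user(GUEST_USER, {"everyone"})
    stale.add_role("everyone", {"/_system/config": {READ}})
    created = apply_fix(stale)
    return created, guest_readable_paths(stale, SAMPLE_REGISTRY)


if __name__ == "__main__":
    print(demo())
```

The check in guest_readable_paths is the invariant an operator would want to confirm after installing the patch: the principal the anonymous API runs as should have no effective read grant anywhere in the tree, and a non-empty result points at the leftover user or role that the Known Limitations section says must be removed before the patch is applied.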
5. This Fix Applies To
WSO2 Enterprise Service Bus 2.1.0
WSO2 Governance Registry 3.0.0
WSO2 Identity Server 2.0.0
WSO2 Enterprise Service Bus 2.1.1
WSO2 Governance Registry 3.0.1
WSO2 Identity Server 2.0.1
WSO2 Mashup Server 2.0.0
WSO2 Enterprise Service Bus 2.1.2
WSO2 Governance Registry 3.0.2
WSO2 Identity Server 2.0.2
WSO2 Mashup Server 2.0.1
WSO2 Business Process Server 1.1.0
WSO2 Data Services Server 2.2.0
Author
Senaka Fernando, Software Engineer, WSO2 Inc., senaka at wso2 dot com