2010/01/12

Security Fix: WSO2 Carbon 2.0.x (January 12, 2010)

  • Senaka Fernando
  • Director Solutions Architecture - WSO2


1. Introduction

In default installations of WSO2 Carbon 2.0.x based products, users may be able to access resources stored in the registry repository through the RESTful API without logging in.

This issue applies to the registry component of all Carbon 2.0.x products, including WSO2 Governance Registry.

Please note that this issue does not apply to products based on versions of the WSO2 Carbon platform prior to 2.0.0.

2. Cause

On a standard installation, the default permission settings of WSO2 Carbon 2.0.0 and later versions grant all users read access to every resource in the registry.

3. Resolution

This patch adds a new user, guest, who belongs to the role guests. The RESTful API uses an instance of the registry belonging to the user guest. This user does not inherit any of the read permissions that have been granted, and is therefore unable to browse or access resources.

Please note that you do not need to run cleanCache. Running cleanCache will remove previously installed P2 features.

WSO2 Carbon 2.0.0 based products → upgrade to WSO2 Carbon 2.0.2 and then apply this patch

WSO2 Web Services Application Server 3.1.0 → WSO2 Web Services Application Server 3.1.2 and then apply this patch
WSO2 Enterprise Service Bus 2.1.0 → WSO2 Enterprise Service Bus 2.1.2 and then apply this patch
WSO2 Governance Registry 3.0.0 → WSO2 Governance Registry 3.0.2 and then apply this patch
WSO2 Identity Server 2.0.0 → WSO2 Identity Server 2.0.2 and then apply this patch

WSO2 Carbon 2.0.1 based products → upgrade to WSO2 Carbon 2.0.2 and then apply this patch

WSO2 Web Services Application Server 3.1.1 → WSO2 Web Services Application Server 3.1.2 and then apply this patch
WSO2 Enterprise Service Bus 2.1.1 → WSO2 Enterprise Service Bus 2.1.2 and then apply this patch
WSO2 Governance Registry 3.0.1 → WSO2 Governance Registry 3.0.2 and then apply this patch
WSO2 Identity Server 2.0.1 → WSO2 Identity Server 2.0.2 and then apply this patch
WSO2 Mashup Server 2.0.0 → WSO2 Mashup Server 2.0.1 and then apply this patch

WSO2 Carbon 2.0.2 based products → apply this patch

WSO2 Web Services Application Server 3.1.2 → apply this patch
WSO2 Enterprise Service Bus 2.1.2 → apply this patch
WSO2 Governance Registry 3.0.2 → apply this patch
WSO2 Identity Server 2.0.2 → apply this patch
WSO2 Mashup Server 2.0.1 → apply this patch
WSO2 Business Process Server 1.1.0 → apply this patch
WSO2 Data Services Server 2.2.0 → apply this patch

4. Known Limitations

1. If there is an internal user called guest, this patch will not solve this security issue.

Workaround:

Remove the guest user before applying the patch. Instructions to search for users by user name can be found at https://wso2.org/project/registry/3.0.2/docs/user/docs/userguide.html. Please note that this will remove all the current permissions granted to this user.
Once the patch has been applied, a user by the name guest will be created automatically. All previously assigned permissions will have to be added manually.
2. The older Atom-based Remote Registry model does not work with this patch

Workaround:

Switch to the new JDBC-based Remote Registry model.
3. This patch creates a user called guest by default. Hence, if there is a user called guest in an external user store (e.g. LDAP, AD), that user will no longer be able to use the product on which this patch has been applied. This is because the automatically created internal guest user takes precedence over the guest user in the external user store.
4. If there is a user called guest in an external user store (e.g. LDAP, AD) with permissions to read, write or delete resources, such permissions will be inherited by the automatically created guest user.

Workaround:

Remove the existing permissions of the guest user, either before or after applying this patch. Instructions on changing registry resource permissions can be found at https://wso2.org/project/registry/3.0.2/docs/user_guide/resource_ui.html#Permissions.
5. If a role called guests with read privileges on the registry exists before this patch is applied, the patch will not take effect.

Workaround:

Remove the existing guests role. Please note that this removes all permissions currently granted to that role. Once the patch has been applied, a role named guests is created automatically, and all previously assigned permissions have to be added again manually.
Note that, due to a limitation in the current implementation, a role cannot be renamed; this is why the role has to be removed rather than renamed.
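The following is an added example, not WSO2 code: a small model of the registry's role-based read permissions that shows why the patch blocks unauthenticated reads (Resolution) and why it is ineffective under known limitations 4 and 5. The "everyone" role name, the path layout and the inheritance of grants down the path tree are assumptions of the model; only the names guest and guests come from the advisory.

```python
# Added illustration of the advisory's permission logic; not WSO2 code.
# Assumptions: grants on a parent path cover its subtree, and every
# ordinary user holds a default role named "everyone" (assumed name).

EVERYONE = "everyone"                         # assumed default role name
GUEST_USER, GUEST_ROLE = "guest", "guests"    # names from the advisory


def ancestors(path):
    """'/a/b' -> ['/', '/a', '/a/b']; used for inherited grants."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]


def can_read(acl, user_roles, user, path):
    """acl: {path: set of roles granted read}; user_roles: {user: set of roles}."""
    roles = user_roles.get(user, set())
    return any(acl.get(p, set()) & roles for p in ancestors(path))


def rest_read(acl, user_roles, path, patched):
    """Outcome of an unauthenticated RESTful read of `path`.
    Unpatched: the request benefits from the 'all users' grant (modelled
    as the default role).  Patched: the request runs as user guest."""
    if not patched:
        return any(EVERYONE in acl.get(p, set()) for p in ancestors(path))
    return can_read(acl, user_roles, GUEST_USER, path)


def patch_effective(acl, user_roles):
    """Audit for limitations 4 and 5: the patch only helps if neither the
    guests role nor any other role held by user guest carries a read
    grant.  Returns (ok, [(path, role), ...]) listing offending grants."""
    guest_roles = user_roles.get(GUEST_USER, {GUEST_ROLE}) | {GUEST_ROLE}
    findings = [(path, r) for path, roles in acl.items()
                for r in sorted(roles & guest_roles)]
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed sample: the default "read for everyone" grant on the root.
    acl = {"/": {EVERYONE}, "/_system/governance": {"admin"}}
    users = {"admin": {"admin", EVERYONE}, GUEST_USER: {GUEST_ROLE}}
    print("unpatched anonymous read:", rest_read(acl, users, "/_system/governance/svc", False))
    print("patched anonymous read:  ", rest_read(acl, users, "/_system/governance/svc", True))
    print("patch effective:", patch_effective(acl, users))
```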
5. This Fix Applies To

WSO2 Carbon 2.0.0

WSO2 Web Services Application Server 3.1.0
WSO2 Enterprise Service Bus 2.1.0
WSO2 Governance Registry 3.0.0
WSO2 Identity Server 2.0.0


WSO2 Carbon 2.0.1

WSO2 Web Services Application Server 3.1.1
WSO2 Enterprise Service Bus 2.1.1
WSO2 Governance Registry 3.0.1
WSO2 Identity Server 2.0.1
WSO2 Mashup Server 2.0.0


WSO2 Carbon 2.0.2

WSO2 Web Services Application Server 3.1.2
WSO2 Enterprise Service Bus 2.1.2
WSO2 Governance Registry 3.0.2
WSO2 Identity Server 2.0.2
WSO2 Mashup Server 2.0.1
WSO2 Business Process Server 1.1.0
WSO2 Data Services Server 2.2.0
Author

Senaka Fernando, Software Engineer, WSO2 Inc., senaka at wso2 dot com