Security Patch Releases

Dashboard Server


Security Patch | Product Version | Description
WSO2-CARBON-PATCH-4.4.0-1670 | 2.0.0 | Release Date - Dec 19, 2017

With the Apache Tomcat upgrade, the following CVE (Common Vulnerabilities and Exposures entry) is fixed: CVE-2017-12616, information disclosure.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0235 | 2.0.0 | Release Date - Sep 4, 2017

With the Apache Tomcat upgrade, the following CVE is fixed: CVE-2017-5647, information disclosure.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0887 | 2.0.0 | Release Date - Sep 4, 2017

With the Apache Tomcat upgrade, the following CVE is fixed: CVE-2017-5647, information disclosure.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-1134 | 2.0.0 | Release Date - Sep 4, 2017

With the Apache Tomcat upgrade, the following CVE is fixed: CVE-2017-5647, information disclosure.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-1121 | 2.0.0 | Release Date - Sep 4, 2017

In the Carbon Tenant Management UI, an XSS attack can be performed by injecting a malicious script as user input through the Carbon Management Console. This issue has been fixed in the affected component versions with the security patch/update provided for the specific products.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-1174 | 2.0.0 | Release Date - Sep 4, 2017

This vulnerability was discovered in the Add User Store page of the Management Console. However, exploiting it remotely is not possible, because the malicious script would have to be injected into a textbox after the page has been loaded in the user's own browser, where it would run as a result of a JavaScript event bound to that textbox (a self-XSS rather than a remotely triggerable one).

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-1193 | 2.0.0 | Release Date - Sep 4, 2017

A stored XSS attack could be performed in the Management Console by filling a form field with a harmful script that is later executed when a UI action is performed on that data. This was possible because the utility JavaScript function used to display the pop-up messages for that UI action did not properly encode its input to prevent XSS.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-1202 | 2.0.0 | Release Date - Sep 4, 2017

A stored XSS attack could be performed in the Management Console by filling a form field with a harmful script that is later executed when a UI action is performed on that data. This was possible because the utility JavaScript function used to display the pop-up messages for that UI action did not properly encode its input to prevent XSS.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-1322 | 2.0.0 | Release Date - Sep 4, 2017

A reflected XSS attack could be performed in the Registry Browser of the Management Console by sending an HTTP GET request with a harmful request parameter.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-1407 | 2.0.0 | Release Date - Sep 4, 2017

This vulnerability was discovered in the message dialog page of the Management Console. However, exploiting it remotely is not possible, because the malicious script would have to be injected into an input by the user and that input then displayed back to the same user in a message dialog box.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0837 | 2.0.0 | Release Date - Apr 30, 2017

The Management Console is vulnerable to a potential authorization bypass in the email templates page.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0894 | 2.0.0 | Release Date - Apr 30, 2017

The Management Console is vulnerable to potential sensitive data exposure through the advanced search option.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0882 | 2.0.0 | Release Date - Apr 30, 2017

The tenant creation page of WSO2 products auto-completes the password field in the user's web browser when a password has been stored in the browser.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-1017 | 2.0.0 | Release Date - Apr 30, 2017

The Management Console is vulnerable to a potential authentication bypass that lets attackers view a restricted web page.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0644 | 2.0.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in the Carbon Governance, Carbon Registry, Tenant Management and Carbon Webapp Management components.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0656 | 2.0.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in the Carbon Governance, Carbon Registry, Tenant Management and Carbon Webapp Management components.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0757 | 2.0.0 | Release Date - Jan 31, 2017

Potential stored XSS vulnerability in the WSO2 Server Roles Management UI component.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0723 | 2.0.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in the WSO2 Carbon UI and Message Flows UI components.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0463 | 2.0.0 | Release Date - Nov 8, 2016

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to a remote security bypass vulnerability.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0514 | 2.0.0 | Release Date - Nov 8, 2016

Apache Axis2 1.6.2 uses commons-httpclient-3.1.0, and host name verification should be enabled in commons-httpclient. Without host name verification, a certificate that is valid for any host is accepted for every host, which leaves outbound TLS connections open to man-in-the-middle attacks.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0546 | 2.0.0 | Release Date - Nov 8, 2016

An attacker with access to the WSO2 Management Console can submit a malicious XXE payload through the Try-it tool UI, or attack directly with crafted XML input, and disclose any file on the file system that the server process can read. The reflected and stored XSS vulnerabilities allow malicious code to be run in the application by providing a specifically crafted URL to a user.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0533 | 2.0.0 | Release Date - Nov 8, 2016

When a user browses a page containing sensitive data and then logs out of the management console, the user can still go back (using the browser's Back button) and view that page without logging in again, because the page is served from the browser cache. The usual remedy is to send Cache-Control: no-store on authenticated pages so the browser never retains them.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0555 | 2.0.0 | Release Date - Nov 8, 2016

The following pages in the management console were found to be vulnerable to open redirect attacks, in the products mentioned here:
- XACML Policy Administration
- Identity Provider Management
- Workflow Management
- User Management
An attacker can attack the above UI components by modifying query parameters that carry a URL value in the management console context, so that the management console redirects the request to a URL of the attacker's choosing.

Security Advisory Link
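To make the mitigation for the open-redirect entry above concrete, the following Python validator is added here; it is an illustration, not WSO2 code. CONSOLE_HOST and DEFAULT_TARGET are assumed values, and the value being checked is whatever query parameter the affected page uses to carry a URL.

```python
from urllib.parse import urlsplit

# Assumed values for this example (not from the advisory): the host the console is
# served on, and the page to fall back to when a redirect parameter is rejected.
CONSOLE_HOST = "carbon.example.com"
DEFAULT_TARGET = "/carbon/admin/index.jsp"


def safe_redirect_target(value, host=CONSOLE_HOST, default=DEFAULT_TARGET):
    """Return `value` only if following it keeps the browser on the console;
    otherwise return `default`. Allow-list style: anything unrecognised is rejected."""
    if not value:
        return default
    # Control characters (tab, CR, LF) make URL parsers and browsers disagree
    # about where the host ends; refuse them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//evil") URL: accept only https to our host.
        # .hostname strips userinfo and port, so "https://host@evil" resolves to "evil".
        if parts.scheme == "https" and parts.hostname == host.lower():
            return value
        return default
    # Browsers treat "/\evil" like "//evil"; urlsplit does not, so check it explicitly.
    if "\\" in value:
        return default
    # Must be an absolute-path reference within the console.
    if not value.startswith("/") or value.startswith("//"):
        return default
    return value


if __name__ == "__main__":
    for candidate in ("/carbon/admin/login.jsp", "//evil.example/phish",
                      "https://carbon.example.com@evil.example/", "/\\evil.example"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The check is deliberately an allow-list: a same-site absolute path or an https URL whose parsed hostname is exactly the console host passes, and every other shape (other schemes, other hosts, userinfo tricks, backslashes, protocol-relative URLs) falls back to the default page.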
WSO2-CARBON-PATCH-4.4.0-0384 | 2.0.0 | Release Date - Oct 31, 2016

The Apache Commons Collections library contains various classes in the "functor" package that are serializable and use reflection. This can be exploited for remote code execution by injecting specially crafted objects into applications that deserialize Java objects from untrusted sources. Upgrading the library removes this particular gadget chain, but any endpoint that still deserializes untrusted input remains exposed to other gadget chains on the classpath.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0445 | 2.0.0 | Release Date - Oct 31, 2016

When a new username and password are entered in a form and the form is submitted, the browser asks whether the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically, or are completed as the username is entered.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0427 | 2.0.0 | Release Date - Oct 31, 2016

Testing the connection from the WSO2 server's management console while adding a secondary JDBC user store initiates an HTTP GET request that carries the connection credentials in URL query parameters. The database connection credentials are therefore exposed in the URL and are also recorded in the HTTP access logs.

Security Advisory Link
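The following Python example is added here (it is not WSO2 code) to show what such a leak looks like in a Tomcat access log, how to find it, and how to redact the log afterwards. The log lines and the endpoint path are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Parameter names that must never travel in a query string. Extend per deployment.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "connectionpassword"}

# Constructed sample log lines (not from any real server); the endpoint path is hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - admin [31/Oct/2016:10:15:32 +0000] "GET /carbon/userstore/test-connection.jsp'
    '?url=jdbc%3Amysql%3A%2F%2Fdb%3A3306%2Fusers&username=wso2&password=S3cret%21 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [31/Oct/2016:10:15:40 +0000] "POST /carbon/userstore/add-user-store.jsp HTTP/1.1" 302 -',
    '10.0.0.9 - - [31/Oct/2016:10:16:01 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 2048',
]


def find_leaked_credentials(lines):
    """Return one finding per sensitive query parameter seen in a request line.
    The secret itself is not copied into the finding, only its length."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if key.lower() in SENSITIVE_KEYS:
                findings.append({
                    "client": m.group("host"),
                    "time": m.group("time"),
                    "method": m.group("method"),
                    "path": target.path,
                    "param": key,
                    "value_len": len(value),
                })
    return findings


def redact_target(target):
    """Rewrite a request target so sensitive query values are masked, for logs
    that must be retained or shared after a leak like the one above."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if not pairs:
        return target
    return parts.path + "?" + urlencode(pairs)


if __name__ == "__main__":
    for finding in find_leaked_credentials(SAMPLE_LOG):
        print(finding)
```

The same scan applies to reverse-proxy and load-balancer logs in front of the console, which record the identical query string; once a secret has been logged it should be treated as compromised and rotated, not merely redacted.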
WSO2-CARBON-PATCH-4.4.0-0421 | 2.0.0 | Release Date - Sep 30, 2016

The login page hosted in the WSO2 server's "authentication endpoint" web application is vulnerable to reflected XSS, which enables attackers to inject client-side scripts into that page. The page used a weak output encoding mechanism that was not sufficient to escape malicious user input properly.

Security Advisory Link
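The message-dialog, Registry Browser and login-page entries above all come down to output encoding that does not match the context the data lands in. The following Python example is added here to illustrate the fix and is not WSO2 code: the messageBox markup and the showMessage call are hypothetical stand-ins for the console's own utility function, and PAYLOAD is a constructed sample input.

```python
import html
from urllib.parse import parse_qs

# Constructed sample input for this example: the kind of string an attacker would
# store in a form field, or reflect through a GET parameter, to reach the dialog.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_message_vulnerable(msg):
    """'Before' form: the message is concatenated into the dialog markup unencoded,
    so a stored payload is parsed as HTML when the dialog is shown."""
    return '<div class="messageBox">' + msg + '</div>'


def render_message(msg):
    """Hardened form: HTML-encode for element content; quote=True also covers
    attribute values (double and single quotes)."""
    return '<div class="messageBox">' + html.escape(msg, quote=True) + '</div>'


def render_search_form(query_string):
    """Reflect a GET parameter back into an attribute value (the shape of the
    Registry Browser reflected XSS) with attribute-safe encoding."""
    params = parse_qs(query_string, keep_blank_values=True)
    q = params.get("q", [""])[0]
    return '<input type="text" name="q" value="' + html.escape(q, quote=True) + '">'


def js_string_literal(msg):
    """Encode for a JavaScript *string* context, e.g. showMessage('<here>').
    HTML entity encoding is the wrong tool there: a JS engine does not decode
    entities, while a bare quote or </script> does break out of the literal."""
    out = []
    for ch in msg:
        if ch in "\\'\"<>&\n\r\u2028\u2029" or ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_popup_script(msg):
    """Emit the inline call a console page would generate, with the message
    encoded for the JS string context it lands in."""
    return "<script>showMessage('" + js_string_literal(msg) + "');</script>"


if __name__ == "__main__":
    print(render_message_vulnerable(PAYLOAD))   # payload survives as live markup
    print(render_message(PAYLOAD))              # payload is inert text
    print(render_popup_script("It's done </script><script>alert(1)</script>"))
```

The point of the two encoders is that "properly encoded" depends on where the value is written: HTML entity encoding is correct for element content and attribute values, while a message handed to a JavaScript function as a string literal needs JavaScript string escaping, and the wrong choice leaves the sink exploitable even though some encoding was applied.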
WSO2-CARBON-PATCH-4.4.0-0329 | 2.0.0 | Release Date - Aug 31, 2016

Prevents possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0355 | 2.0.0 | Release Date - Aug 31, 2016

Prevents possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0340 | 2.0.0 | Release Date - Aug 31, 2016

Prevents possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0331 | 2.0.0 | Release Date - Aug 31, 2016

Prevents possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.

Security Advisory Link
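The four XSW entries above describe the class of attack in which a signed assertion is moved elsewhere in the document and an unsigned one is put in the place the consumer reads from. The Python example below is added here and is not WSO2 code: it performs the structural checks a SAML consumer should make before cryptographic signature verification, on constructed Response fixtures whose SignatureValue is a placeholder (no cryptography is performed).

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def validate_assertion_binding(response_xml):
    """Structural checks that must pass before the XML signature is verified and
    the assertion's Subject is trusted. Returns (True, assertion_id) or (False, reason)."""
    root = ET.fromstring(response_xml)
    # 1. Exactly one Assertion, and it must be a direct child of Response, so the
    #    element we consume is the one at the expected location.
    direct = root.findall("saml:Assertion", NS)
    if len(direct) != 1:
        return False, "expected exactly one Assertion directly under Response, found %d" % len(direct)
    assertion = direct[0]
    # 2. No Assertion anywhere else (e.g. tucked into Extensions or a ds:Object):
    #    a wrapped second copy is the hallmark of XSW.
    everywhere = list(root.iter("{%s}Assertion" % NS["saml"]))
    if len(everywhere) != 1:
        return False, "found %d Assertion elements in the document" % len(everywhere)
    # 3. ID attributes must be unique, otherwise a Reference URI is ambiguous.
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    if len(ids) != len(set(ids)):
        return False, "duplicate ID attributes"
    # 4. The assertion must carry its own enveloped signature with one Reference
    #    that points at this assertion's ID, not at some other element.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return False, "Assertion is not signed"
    refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        return False, "expected exactly one Reference, found %d" % len(refs)
    uri = refs[0].get("URI", "")
    if uri != "#" + (assertion.get("ID") or ""):
        return False, "Signature Reference URI %r does not match consumed assertion ID %r" % (uri, assertion.get("ID"))
    # Cryptographic verification of SignatureValue over the referenced element
    # (omitted here) comes next; only then read Subject/Conditions from `assertion`.
    return True, assertion.get("ID")


# Constructed fixtures for this example (not real IdP output).
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# XSW: the signed assertion is parked under Extensions and a forged assertion
# (admin) takes its place, carrying the original Signature whose Reference
# still points at the hidden original, so the signature itself would verify.
WRAPPED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_evil">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

# A signature that covers the Response element rather than the assertion being consumed.
MISBOUND = GOOD.replace('URI="#_a1"', 'URI="#_r1"')

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("wrapped", WRAPPED), ("misbound", MISBOUND)):
        print(name, validate_assertion_binding(doc))
```

The defence has two halves: the signature must verify cryptographically, and the element the signature covers must be the same element the code then reads the Subject from. XSW exploits consumers that do the first but locate the assertion with a different lookup than the one the signature reference uses.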
WSO2-CARBON-PATCH-4.4.0-0235 | 2.0.0 | Release Date - Aug 12, 2016

Upgrade to Tomcat 7.0.69 to pick up Tomcat-level security fixes and to support security headers in HTTP responses.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0214 | 2.0.0 | Release Date - Aug 12, 2016

Prevents a possible server shutdown through a Cross-Site Request Forgery (CSRF) attack.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0203 | 2.0.0 | Release Date - Aug 12, 2016

Prevents a possible server shutdown through a Cross-Site Request Forgery (CSRF) attack.

Security Advisory Link
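Two entries above (patches 0214 and 0203) concern a CSRF-triggered shutdown. The following Python example is added here and is not WSO2 code: it shows the three checks a state-changing console action should make before acting. CONSOLE_ORIGIN, the csrfToken field name and handle_shutdown are assumed names used for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin of the management console (example value, not from the advisory).
CONSOLE_ORIGIN = "https://carbon.example.com:9443"


def new_csrf_token():
    """Per-session token; store it server-side and embed it in each state-changing form."""
    return secrets.token_urlsafe(32)


def is_legitimate_state_change(method, headers, form, session_token):
    """Gate for actions such as server shutdown. Returns (allowed, reason).
    Three independent conditions: a safe method cannot trigger the action, the
    request must come from the console's own origin, and the submitted token
    must match the one bound to the session (compared in constant time)."""
    if method.upper() not in ("POST", "PUT", "DELETE"):
        return False, "state-changing action requested with a safe method"
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "no Origin or Referer header"
    parts = urlsplit(source)
    if "%s://%s" % (parts.scheme, parts.netloc) != CONSOLE_ORIGIN:
        return False, "cross-origin request from %s" % source
    submitted = form.get("csrfToken", "")
    if not session_token or not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "CSRF token missing or mismatched"
    return True, "ok"


def handle_shutdown(method, headers, form, session_token):
    """Hypothetical handler: schedules the shutdown only when the gate passes."""
    allowed, reason = is_legitimate_state_change(method, headers, form, session_token)
    if not allowed:
        return "403 Forbidden: " + reason
    return "202 Accepted: shutdown scheduled"


if __name__ == "__main__":
    token = new_csrf_token()
    print(handle_shutdown("POST", {"Origin": CONSOLE_ORIGIN}, {"csrfToken": token}, token))
    print(handle_shutdown("GET", {"Origin": CONSOLE_ORIGIN}, {}, token))
    print(handle_shutdown("POST", {"Referer": "https://attacker.example/page.html"},
                          {"csrfToken": token}, token))
```

The method check matters on its own: an action reachable through GET can be triggered by nothing more than an image tag or a link on a page the administrator visits while logged in, which is exactly the shape of a CSRF-driven shutdown.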
WSO2-CARBON-PATCH-4.4.0-0243 | 2.0.0 | Release Date - Aug 12, 2016

Upgrade to Tomcat 7.0.69 to pick up Tomcat-level security fixes and to support security headers in HTTP responses.

Security Advisory Link