Security Patch Releases

Data Analytics Server


Security Patch | Product Version | Description
WSO2-CARBON-PATCH-4.4.0-0831 | 3.1.0 | Release Date - Sep 4, 2017

With the Apache Tomcat upgrade, the following Common Vulnerabilities and Exposures (CVE) entry is fixed: CVE-2017-5647 (Information Disclosure).

WSO2-CARBON-PATCH-4.4.0-1152 | 3.1.0 | Release Date - Sep 4, 2017

With the Apache Tomcat upgrade, the following Common Vulnerabilities and Exposures (CVE) entry is fixed: CVE-2017-5647 (Information Disclosure).

WSO2-CARBON-PATCH-4.4.0-1105 | 3.1.0 | Release Date - Sep 4, 2017

In the Carbon Tenant Management UI, an XSS attack can be performed when a user submits a malicious executable script as input through the Carbon Management Console. This issue has been fixed in the affected component versions with the security patch/update given for the specific products.

WSO2-CARBON-PATCH-4.4.0-1218 | 3.1.0 | Release Date - Sep 4, 2017

This addresses a potential XSS vulnerability identified in the Dashboard Portal login-controller when Single Sign On is enabled. Two parameters displayed in the resulting HTML page were not properly encoded before being displayed.

This addresses a potential XSS vulnerability identified in the Dashboard Portal login-controller when Single Sign On is enabled. HTTP headers in the request can be injected with malicious payloads because they are not properly encoded before being displayed in the web page.

WSO2-CARBON-PATCH-4.4.0-1184 | 3.1.0 | Release Date - Sep 4, 2017

A stored XSS attack could be performed in the Management Console by filling a form field with a harmful script that is later executed when a UI action based on that data is performed. This was possible because the utility JavaScript function used to display the pop-up messages for that UI action did not properly encode its input to prevent XSS.

WSO2-CARBON-PATCH-4.4.0-1195 | 3.1.0 | Release Date - Sep 4, 2017

A stored XSS attack could be performed in the Management Console by filling a form field with a harmful script that is later executed when a UI action based on that data is performed. This was possible because the utility JavaScript function used to display the pop-up messages for that UI action did not properly encode its input to prevent XSS.

WSO2-CARBON-PATCH-4.4.0-1310 | 3.1.0 | Release Date - Sep 4, 2017

A reflected XSS attack could be performed in the Registry Browser of the Management Console by sending an HTTP GET request with a harmful request parameter.

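The reflected XSS above, and the stored XSS entries for the pop-up message utility, share one root cause: a value under the attacker's control is written into the page without being encoded for the context it lands in. The Java program below is an added illustration and not code from WSO2 Carbon; the class and method names, the page fragment and the sample request parameter value are constructed for the example. It renders the same page fragment twice, once with the raw parameter and once with it entity-encoded.

```java
public class HtmlOutputEncoding {

    /** Replaces the characters that change meaning in an HTML text or quoted-attribute context. */
    static String encodeForHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable: the GET parameter is concatenated into the page exactly as received. */
    static String renderUnsafe(String resourcePath) {
        return "<input type=\"text\" name=\"path\" value=\"" + resourcePath + "\">"
             + "<p>Showing " + resourcePath + "</p>";
    }

    /** Fixed: the same page, with the value encoded for the two HTML contexts it is written into. */
    static String renderSafe(String resourcePath) {
        String enc = encodeForHtml(resourcePath);
        return "<input type=\"text\" name=\"path\" value=\"" + enc + "\">"
             + "<p>Showing " + enc + "</p>";
    }

    public static void main(String[] args) {
        // Constructed value of a request parameter (e.g. ?path=...) that closes the attribute
        // and injects a script element; it is an example payload, not one from the advisory.
        String payload = "/_system/config\"><script>alert(document.cookie)</script>";
        System.out.println("unsafe: " + renderUnsafe(payload));
        System.out.println("safe:   " + renderSafe(payload));
    }
}
```

The encoder above is only correct for HTML body text and double-quoted attribute values. A value placed inside a JavaScript string (the situation of the pop-up message utility) or inside a URL needs that context's encoding instead, which is why production code should use a maintained context-aware library such as the OWASP Java Encoder rather than a hand-written table.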
WSO2-CARBON-PATCH-4.4.0-1418 | 3.1.0 | Release Date - Sep 4, 2017

This vulnerability was discovered in the message dialog page of the Management Console. Exploiting it remotely is not possible, however, because the malicious script has to be injected into an input and that input has to be displayed back to the user in a message dialog box.

WSO2-CARBON-PATCH-4.4.0-1021 | 3.1.0 | Release Date - Apr 30, 2017

The Management Console is vulnerable to a potential authentication bypass vulnerability that lets attackers view a restricted web page.

WSO2-CARBON-PATCH-4.4.0-0913 | 3.1.0 | Release Date - Apr 30, 2017

The Management Console is vulnerable to a potential sensitive data exposure vulnerability through the advanced search option.

WSO2-CARBON-PATCH-4.4.0-0867 | 3.1.0 | Release Date - Apr 30, 2017

The tenant creation page of WSO2 products auto-completes the password field in the user's web browser when the password has been stored in the browser.

WSO2-CARBON-PATCH-4.4.0-0612 | 3.1.0 | Release Date - Jan 31, 2017

A vulnerability exists in the WSO2 Thrift data publisher client where the password used for authentication is exposed in the log in some situations.

WSO2-CARBON-PATCH-4.4.0-0662 | 3.1.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in Carbon Governance, Carbon Registry, Tenant management, Carbon Webapp Management components.

WSO2-CARBON-PATCH-4.4.0-0665 | 3.1.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in Carbon Governance, Carbon Registry, Tenant management, Carbon Webapp Management components.

WSO2-CARBON-PATCH-4.4.0-0581 | 3.1.0 | Release Date - Jan 31, 2017

Potential Arbitrary File Read (AFR) and Arbitrary Directory Read (ADR) vulnerabilities in the carbon-commons component.

WSO2-CARBON-PATCH-4.4.0-0628 | 3.1.0 | Release Date - Jan 31, 2017

Potential XML External Entity (XXE) vulnerability in the Carbon Try-it tool of the WSO2 Carbon Commons component.

WSO2-CARBON-PATCH-4.4.0-0769 | 3.1.0 | Release Date - Jan 31, 2017

Potential Stored XSS vulnerability in the WSO2 Server Roles Management UI component.

WSO2-CARBON-PATCH-4.4.0-0718 | 3.1.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in the WSO2 Carbon UI and Message Flows UI components.

WSO2-CARBON-PATCH-4.4.0-0630 | 3.1.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in the WSO2 Carbon New Data Sources UI component.

WSO2-CARBON-PATCH-4.4.0-0745 | 3.1.0 | Release Date - Jan 31, 2017

Potential Reflected XSS vulnerability in the Event Simulator, Event Tracer and Template Manager components.

WSO2-CARBON-PATCH-4.4.0-0538 | 3.1.0 | Release Date - Nov 8, 2016

When a user browses a page that contains sensitive data and then logs out of the Management Console, the user can still go back (using the browser's Back button) and view that page without logging in, because the page is served from the browser cache.

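The fix for the back-button exposure above is to tell the browser not to store the console pages at all, so that navigating back forces a new request that the server can redirect to the login page. The servlet filter below is an added example, not WSO2 code; it assumes the javax.servlet API of the Tomcat 7 that the Carbon 4.4.0 based products embed, and the class name and the mapping you give it in web.xml are the example's own.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Marks every response passing through it as non-cacheable. Map it in web.xml with a
 * <filter-mapping> whose <url-pattern> covers the console (for example /carbon/*).
 */
public class NoStoreFilter implements Filter {

    @Override
    public void init(FilterConfig config) {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // no-store is the directive that matters for the Back button: the page must not be
            // written to the cache at all. no-cache and must-revalidate cover shared caches and
            // older clients; Pragma and Expires cover HTTP/1.0 caches.
            http.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
            http.setHeader("Pragma", "no-cache");
            http.setDateHeader("Expires", 0);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Set the headers before the chain runs so that they are in place even if a downstream page commits the response early. To check a patched server, request a console page with curl -skI and confirm the Cache-Control and Pragma headers above are present on the response.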
WSO2-CARBON-PATCH-4.4.0-0329 | 3.0.1 | Release Date - Aug 31, 2016

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

WSO2-CARBON-PATCH-4.4.0-0348 | 3.0.1 | Release Date - Aug 31, 2016

Preventing possible XML Signature Wrapping (XSW) attacks in SAML 2.0 based Single Sign On (SSO) flow, SAML 2.0 bearer grant type for OAuth token exchange and in SAML 2.0 federated authentication flow.

WSO2-CARBON-PATCH-4.4.0-0240 | 3.0.1 | Release Date - Aug 12, 2016

Upgrade to Tomcat 7.0.69 to pick up Tomcat-level security fixes and to support security headers in the HTTP response.

WSO2-CARBON-PATCH-4.4.0-0235 | 3.0.1 | Release Date - Aug 12, 2016

Upgrade to Tomcat 7.0.69 to pick up Tomcat-level security fixes and to support security headers in the HTTP response.

WSO2-CARBON-PATCH-4.4.0-0214 | 3.0.1 | Release Date - Aug 12, 2016

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

WSO2-CARBON-PATCH-4.4.0-0203 | 3.0.1 / 3.0.0 | Release Date - Aug 12, 2016

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

WSO2-CARBON-PATCH-4.4.0-0176 | 3.0.0 / 3.0.1 | Release Date - May 9, 2016

A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The admin service accepts a file path relative to the Carbon log directory (i.e. <CARBON_HOME>/repository/logs) and does not restrict the resolved path to that directory, so any file on the file system can be accessed.
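The defect above is a path-confinement failure: the service resolves the caller's path against the log directory but never checks that the result is still inside it. The Java class below is an added example and not the LogViewer code; the class and method names and the temporary directory standing in for repository/logs are constructed for the illustration. It shows the unchecked resolution next to a version that rejects "../" escapes, absolute paths and symlinks that lead out of the directory.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class ConfinedLogPath {

    private final Path logDir;

    ConfinedLogPath(Path logDir) throws IOException {
        // Canonicalise the base once, so a symlinked base directory does not defeat the prefix checks below.
        this.logDir = logDir.toRealPath();
    }

    /** Vulnerable pattern: the caller's relative path is joined to the base and used as-is. */
    Path resolveUnchecked(String relative) {
        return logDir.resolve(relative).normalize();
    }

    /** Hardened pattern: normalise, check lexically, then check the real (symlink-resolved) path as well. */
    Path resolveChecked(String relative) throws IOException {
        if (relative == null || relative.isEmpty()) {
            throw new IllegalArgumentException("empty path");
        }
        Path candidate = logDir.resolve(relative).normalize();
        // Lexical check: rejects "../" escapes and absolute paths, even for files that do not exist.
        if (!candidate.startsWith(logDir)) {
            throw new SecurityException("path escapes log directory: " + relative);
        }
        // Real-path check: rejects a symlink inside the log directory that points outside it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(logDir)) {
            throw new SecurityException("symlink escapes log directory: " + relative);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for <CARBON_HOME>/repository/logs with one log file in it.
        Path base = Files.createTempDirectory("carbon-logs");
        Files.write(base.resolve("wso2carbon.log"),
                    "INFO  server started\n".getBytes(StandardCharsets.UTF_8));
        ConfinedLogPath logs = new ConfinedLogPath(base);

        // Constructed inputs: a legitimate file name, a traversal, and an absolute path.
        String[] inputs = { "wso2carbon.log", "../../../../etc/passwd", "/etc/passwd" };
        for (String in : inputs) {
            System.out.println("unchecked: " + in + " -> " + logs.resolveUnchecked(in));
            try {
                System.out.println("checked:   " + in + " -> " + logs.resolveChecked(in));
            } catch (SecurityException e) {
                System.out.println("checked:   " + in + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The lexical check alone is not enough: it passes a symlink that sits inside the log directory, which is why the second comparison is made on the real path. Both comparisons must be against a base that was itself canonicalised, otherwise a base reached through a symlink never matches its own real path and every request is rejected.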
WSO2-CARBON-PATCH-4.4.0-0044 | 3.0.1 | Release Date - Jan 15, 2016

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that the following criteria are met.

1. The tenant that owns the admin service has a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. In the user store of the tenant that owns the admin service, the user with the same username as the invoker (the attacker) has the permissions required for the admin service.
4. The attacker is a valid user in any tenant.
WSO2-CARBON-PATCH-4.4.0-0042 | 3.0.0 | Release Date - Jan 15, 2016

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that the following criteria are met.

1. The tenant that owns the admin service has a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. In the user store of the tenant that owns the admin service, the user with the same username as the invoker (the attacker) has the permissions required for the admin service.
4. The attacker is a valid user in any tenant.
WSO2-CARBON-PATCH-4.4.0-0016 | 3.1.0 / 3.0.0 | Release Date - Nov 25, 2015

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or merely contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More information on how to exploit the vulnerability in detail can be found here.