Security Patch Releases

Identity Server


Security Patch: WSO2-CARBON-PATCH-4.4.0-4778
Product Version: 5.8.0
Release Date: Oct 4, 2019
Description: Potential Cross-Site Scripting (XSS) vulnerabilities have been identified in the authentication endpoint web application in WSO2 products.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-4728
Product Version: 5.8.0
Release Date: Oct 4, 2019
Description: A vulnerability has been detected when mapping roles to scopes: IS allows a scope to be mapped to the roles of a specific tenant using users from any other tenant.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-4668
Product Version: 5.8.0
Release Date: Oct 4, 2019
Description: A verbose error message vulnerability has been identified in the management console.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-5116
Product Version: 5.8.0
Release Date: Oct 4, 2019
Description: A possible Cross-Site Scripting (XSS) vulnerability has been detected in the management console.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-4994
Product Version: 5.8.0
Release Date: Oct 4, 2019
Description: A possible Cross-Site Scripting (XSS) vulnerability has been detected in the management console.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-3537
Product Version: 5.7.0
Release Date: Jan 28, 2019
Description: A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-0991
Product Version: 5.3.0
Release Date: Sep 4, 2017
Description: In several versions of the WSO2 Workflow Engine Profile, an XSS vulnerability has been discovered which affects all versions above 5.0.7 of the Identity Workflow implementation. The older versions of WSO2 Identity Server which are not listed in this advisory are not vulnerable to this attack.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-1158
Product Version: 5.3.0
Release Date: Sep 4, 2017
Description: With the Apache Tomcat upgrade, the following Common Vulnerabilities and Exposures entry is fixed: CVE-2017-5647 (Information Disclosure).
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-1115
Product Version: 5.3.0
Release Date: Sep 4, 2017
Description: In the Carbon Tenant Management UI, the identified XSS attack can be performed when a user injects a malicious executable script as user input through the Carbon management console. This issue has been fixed in the affected component versions with the security patch/update given for specific products.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-1217
Product Version: 5.3.0
Release Date: Sep 4, 2017
Description: A Stored XSS attack could be performed in the Management Console by sending an HTTP POST request with a harmful script which gets stored in the database and is later executed when a UI action is performed based on that data. This was possible due to the lack of proper encoding for the fields displayed in the web page.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-1219
Product Version: 5.3.0
Release Date: Sep 4, 2017
Description: Submitting a new entitlement policy set is an administrative function performed through the management console. It should only be permitted with the HTTP POST method, as it is a state-changing operation and all such operations are CSRF protected by default. It has been found that the web page accepts GET requests as well, where the query parameters are not properly encoded when displayed.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-1304
Product Version: 5.3.0
Release Date: Sep 4, 2017
Description: A reflected XSS attack could be performed in the Registry Browser of the Management Console by sending an HTTP GET request with a harmful request parameter.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-1423
Product Version: 5.3.0
Release Date: Sep 4, 2017
Description: This vulnerability was discovered in the message dialog page of the Management Console. However, exploiting the vulnerability remotely is not possible, as the malicious script would have to be injected into an input and that input displayed back to the user in a message dialog box.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-0914
Product Version: 5.3.0
Release Date: Apr 30, 2017
Description: The Management Console is vulnerable to a potential sensitive data exposure vulnerability through the advanced search option.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-0906
Product Version: 5.3.0
Release Date: Apr 30, 2017
Description: The tenant creation page of WSO2 products auto-completes passwords in the user's web browser when a password is stored in the browser.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-1024
Product Version: 5.3.0
Release Date: Apr 30, 2017
Description: The Management Console is vulnerable to a potential authentication bypass vulnerability that lets attackers view a restricted web page.
Security Advisory Link

Security Patch: Update via WSO2 Update Manager
Product Version: 5.2.0
Release Date: Nov 8, 2016
Description: When a user browses a page containing sensitive data and then logs out from the management console, the user can still go back (using the browser's Back button) and view that page without logging in, due to browser caching.
Security Advisory Link

Security Patch: Update via WSO2 Update Manager
Product Version: 5.2.0
Release Date: Nov 8, 2016
Description: When a user browses a page containing sensitive data and then logs out from the management console, the user can still go back (using the browser's Back button) and view that page without logging in, due to browser caching.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-0329
Product Version: 5.1.0
Release Date: Aug 31, 2016
Description: Preventing possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-0355
Product Version: 5.1.0
Release Date: Aug 31, 2016
Description: Preventing possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-0331
Product Version: 5.1.0
Release Date: Aug 31, 2016
Description: Preventing possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, the SAML 2.0 bearer grant type for OAuth token exchange, and the SAML 2.0 federated authentication flow.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-0235
Product Version: 5.1.0
Release Date: Aug 12, 2016
Description: Upgrade to Tomcat 7.0.69 to incorporate Tomcat-level security fixes and security headers in HTTP responses.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-0214
Product Version: 5.1.0
Release Date: Aug 12, 2016
Description: Preventing a possible server shutdown through a Cross-Site Request Forgery (CSRF) attack.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-0203
Product Version: 5.1.0
Release Date: Aug 12, 2016
Description: Preventing a possible server shutdown through a Cross-Site Request Forgery (CSRF) attack.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.4.0-0241
Product Version: 5.1.0
Release Date: Aug 12, 2016
Description: Upgrade to Tomcat 7.0.69 to incorporate Tomcat-level security fixes and security headers in HTTP responses.
Security Advisory Link

Security Patch: WSO2-CARBON-PATCH-4.2.0-1826
Product Version: 4.5.0
Release Date: May 9, 2016
Description: A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), and hence can access any file in the file system.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1825
Product Version: 5.0.0 / 4.6.0
Release Date: May 9, 2016
Description: A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), and hence can access any file in the file system.

Security Patch: WSO2-CARBON-PATCH-4.4.0-0176
Product Version: 5.1.0
Release Date: May 9, 2016
Description: A user with the "/permission/admin/monitor/logging" permission can read any file in the filesystem via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), and hence can access any file in the file system.

Security Patch: WSO2-CARBON-PATCH-4.4.0-0092
Product Version: 5.1.0
Release Date: Mar 9, 2016
Description: Identity Server uses a cookie called commonAuthId to maintain the SSO session data of the current session. The session-data persistence feature enables this session data to be persisted in the Identity Server. When persistence is enabled, the persisted session should be correctly updated to the "DELETE" operation state upon logout. When a login request is received, Identity Server looks for the latest session and uses it if it is still active. The persisted session is not properly removed after logout, so the previous session can be used to log in to the application without providing credentials.

Security Patch: WSO2-CARBON-PATCH-4.4.0-0079
Product Version: 5.1.0
Release Date: Feb 22, 2016
Description: WSO2 Identity Server's Passive STS feature contains a Session Hijacking vulnerability, because the HTTP request parameter named "SessionDataKey", which is used to maintain request state, is not invalidated from the cache once it has been used.

Security Patch: WSO2-CARBON-PATCH-4.4.0-0073
Product Version: 5.1.0
Release Date: Feb 17, 2016
Description: When the Tenant List Dropdown feature is enabled in WSO2 Identity Server, an external party can modify the list of tenants displayed on the login page of the authentication endpoint web application.

Security Patch: WSO2-CARBON-PATCH-4.4.0-0047
Product Version: 5.1.0
Release Date: Jan 26, 2016
Description: The WSO2 Identity Server Dashboard exposes a session cookie value, and the relevant backend session is not invalidated properly upon logout. Furthermore, the Dashboard allows its users to access pages over HTTP rather than enforcing HTTPS, which could result in sensitive information leakage.

Security Patch: WSO2-CARBON-PATCH-4.4.0-0044
Product Version: 5.1.0
Release Date: Jan 15, 2016
Description: Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1699
Product Version: 5.0.0 / 4.6.0 / 4.5.0
Release Date: Jan 15, 2016
Description: Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, provided that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1261
Product Version: 5.0.0 / 4.6.0 / 4.5.0
Release Date: Dec 11, 2015
Description: WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1262
Product Version: 5.0.0 / 4.6.0
Release Date: Dec 11, 2015
Description: WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1193
Product Version: 4.5.0
Release Date: Dec 11, 2015
Description: WSO2 products based on Carbon 4.2.0, which use Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1235
Product Version: 5.0.0
Release Date: Dec 11, 2015
Description: WSO2 Identity Server versions 4.5.0 / 4.6.0 / 5.0.0 are vulnerable to an elevation of privilege attack. This vulnerability allows attackers to reset the password of another user in the system by executing certain operations in the UserIdentityManagementAdminService service. This can result in a user having only 'login' permission gaining privileged access to the system. The attack is only possible if the attacker has a valid WSO2 Identity Server account.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1268
Product Version: 4.5.0
Release Date: Dec 11, 2015
Description: WSO2 Identity Server versions 4.5.0 / 4.6.0 / 5.0.0 are vulnerable to an elevation of privilege attack. This vulnerability allows attackers to reset the password of another user in the system by executing certain operations in the UserIdentityManagementAdminService service. This can result in a user having only 'login' permission gaining privileged access to the system. The attack is only possible if the attacker has a valid WSO2 Identity Server account.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1270
Product Version: 4.6.0
Release Date: Dec 11, 2015
Description: WSO2 Identity Server versions 4.5.0 / 4.6.0 / 5.0.0 are vulnerable to an elevation of privilege attack. This vulnerability allows attackers to reset the password of another user in the system by executing certain operations in the UserIdentityManagementAdminService service. This can result in a user having only 'login' permission gaining privileged access to the system. The attack is only possible if the attacker has a valid WSO2 Identity Server account.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1636
Product Version: 5.0.0 / 4.6.0 / 4.5.0
Release Date: Nov 5, 2015
Description: The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC or contain ACC in their classpath may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More detailed information on the vulnerability can be found here.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1464
Product Version: 5.0.0 / 4.6.0 / 4.5.0
Release Date: Sep 11, 2015
Description: WSO2 products based on Kernel version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. These vulnerabilities allow attackers to bypass access controls such as the same-origin policy, and to exploit a website maliciously by transmitting unauthorized commands from a user that the website trusts.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1095
Product Version: 5.0.0 / 4.6.0 / 4.5.0
Release Date: Jun 3, 2015
Description: In light of the known vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Among a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm, which is used to encrypt symmetric keys as part of WS-Security, one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability had been fixed by generating a new symmetric key, so that an attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed as described in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1194
Product Version: 5.0.0
Release Date: May 13, 2015
Description: XML External Entity (XXE) attack. The XXE attack targets the federated SAML2 SSO authentication flow and can be carried out by modifying the SAMLRequest or SAMLResponse parameters. This attack may lead to disclosure of confidential data, denial of service, port scanning from the machine where the parser is located, and other system impacts.

Security Patch: WSO2-CARBON-PATCH-4.2.0-1256
Product Version: 5.0.0
Release Date: May 13, 2015
Description: The XSS attack enables attackers to inject client-side scripts into web pages viewed by other users. This attack may lead to attackers bypassing access controls such as the same-origin policy. The CSRF attack forces an end user to execute unwanted actions on a web application in which they are currently authenticated. This attack may lead to malicious exploitation of a website, where unauthorized commands are transmitted from a user that the website trusts.