Security Patch Releases

Message Broker


Security Patch | Product Version | Description

WSO2-CARBON-PATCH-4.4.0-1659 | 3.2.0 | Release Date - Dec 19, 2017

With the Apache Tomcat upgrade, the following Common Vulnerabilities and Exposures (CVE) entry is fixed: CVE-2017-12616 (Information Disclosure).

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-1408 | 3.2.0 | Release Date - Sep 4, 2017

This vulnerability was discovered in the message dialog page of the Management Console. However, exploiting it remotely is not possible, because the malicious script would have to be injected into an input and that input then displayed back to the user in a message dialog box.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0658 | 3.1.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in Carbon Governance, Carbon Registry, Tenant management, Carbon Webapp Management components.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0669 | 3.1.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in Carbon Governance, Carbon Registry, Tenant management, Carbon Webapp Management components.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0648 | 3.1.0 | Release Date - Jan 31, 2017

Potential Arbitrary File Read (AFR) and Arbitrary Directory Read (ADR) vulnerabilities in the carbon-commons component

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0600 | 3.1.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in the Carbon WSDL tool

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0617 | 3.1.0 | Release Date - Jan 31, 2017

Potential XML External Entity (XXE) vulnerability in the WSDL tool of the WSO2 Carbon Commons component

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0632 | 3.1.0 | Release Date - Jan 31, 2017

Potential XML External Entity (XXE) vulnerability in the Carbon Try-it tool of the WSO2 Carbon Commons component

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0757 | 3.1.0 | Release Date - Jan 31, 2017

Potential Stored XSS vulnerability in WSO2 Server Roles Management UI component

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0723 | 3.1.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in WSO2 Carbon UI and Message Flows UI components

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0736 | 3.1.0 | Release Date - Jan 31, 2017

Potential XSS vulnerability in WSO2 Carbon UI and Message Flows UI components

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0766 | 3.1.0 | Release Date - Jan 31, 2017

Potential reflected XSS vulnerability in the Message Broker event UI

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0463 | 3.1.0 | Release Date - Nov 8, 2016

According to http://www.securityfocus.com/bid/58536/info, H2 database versions prior to 1.3.171 are vulnerable to a Remote Security Bypass Vulnerability.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0514 | 3.1.0 | Release Date - Nov 8, 2016

Apache Axis2 1.6.2 uses commons-httpclient-3.1.0, and host name verification should be enabled in commons-httpclient.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0546 | 3.1.0 | Release Date - Nov 8, 2016

An attacker with access to the WSO2 Management Console can input a malicious XXE script in the Try-it tool UI menu, or can attack directly with XML input, and disclose any file located on the file system. The reflected and stored XSS vulnerabilities allow deployment of malicious code in the application by providing a specifically crafted URL to a user.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0533 | 3.1.0 | Release Date - Nov 8, 2016

When a user browses a page that contains sensitive data and then logs out of the management console, the user can still go back (using the browser's Back button) and view that page without logging in, because of the browser cache.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0556 | 3.1.0 | Release Date - Nov 8, 2016

The following pages in the management console were found to be vulnerable to open redirect attacks, in the products mentioned here.

1. XACML Policy Administration
2. Identity Provider Management
3. Workflow Management
4. User Management

An attacker can possibly attack the above UI components by modifying query parameters that contain a URL value in the management console context. They can modify the respective query parameter value such that the management console will redirect the request to the specified URL.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0445 | 3.1.0 | Release Date - Oct 31, 2016

When a new username and password are entered in a form and the form is submitted, the browser asks whether the password should be saved. Thereafter, when the form is displayed, the username and password are filled in automatically or are completed as the username is entered.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0431 | 3.1.0 | Release Date - Oct 31, 2016

Testing the connection from the WSO2 server's management console while adding a secondary JDBC user store initiates an HTTP GET request that includes the connection credentials in URL query parameters. The database connection credentials are therefore exposed and also get written to HTTP access logs.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0370 | 3.1.0 | Release Date - Sep 30, 2016

The Carbon Metrics component of WSO2 products was found to be vulnerable to XSS attacks. An attacker can possibly attack the management console via that component using reflected XSS, by injecting malicious scripts as part of the URL, which are then reflected in that component's pages.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0386 | 3.1.0 | Release Date - Sep 30, 2016

XSS vulnerabilities were discovered in the Message Flows component. An attacker can possibly attack the management console via that component using reflected XSS, by injecting malicious scripts as part of the URL, which are then reflected in that component's pages.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0353 | 3.1.0 | Release Date - Aug 31, 2016

Preventing possible XML Signature Wrapping (XSW) attacks in the SAML 2.0 based Single Sign-On (SSO) flow, in the SAML 2.0 bearer grant type for OAuth token exchange, and in the SAML 2.0 federated authentication flow.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0235 | 3.1.0 | Release Date - Aug 12, 2016

Upgrade to Tomcat 7.0.69 to support Tomcat-level security fixes and security headers in the HTTP response.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0214 | 3.1.0 | Release Date - Aug 12, 2016

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link
WSO2-CARBON-PATCH-4.4.0-0203 | 3.1.0 | Release Date - Aug 12, 2016

Preventing a possible server shutdown through a Cross Site Request Forgery (CSRF) attack.

Security Advisory Link
WSO2-CARBON-PATCH-4.2.0-1825 | 2.2.0 | Release Date - May 9, 2016

A user with the "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), and hence can access any file in the file system.
WSO2-CARBON-PATCH-4.4.0-0176 | 3.0.0 / 3.1.0 | Release Date - May 9, 2016

A user with the "/permission/admin/monitor/logging" permission can read any file in the file system via the getLineNumbers and getLogLinesFromFile operations of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repositories/logs), and hence can access any file in the file system.
WSO2-CARBON-PATCH-4.4.0-0044 | All the Message Broker versions released on the Carbon Kernel 4.4.3 | Release Date - Jan 15, 2016

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.
WSO2-CARBON-PATCH-4.0.0-0667 | All the Message Broker versions released on the Carbon Kernel 4.0.2 | Release Date - Jan 15, 2016

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.
WSO2-CARBON-PATCH-4.4.0-0042 | All the Message Broker versions released on the Carbon Kernel 4.4.2 | Release Date - Jan 15, 2016

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.
WSO2-CARBON-PATCH-4.4.0-0043 | All the Message Broker versions released on the Carbon Kernel 4.4.1 | Release Date - Jan 15, 2016

Due to a vulnerability discovered in the WSO2 authentication module, server admin services can be invoked cross-tenant, given that the following criteria are met.

1. The tenant corresponding to the admin service must have a user with the same username as the invoker (the attacker).
2. The invoker and the admin service belong to two different tenants.
3. The tenant corresponding to the admin service must have granted the right level of permissions to the user in its user store with the same username as the invoker (attacker).
4. The attacker must be a valid user in any tenant.
WSO2-CARBON-PATCH-4.2.0-1261 | 2.2.0 | Release Date - Dec 11, 2015

WSO2 products based on Carbon 4.2.0, using Tomcat version 7.0.34, are vulnerable to a security threat identified as Request Smuggling. According to the Tomcat Security Team, this vulnerability allows attackers to craft a malformed chunk as part of a chunked request, causing Tomcat to read part of the request body as a new request.
WSO2-CARBON-PATCH-4.1.0-0324 | All the Message Broker versions released on the Carbon Kernel 4.1.0 | Release Date - Nov 25, 2015

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More information on how to exploit the vulnerability in detail can be found here.
WSO2-CARBON-PATCH-4.0.0-0661 | All the Message Broker versions released on the Carbon Kernel 4.4.0 | Release Date - Nov 25, 2015

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More information on how to exploit the vulnerability in detail can be found here.
WSO2-CARBON-PATCH-4.4.0-0016 | All the Message Broker versions released on the Carbon Kernel 4.4.3 | Release Date - Nov 25, 2015

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More information on how to exploit the vulnerability in detail can be found here.
WSO2-CARBON-PATCH-4.2.0-1636 | All the Message Broker versions released on the Carbon Kernel 4.2.0 | Release Date - Nov 5, 2015

The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution. All WSO2 products ship with the Apache Commons Collections library. More information on how to exploit the vulnerability in detail can be found here.
WSO2-CARBON-PATCH-4.2.0-1464 | 2.2.0 | Release Date - Sep 11, 2015

WSO2 products based on Kernel Version 4.1.0 are vulnerable to XSS and CSRF attacks. XSS enables attackers to inject client-side script into web pages viewed by other users, while CSRF forces an end user to execute unwanted actions on a web application to which they are currently authenticated. This vulnerability allows attackers to bypass access controls such as the same-origin policy, and to maliciously exploit a website by transmitting unauthorized commands from a user that the website trusts.
WSO2-CARBON-PATCH-4.2.0-1095 | 2.2.0 | Release Date - Jun 3, 2015

In light of the prevailing vulnerability of Apache WSS4J to Bleichenbacher attacks, we have identified a vulnerability in WSO2 Carbon 4.2.0 products that use WS-Security features from the Apache WSS4J library. Of a number of attacks on the PKCS#1 v1.5 Key Transport Algorithm (used to encrypt symmetric keys as part of WS-Security), one attack exploits the ability of WSS4J to leak information on where particular decryption operations fail. This vulnerability had been fixed by generating a new symmetric key, so that the attacker would not be able to find out whether the failure was due to decrypting the key or the data. However, it is still possible for attackers to craft a message in order to find out where the decryption failure took place, again leaving WSS4J vulnerable to the original attack. In Apache WSS4J, this is fixed in http://ws.apache.org/wss4j/advisories/CVE-2015-0226.txt.asc, and this fix has been merged into the WSS4J library used in WSO2 Carbon 4.2.0 products.