Published: 12th August 2016
Upgrade the embedded Apache Tomcat version to 7.0.69 to support Tomcat level security fixes and Security Headers in HTTP Responses.
With the Apache Tomcat upgrade, following Common Vulnerability Exposures are fixed.
CVE-2015-5174 : Limited directory traversal
CVE-2015-5345 : Directory disclosure
CVE-2015-5346 : Session Fixation
CVE-2015-5351 : CSRF token leak
CVE-2016-0706 : Security Manager bypass
CVE-2016-0714 : Security Manager bypass
CVE-2016-0763 : Security Manager bypass
Supportability for following security headers in HTTP responses are also added with the upgrade.
The WSO2 servers are exposed to known vulnerabilities of Apache Tomcat versions prior to 7.0.69.
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/.
For some of the products, there may be two patches (kernel patch and platform patch) that need to be applied. In such situations refrain from restarting the server for each patch, rather apply both the patches and then restart the server.
If you have any questions, post them to [email protected].
|AS||WSO2 Application Server||5.3.0|
|BPS||WSO2 Business Process Server||3.5.1|
|BRS||WSO2 Business Rules Server||2.2.0|
|CEP||WSO2 Complex Event Processor||4.1.0|
|DAS||WSO2 Data Analytics Server||3.0.1|
|DS||WSO2 Dashboard Server||2.0.0|
|DSS||WSO2 Data Services Server||3.5.0|
|EMM||WSO2 Enterprise Mobility Manager||2.0.1|
|ES||WSO2 Enterprise Store||2.0.0|
|ESB||WSO2 Enterprise Service Bus||4.9.0||WSO2-CARBON-PATCH-4.4.0-0237|
|GREG||WSO2 Governance Registry||5.2.0|
|IS||WSO2 Identity Server||5.1.0|
|MB||WSO2 Message Broker||3.1.0||WSO2-CARBON-PATCH-4.4.0-0235|
|ML||WSO2 Machine Learner||1.1.0|
If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.