||
Skip to end of metadata
Go to start of metadata

Published: 31st August 2016


OVERVIEW

A possible session fixation vulnerability exists in WSO2 products that use SAML SSO Carbon Authenticator.


DESCRIPTION

SAML SSO Carbon Authenticator does not renew the session ID upon user login, resulting in possibility to perform a Session Fixation attack.


IMPACT

Malicious user could exploit the Session Fixation vulnerability by fixing a session ID, or gaining access to unauthenticated initial session ID and later use the same to perform session hijacking attack.


SOLUTION

After applying below patches, SAML SSO Carbon Authenticator renews the session ID upon user successful login.
Apply the following patches based on your products by following the instructions in the README file.
if you have any questions, post them to [email protected].

Please download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from http://wso2.com/security-patch-releases/.


Code

Product

Version

Patch

AS

WSO2 Application Server

5.3.0

WSO2-CARBON-PATCH-4.4.0-0246

BPS

WSO2 Business Process Server

3.5.1

WSO2-CARBON-PATCH-4.4.0-0249

BRS

WSO2 Business Rules Server

2.2.0

WSO2-CARBON-PATCH-4.4.0-0247

CEP

WSO2 Complex Event Processor

4.1.0

WSO2-CARBON-PATCH-4.4.0-0247

DS

WSO2 Dashboard Server

2.0.0

WSO2-CARBON-PATCH-4.4.0-0247

DAS

WSO2 Data Analytics Server

3.0.1

WSO2-CARBON-PATCH-4.4.0-0247

DSS

WSO2 Data Services Server

3.5.0

WSO2-CARBON-PATCH-4.4.0-0245

EMM

WSO2 Enterprise Mobility Manager

2.0.1

WSO2-CARBON-PATCH-4.4.0-0247

IS

WSO2 Identity Server

5.1.0

WSO2-CARBON-PATCH-4.4.0-0247

ML

WSO2 Machine Learner

1.1.0

WSO2-CARBON-PATCH-4.4.0-0245

MB

WSO2 Message Broker

3.1.0

WSO2-CARBON-PATCH-4.4.0-0245


NOTES

If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.

  • No labels