||
Skip to end of metadata
Go to start of metadata

Published: 12th August 2016


OVERVIEW

WSO2 Identity Server 5.1.0 is vulnerable to XML External Entity (XXE) attack in the XACML flow.


DESCRIPTION

WSO2 Identity Server is vulnerable to XXE attack which is a type of attack against an application that parses XML input. When Identity Server used with its XACML feature, it parses XACML requests and XACML policies which contain XML entries according to the XACML specification. This attack occurs when a XACML request or a policy containing a reference to an external entity is processed by a weakly configured XML parser.

In order to change the XACML policies, an attacker should be a privileged person and have access to XACML features in the Identity Server’s management console or “EntitlementPolicyAdminService” admin service. Similarly, in order to send a malicious XACML request, an attacker should be a privileged user having access to XACML features in the Identity Server’s management console or “EntitlementService” admin service.


IMPACT

XXE attacks can affect any trusted system respective to the machine where the parser is located. This attack can include disclosing local files, denial of service and server-side request forgery, port scanning and other system impacts on affected systems.


SOLUTION

Apply the following patches corresponding to the Identity Server version, and follow the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/.

If you have any questions, post them to security@wso2.com. 


CodeProductVersionPatch
ISWSO2 Identity Server5.1.0WSO2-CARBON-PATCH-4.4.0-0231


NOTES

If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.


CREDITS

WSO2 thanks, John Page aka hyp3rlinx for responsibly reporting the identified issues and working with us as we addressed them.

  • No labels