Published: 12th August 2016
WSO2 Identity Server 5.1.0 is vulnerable to XML External Entity (XXE) attack in the XACML flow.
WSO2 Identity Server is vulnerable to XXE attack which is a type of attack against an application that parses XML input. When Identity Server used with its XACML feature, it parses XACML requests and XACML policies which contain XML entries according to the XACML specification. This attack occurs when a XACML request or a policy containing a reference to an external entity is processed by a weakly configured XML parser.
In order to change the XACML policies, an attacker should be a privileged person and have access to XACML features in the Identity Server’s management console or “EntitlementPolicyAdminService” admin service. Similarly, in order to send a malicious XACML request, an attacker should be a privileged user having access to XACML features in the Identity Server’s management console or “EntitlementService” admin service.
XXE attacks can affect any trusted system respective to the machine where the parser is located. This attack can include disclosing local files, denial of service and server-side request forgery, port scanning and other system impacts on affected systems.
Apply the following patches corresponding to the Identity Server version, and follow the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/.
If you have any questions, post them to firstname.lastname@example.org.
|IS||WSO2 Identity Server||5.1.0||WSO2-CARBON-PATCH-4.4.0-0231|
If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.
WSO2 thanks, John Page aka hyp3rlinx for responsibly reporting the identified issues and working with us as we addressed them.