||
Skip to end of metadata
Go to start of metadata

Published: 12th August 2016


OVERVIEW

WSO2 products are vulnerable to Local File Inclusion (LFI) issue via LogViewer Admin Service.


DESCRIPTION 

An authenticated user can download configuration files in the filesystem via downloadArchivedLogFiles operation in LogViewer admin service. The request to the admin service accepts a file path relative to the carbon log file directory (i.e. <WSO2_PRODUCT_HOME>/repository/logs), hence can access any file in the file system.


IMPACT

An authorized user with admin privileges can download any file in the file system through LogViewer admin service.


SOLUTION

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/.

If you have any questions, post them to security@wso2.com.


Code

Product

Version

Patch

AS

WSO2 Application Server

5.3.0

WSO2-CARBON-PATCH-4.4.0-0202

BPS

WSO2 Business Process Server

3.5.1

WSO2-CARBON-PATCH-4.4.0-0204

BRS

WSO2 Business Rules Server

2.2.0

WSO2-CARBON-PATCH-4.4.0-0203

CEP

WSO2 Complex Event Processor

4.1.0

WSO2-CARBON-PATCH-4.4.0-0203

DAS

WSO2 Data Analytics Server

3.0.1

WSO2-CARBON-PATCH-4.4.0-0203

DS

WSO2 Dashboard Server

2.0.0

WSO2-CARBON-PATCH-4.4.0-0203

DSS

WSO2 Data Services Server

3.5.0

WSO2-CARBON-PATCH-4.4.0-0203

EMM

WSO2 Enterprise Mobility Manager

2.0.1

WSO2-CARBON-PATCH-4.4.0-0203

ES

WSO2 Enterprise Store

2.0.0

WSO2-CARBON-PATCH-4.4.0-0201

ESB

WSO2 Enterprise Service Bus

4.9.0

WSO2-CARBON-PATCH-4.4.0-0202

GREG

WSO2 Governance Registry

5.2.0

WSO2-CARBON-PATCH-4.4.0-0204

IS

WSO2 Identity Server

5.1.0

WSO2-CARBON-PATCH-4.4.0-0203

MB

WSO2 Message Broker

3.1.0

WSO2-CARBON-PATCH-4.4.0-0203

ML

WSO2 Machine Learner

1.1.0

WSO2-CARBON-PATCH-4.4.0-0202 


NOTES

If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.


CREDITS

WSO2 thanks, John Page aka hyp3rlinx for responsibly reporting the identified issues and working with us as we addressed them.

 


  • No labels