||
Skip to end of metadata
Go to start of metadata

Published: 12th August 2016

OVERVIEW

WSO2 products are vulnerable to possible server shutdown through a Cross Site Request Forgery (CSRF) attack.


DESCRIPTION

The attack involves tricking a privileged user to initiate a request to shutdown WSO2 Servers.

 

SOLUTION

The CSRF Valve improved to differentiate between the malicious requests from the legitimate requests by validating the referer header of the incoming request.

Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/.

If you have any questions, post them to security@wso2.com. 


Code

Product

Version

Patch

AS

WSO2 Application Server

5.3.0

WSO2-CARBON-PATCH-4.4.0-0218

BPS

WSO2 Business Process Server

3.5.1

WSO2-CARBON-PATCH-4.4.0-0215

BRS

WSO2 Business Rules Server

2.2.0

WSO2-CARBON-PATCH-4.4.0-0214

CEP

WSO2 Complex Event Processor

4.1.0

WSO2-CARBON-PATCH-4.4.0-0214

DAS

WSO2 Data Analytics Server

3.0.1

WSO2-CARBON-PATCH-4.4.0-0214

DS

WSO2 Dashboard Server

2.0.0

WSO2-CARBON-PATCH-4.4.0-0214

DSS

WSO2 Data Services Server

3.5.0

WSO2-CARBON-PATCH-4.4.0-0213

EMM

WSO2 Enterprise Mobility Manager

2.0.1

WSO2-CARBON-PATCH-4.4.0-0214

ES

WSO2 Enterprise Store

2.0.0

WSO2-CARBON-PATCH-4.4.0-0218

ESB

WSO2 Enterprise Service Bus

4.9.0

WSO2-CARBON-PATCH-4.4.0-0218

IS

WSO2 Identity Server

5.1.0

WSO2-CARBON-PATCH-4.4.0-0214

MB

WSO2 Message Broker

3.1.0

WSO2-CARBON-PATCH-4.4.0-0214

ML

WSO2 Machine Learner

1.1.0

WSO2-CARBON-PATCH-4.4.0-0214



NOTES

If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed. 


CREDITS

WSO2 thanks, John Page aka hyp3rlinx for responsibly reporting the identified issues and working with us as we addressed them.


  • No labels