Published: 12th August 2016
WSO2 products are vulnerable to possible server shutdown through a Cross Site Request Forgery (CSRF) attack.
The attack involves tricking a privileged user to initiate a request to shutdown WSO2 Servers.
The CSRF Valve improved to differentiate between the malicious requests from the legitimate requests by validating the referer header of the incoming request.
Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from http://wso2.com/security-patch-releases/.
If you have any questions, post them to email@example.com.
WSO2 Application Server
WSO2 Business Process Server
WSO2 Business Rules Server
WSO2 Complex Event Processor
WSO2 Data Analytics Server
WSO2 Dashboard Server
WSO2 Data Services Server
WSO2 Enterprise Mobility Manager
WSO2 Enterprise Store
WSO2 Enterprise Service Bus
WSO2 Identity Server
WSO2 Message Broker
WSO2 Machine Learner
If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.
WSO2 thanks, John Page aka hyp3rlinx for responsibly reporting the identified issues and working with us as we addressed them.