||
Skip to end of metadata
Go to start of metadata

Published: 8th November 2016


AFFECTED PRODUCTS


WSO2 Application Server 5.3.0
WSO2 Business Rules Server 2.2.0
WSO2 Dashboard Server 2.0.0
WSO2 Enterprise Mobility Manager 2.0.1
WSO2 Message Broker 3.1.0


OVERVIEW


Apache Axis2 1.6.2 and earlier versions do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or Subject Alternative Name (subjectAltName) field of the X.509 certificate.


DESCRIPTION

Apache Axis2 1.6.2 uses commons-httpclient-3.1.0 and host name verification should be enabled in the commons-httpclient.


IMPACT

This allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.


SOLUTION

Apply the following patches based on your product version by following the instructions in the README file. If you have any questions, post them to security@wso2.com.

Please download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from http://wso2.com/security-patch-releases/.


CODE

Product

Version

Patch

AS

WSO2 Application Server

5.3.0

WSO2-CARBON-PATCH-4.4.0-0514

BRS

WSO2 Business Rules Server

2.2.0

WSO2-CARBON-PATCH-4.4.0-0514

DS

WSO2 Dashboard Server

2.0.0

WSO2-CARBON-PATCH-4.4.0-0514

EMM

WSO2 Enterprise Mobility Manager

2.0.1

WSO2-CARBON-PATCH-4.4.0-0514

MB

WSO2 Message Broker

3.1.0

WSO2-CARBON-PATCH-4.4.0-0514


NOTES


If you are using newer versions of the products than the ones mentioned in the “SOLUTION” section, this vulnerability is fixed.


  • No labels