Friday, May 15, 2015

Two Security Patches Issued Publicly for WSO2 Identity Server 5.0.0

Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab contacted the WSO2 security team on 19th March and reported the following three vulnerabilities in WSO2 Identity Server 5.0.0.

1) Reflected cross-site scripting (XSS, IDENTITY-3280)

Some components of the WSO2 Identity Server are vulnerable to reflected cross-site scripting. The effect of this attack is minimal because WSO2 Identity Server does not expose cookies to JavaScript.

2) Cross-site request forgery (CSRF, IDENTITY-3280)

On at least one web page, CSRF protection has not been implemented. An attacker on the internet could lure a victim who is logged in to the Identity Server administration web interface to a web page containing, for example, a manipulated tag. The attacker is then able to add arbitrary users to the Identity Server.

3) XML external entity injection (XXE, IDENTITY-3192)

An unauthenticated attacker can use the SAML authentication interface to inject arbitrary external XML entities. This allows an attacker to read arbitrary local files. Moreover, since the XML entity resolver allows remote URLs, this vulnerability may allow an attacker to bypass firewall rules and conduct further attacks on internal hosts. This vulnerability had already been found before it was reported by Wolfgang Ettlinger, and all our customers were patched, but the corresponding patch was not issued publicly. Also, this attack is not as harmful as it sounds, since in all our production deployments WSO2 Identity Server is run as a less privileged process, which cannot be used to exploit or gain access to read arbitrary local files.
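The usual fix for this class of XXE, shown here as an added illustration rather than WSO2's own patch code: a JAXP DocumentBuilderFactory configured to refuse DTDs entirely, exercised against a constructed SAML-style message that declares an external entity and against a clean one. Both messages and the placeholder SYSTEM URI are made up for this example; the feature URIs are the standard Xerces/JAXP ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class SamlXxeHardening {

    // Constructed sample: a SAML-Response-shaped document carrying a DOCTYPE that declares
    // an external entity. The SYSTEM URI is a placeholder; nothing here is a real WSO2 message.
    static final String WITH_DTD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE Response [ <!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\"> ]>\n"
        + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
        + "<samlp:Status>&ext;</samlp:Status></samlp:Response>";

    // Constructed sample: the same message without any DTD, as a legitimate peer would send it.
    static final String CLEAN =
          "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
        + "<samlp:Status>OK</samlp:Status></samlp:Response>";

    // A DTD is the only place an external entity can be declared, so refusing DOCTYPE
    // outright closes both the local-file read and the remote-URL (firewall bypass) case.
    // The remaining features are defence in depth for parsers that ignore the first one.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the root element name on success, or null when the parser rejected the input.
    static String parseRoot(DocumentBuilderFactory f, String xml) {
        try {
            return f.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                    .getDocumentElement().getTagName();
        } catch (Exception e) { // SAXParseException raised by the hardened parser on DOCTYPE
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = hardenedFactory();
        // The DTD-bearing message is rejected before any entity is resolved; the clean one parses.
        System.out.println("with DTD -> " + parseRoot(f, WITH_DTD));
        System.out.println("clean    -> " + parseRoot(f, CLEAN));
    }
}
```

The same feature settings apply to SAXParserFactory and XMLInputFactory; every XML entry point that accepts untrusted input (the SAML endpoint included) needs the same treatment, not only one parser instance.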

The WSO2 security team treats every vulnerability reported to it as top priority; we contacted the reporter immediately and started working on the fix. The fixes for the reported components were done immediately, but we wanted to make sure we built a generic solution in which all possible XSS and CSRF attacks are mitigated centrally.

Once that solution was implemented as a patch to Identity Server 5.0.0, we tested the complete product using OWASP Zed Attack Proxy and CSRFTester. After testing almost all the Identity Server functionality with the patch, we released it to all our customers two weeks prior to the public disclosure date. The patch for XXE was released a few months back. Also, I would like to confirm that none of the WSO2 customers were exploited or attacked using any of these vulnerabilities.

On 13th May, in parallel with the public disclosure, we released both security patches publicly. You can download the following patches:
  • WSO2-CARBON-PATCH-4.2.0-1194
  • WSO2-CARBON-PATCH-4.2.0-1095

WSO2 thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab for responsibly reporting the identified issues and working with us as we addressed them. At the same time, we are disappointed with the exaggerated article published on Threatpost. The article was not brought to the attention of the WSO2 security team before it was published, although the WSO2 security team had responded to the reporter's query immediately over email. Anyway, we are fully aware that such reports are unavoidable and not under our control.

The WSO2 security team is dedicated to protecting all its customers and the larger community around WSO2 from all sorts of security vulnerabilities. We appreciate your collaboration; please report any security issues you discover related to WSO2 products to 

