TIBCO

TIBCO Hawk Security Advisory FAQ

Why is this advisory being issued?

A security vulnerability has been discovered in TIBCO Hawk® version 4.6.0 and earlier.

Which customers are affected?

The vulnerability potentially affects any customer running Hawk® below version 4.6.1, or TIBCO Runtime Agent™ versions below 5.4.

What TIBCO Hawk components are affected?

TIBCO Hawk Microagent (TIBHAWKHMA) is the component affected.

What is the effect of the vulnerability?

The vulnerability could allow an attacker to execute arbitrary code with system privileges on an affected system.  For details, please see the Hawk Security Advisory.

How should customers handle this issue?

Affected customers with current maintenance agreements should upgrade to the latest version of Hawk (v4.6.1 or later), available from your TIBCO download site.

Do I need to upgrade all the TIBCO Hawk components?

TIBCO strongly recommends that all Hawk components be replaced.

What if I cannot upgrade TIBCO Hawk at this time?

If you are not able to upgrade Hawk at this time, steps can be taken to mitigate the vulnerability.  For details on these steps, please see the Hawk Security Advisory.

What other products are affected?

Both Hawk and Runtime Agent™ bundle TIBHAWKHMA as part of the install. No other products are affected.

I have both Hawk and Runtime Agent installed. Does this mean that I have to upgrade both Runtime Agent and Hawk?

No, you need to upgrade either Runtime Agent or Hawk. TIBHAWKHMA will be upgraded in either case.

If you update Runtime Agent (version 5.4 or later) and you have Hawk installed, you will have updated Hawk to version 4.6.1 (or later).

If you have Runtime Agent installed and do not have Hawk installed, you could install Hawk (version 4.6.1 or later) into the TIBCO environment and TIBHAWKHMA will be updated at that time.

If you have Hawk installed and do not have Runtime Agent installed, you could install Runtime Agent into the TIBCO environment and TIBHAWKHMA will be updated at that time.

What if I do not have a current maintenance contract?

The vulnerability can be mitigated without a software upgrade by taking the remedial steps detailed in the Hawk Security Advisory.

How will customers who receive TIBCO software via OEM partners be affected?

Customers of OEM partners can receive new versions of TIBCO products from their OEM partner. Please contact your OEM partner to upgrade.

What is TIBCO doing to prevent future security issues?

TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.

Where can I get more information?

If you have a current maintenance contract with TIBCO, you can log a service request with TIBCO Global Support and then call your support telephone number.

###

The information on this page is being provided to you on an "AS IS" and "AS-AVAILABLE" basis. The issues described on this page may or may not impact your system(s). TIBCO makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT TIBCO SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. The information on this page is being provided to you under the terms of your license and/or services agreement with TIBCO, and may be used only for the purposes contemplated by the agreement. If you do not have such an agreement with TIBCO, this information is provided under the TIBCO.com Terms of Use, and may be used only for the purposes contemplated by such Terms of Use.