Security Advisories for TIBCO Products
April 28, 2009
TIBCO SmartSockets, TIBCO SmartSockets (VMS), TIBCO SmartSockets Product Family Modules (formerly RTworks), and TIBCO Enterprise Message Service
We would like to call your attention to security advisories for:
- TIBCO SmartSockets®
- TIBCO SmartSockets® (VMS)
- TIBCO SmartSockets® Product Family Modules (formerly RTworks)
- TIBCO Enterprise Message Service™
View copies of the advisories and detailed FAQs.
The SmartSockets® client library is dynamically loaded by several SmartSockets Product Family Modules and SmartSockets add-on products, such as TIBCO SmartSockets® Cache and TIBCO SmartSockets® RTarchive.
TIBCO Enterprise Message Service is delivered as a standalone offering, as a hard-bundled component of TIBCO iProcess Engine™ and as a soft-bundled component of several TIBCO ActiveMatrix™ products.
Please note that Enterprise Message Service™, iProcess Engine™ and ActiveMatrix™ installations are only impacted if they have proactively enabled the Enterprise Message Service server's internal SmartSockets support. By default, SmartSockets support is disabled. Customers who have enabled Enterprise Message Service's SmartSockets support can secure their implementations by upgrading their Enterprise Message Service servers, or by disabling SmartSockets support.
To fully secure SmartSockets and SmartSockets Product Family Modules (RTworks) implementations, customers will need to upgrade both their server components and C client libraries to the newly released versions. Please see the FAQ linked at the bottom of this notice for details on specific upgrade steps.
New Versions of SmartSockets, SmartSockets Product Family Modules/RTworks, and Enterprise Message Service Available
Please be assured that we have taken proactive steps to address these issues, including the release of new versions of SmartSockets (6.8.2), SmartSockets Product Family Modules/RTworks (4.0.5) and Enterprise Message Service (5.1.2) that eliminate the vulnerabilities. We have rebundled iProcess (11.0.2) and the latest versions of the ActiveMatrix products with the updated version of Enterprise Message Service. TIBCO customers and OEM partners with current maintenance contracts can obtain the latest releases of these products through their standard TIBCO fulfillment channel. TIBCO recommends upgrading to the latest versions of these products as quickly as possible.
July 29, 2008
TIBCO Hawk, TIBCO Runtime Agent, TIBCO iProcess Engine, and TIBCO Mainframe Service Tracker
We would like to call your attention to a security advisory for TIBCO Hawk®. TIBCO Hawk is delivered as both a standalone offering and a component of:
- TIBCO Runtime Agent™
- TIBCO iProcess™ Engine
- TIBCO Mainframe Service Tracker™
TIBCO Runtime Agent is bundled for download with additional TIBCO products that are listed in a FAQ that is available with copies of the advisories. These advisories describe vulnerabilities that have been discovered in the Hawk® tibhawkhma executable and the Hawk AMI C client library.
These vulnerabilities impact TIBCO products that bundle the tibhawkhma executable, or include the Hawk AMI C client library. To fully secure current Hawk implementations, customers will need to upgrade to the latest version of Hawk, and upgrade to the latest version of products with built-in dependencies on the affected Hawk components. Customers may need to re-link or restart any of their own applications that utilize the Hawk AMI C client.
New Versions of Hawk, Runtime Agent, iProcess Engine, and Mainframe Service Tracker Available
Please be assured that we have taken proactive steps to address these issues, including the release of new versions of Hawk (4.8.1), Runtime Agent (5.6.0), iProcess Engine (10.6.3 and 11.0.1) and Mainframe Service Tracker (1.1.0). We have updated the soft links of dependent products such as ActiveMatrix BusinessWorks™ to provide access to the updated version of Runtime Agent. TIBCO customers and OEM partners with current maintenance contracts can obtain the latest releases of these products from their standard TIBCO fulfillment channel. TIBCO recommends upgrading to the latest versions of these products as quickly as possible.
April 9, 2008
TIBCO Rendezvous and TIBCO Enterprise Message Service Security Advisories
We would like to call your attention to security advisories for TIBCO Enterprise Message Service™ and TIBCO Rendezvous®. Both products are delivered as standalone offerings, and included or bundled with:
- TIBCO Rendezvous® TX
- TIBCO Rendezvous® DataSecurity
- TIBCO Hawk®
- TIBCO Runtime Agent™
- TIBCO Adapter™ for Files z/OS
- TIBCO Substation ES™
- TIBCO iProcess™ Engine
- TIBCO ActiveMatrix BusinessWorks™ Service Engine
- Bundled for download with ActiveMatrix BusinessWorks™
- TIBCO ActiveMatrix™ Service Grid
- TIBCO ActiveMatrix™ Service Bus
These advisories describe vulnerabilities that have been discovered in Rendezvous® (including Rendezvous® OS390 and Rendezvous® Server In-Process Module Add-on) clients and daemons, and Enterprise Message Service™ servers.
These vulnerabilities impact TIBCO products that link with the Rendezvous client libraries, or bundle the Rendezvous daemons, Rendezvous client libraries, or Enterprise Message Service servers. To fully secure current Rendezvous and Enterprise Message Service implementations, customers will need to upgrade to the latest versions of these products, and upgrade to the latest version of products with built-in dependencies on either Rendezvous or Enterprise Message Service.
New Versions of Rendezvous and Enterprise Message Service Available
Please be assured that we have taken proactive steps to address these issues, including the release of new versions of Rendezvous (8.1.0), Enterprise Message Service (4.4.3), and any products with built-in dependencies. We have updated the soft links of dependent products such as ActiveMatrix BusinessWorks™ to provide the necessary updates to Rendezvous and/or Enterprise Message Service. TIBCO customers and OEM partners with current maintenance contracts can obtain the latest releases of these products from their standard TIBCO fulfillment channel. TIBCO recommends upgrading to the latest versions of these products as quickly as possible.
January 15, 2008
TIBCO SmartSockets, TIBCO SmartSockets Product Family Modules (RTworks), and TIBCO Enterprise Message Service Security Advisories
Security advisories for TIBCO SmartSockets®, TIBCO SmartSockets® Product Family Modules (formerly RTworks), and TIBCO Enterprise Message Service™ have been coordinated with an independent advisory distribution from iDefense Labs. These advisories describe vulnerabilities that have been discovered in TIBCO SmartSockets, TIBCO SmartSockets Product Family Modules, and related TIBCO products that use or can potentially leverage TIBCO SmartSockets client libraries.
These issues may impact customers who utilize SmartSockets® or SmartSockets® Product Family Modules directly, as well as those who utilize SmartSockets client libraries in products such as TIBCO Enterprise Message Service, TIBCO ActiveMatrix™ Service Grid, TIBCO ActiveMatrix™ Service Bus, and TIBCO ActiveMatrix BusinessWorks™ via the SmartSockets bridge in the Enterprise Message Service™ server. Guidelines for determining whether your TIBCO software installation is affected can be found at the FAQ pages listed above.
New Versions of SmartSockets, SmartSockets Product Family Modules, and Enterprise Message Service Now Available
Please be assured that we have taken proactive steps to address these issues, including the release of new versions of SmartSockets (v6.8.1), SmartSockets Product Family Modules, formerly RTworks (v4.0.4) and Enterprise Message Service (v4.4.2) that eliminate the vulnerabilities. Further, Enterprise Message Service has been updated to version 4.4.2 in the product bundles for TIBCO ActiveMatrix Service Grid 2.0.0, TIBCO ActiveMatrix Service Bus 2.0.0, and TIBCO ActiveMatrix BusinessWorks 5.6.0. TIBCO customers with current maintenance contracts can obtain the latest releases of these products from their standard TIBCO download site. TIBCO recommends that customers upgrade to the latest versions of these products as quickly as possible.
June 5, 2006
TIBCO Rendezvous and TIBCO Hawk Support Products
We would like to call your attention to security advisories for TIBCO Rendezvous® and TIBCO Hawk®, which have been sent to the CERT Coordination Center for distribution. These advisories describe vulnerabilities that have been discovered in TIBCO Rendezvous and TIBCO Hawk. The affected components are RVSD, RVRD, RVSRD, RVA, RVCACHE and TIBHAWKHMA. The basic RVD is not affected.
These issues may impact customers who utilize Rendezvous® or Hawk® directly, as well as those who utilize Rendezvous in support of products such as TIBCO BusinessWorks™, TIBCO BusinessConnect™, TIBCO BusinessEvents™, and TIBCO PortalBuilder® via the TIBCO Runtime Agent™. Guidelines for determining whether your TIBCO software installation is affected can be found at the FAQ pages listed above.
New Versions of Rendezvous, Hawk, and Runtime Agent™ Available
Please be assured that we have taken proactive steps to address these issues, including the release of new versions of Rendezvous (v7.5.1), Hawk (v4.6.1) and Runtime Agent (v5.4.0) that eliminate the vulnerabilities. TIBCO customers with current maintenance contracts can obtain the latest releases of these products from their standard TIBCO download site. TIBCO recommends that customers upgrade to the latest versions of these products as quickly as possible.
Regarding Existing Installations
For those unable to upgrade at this time, the web links below provide remedial administrative actions that can be taken to mitigate the impact on existing installations. Many customers will find that their TIBCO software installations do not include the affected components, or that mitigating administrative actions have already been implemented as part of standard operating procedures.
For More Information
For more detailed information, including how to access TIBCO Software maintenance downloads, installation instructions, remedial actions for existing installations, frequently asked questions, and contact information through which additional questions can be answered, please view the appropriate Advisory FAQ as listed above.
###
The information on this page is being provided to you on an "AS IS" and "AS-AVAILABLE" basis. The issues described on this page may or may not impact your system(s). TIBCO makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT TIBCO SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. The information on this page is being provided to you under the terms of your license and/or services agreement with TIBCO, and may be used only for the purposes contemplated by the agreement. If you do not have such an agreement with TIBCO, this information is provided under the TIBCO.com Terms of Use, and may be used only for the purposes contemplated by such Terms of Use.







