May 15, 2015
CVE-2015-3456 - aka VENOM
See : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456

Status

TIBCO Software Inc. has been made aware of this vulnerability. 

Product(s) Affected

There are no TIBCO products or services that use Xen, KVM, QEMU or related components affected by this CVE. 


Notes

Please check for Late Breaking News on TIBCO Support Central.



March 03, 2015
CVE-2015-0204 - aka FREAK
See : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204

Status

TIBCO is currently assessing the impact of this vulnerability on our products. This vulnerability is limited in scope to OpenSSL-encrypted systems. As more information becomes available, it will be published via Late Breaking News (LBNs) on TIBCO Support Central (support.tibco.com). Due to the nature of this vulnerability, some issues may be mitigated by default and others may be mitigated via configuration as per CVE-2015-0204. TIBCO is currently investigating which issues are mitigated by default, which can be mitigated by configuration and which, if any, require new software releases.

Product(s) Affected

TIBCO Software Inc. has determined that the following products are affected:

  • TIBCO Enterprise Message Service™ (EMS) - easily configured, consult the documentation on the attribute "ssl_server_ciphers" 
  • TIBCO Enterprise Message Service™ Appliance and High Performance Edition Appliance - Same as the software version, easily configured.
  • TIBCO Rendezvous® (RV) - TBD - not vulnerable from RV Client to RV Daemon
  • TIBCO LogLogic® Log Management Intelligence  - TBD - some interfaces are configurable
  • TIBCO LogLogic® Enterprise Virtual Appliance - TBD - some interfaces are configurable

Notes

Please check for Late Breaking News on TIBCO Support Central.



January 27, 2015
CVE-2015-0235 - aka GHOST
See : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

Status

TIBCO Software Inc. has been made aware of this vulnerability. LBNs are in the process of being published as needed;  see below.

Product(s) Affected

TIBCO Software Inc. has determined that the following products are affected:

  • TIBCO Enterprise Message Service™ (EMS) - all versions on Linux
  • TIBCO Rendezvous® (RV) - all versions on Linux
  • TIBCO FTL® (FTL) - all versions on Linux
  • TIBCO ActiveSpaces® - all versions on Linux
  • TIBCO iProcess™ - all versions on Linux
  • TIBCO LogLogic® Log Management Intelligence  (all versions) on Linux
  • TIBCO LogLogic® Enterprise Virtual Appliance (all versions) on Linux
  • TIBCO LogLogic® Security Event Manager (all versions) on Linux
  • TIBCO LogLogic® Security Event Manager Enterprise Virtual Appliance (all versions) on Linux

Notes

Please check for Late Breaking News on TIBCO Support Central.

TIBCO Software Inc. products DO NOT statically link the glibc library, so the recourse for remediation is to upgrade the OS with the new dynamic libraries using the "package manager" for your distribution; this is the responsibility of the Licensee, not TIBCO Software Inc.

LogLogic will be providing a Hot Fix for updating the 'glibc' package.  Please check for LBNs on availability.

Corporate and Services:  all public-facing systems have been reviewed and patched as necessary.
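
Because the GHOST fix arrives as an OS package update to a dynamically linked glibc, a process started before the upgrade keeps the old library mapped until it is restarted. The script below is an added example, not TIBCO code: it flags such processes from /proc/<pid>/maps, and its function names and sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: after the package manager replaces
# glibc, a process started earlier still maps the old, now-unlinked libc.
# The kernel marks that mapping "(deleted)" in /proc/<pid>/maps.

# Exit 0 if the maps text on stdin contains a mapping of a deleted libc.
maps_has_stale_libc() {
    awk '
        # Fields: address perms offset dev inode pathname [(deleted)]
        $NF == "(deleted)" && $(NF-1) ~ "/libc[-.][^/]*$" { found = 1 }
        END { exit !found }
    '
}

# Print the PID of every process under proc_root (default /proc) that still
# maps a deleted libc. Run as root to see all processes.
list_stale_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if cat "$maps" 2>/dev/null | maps_has_stale_libc; then
            pid_dir="${maps%/maps}"
            echo "${pid_dir##*/}"
        fi
    done
}

# Constructed sample: process started before the upgrade (old libc unlinked).
SAMPLE_STALE='7f3a1c000000-7f3a1c1b6000 r-xp 00000000 08:01 131094 /usr/lib64/libc-2.17.so (deleted)
7f3a1c5c0000-7f3a1c5e0000 r-xp 00000000 08:01 131087 /usr/lib64/ld-2.17.so'

# Constructed sample: restarted process; a deleted libcrypto must not match.
SAMPLE_CURRENT='7f9b2e000000-7f9b2e1b6000 r-xp 00000000 08:01 140233 /usr/lib64/libc-2.17.so
7f9b2e400000-7f9b2e5d0000 r-xp 00000000 08:01 140301 /usr/lib64/libcrypto.so.10 (deleted)
7f9b2e800000-7f9b2e801000 rw-p 00000000 00:00 0'

# Report on one labelled sample: $1 = label, $2 = maps text.
report() {
    if printf '%s\n' "$2" | maps_has_stale_libc; then
        echo "$1: restart needed"
    else
        echo "$1: ok"
    fi
}
report "stale sample" "$SAMPLE_STALE"
report "current sample" "$SAMPLE_CURRENT"
```

On a live host, calling `list_stale_pids` with no argument scans /proc; the services it lists need a restart to pick up the patched library.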