TIBCO Administrator components listed above fail to properly enforce administrator privileges in some circumstances. This may allow unprivileged users to execute arbitrary commands with administrator privileges.
TIBCO has released an update which addresses this issue. TIBCO strongly recommends that sites running the affected components install the update and take corrective action as described below.
The following components are affected:
An attacker can execute arbitrary code on any system that is a participant in a TIBCO domain that utilizes JMS as the communication transport.
Upgrade TIBCO Administrator to version 5.6.1 or above.
Security vulnerabilities have been discovered in:
The vulnerability could allow an attacker holding any valid TIBCO domain credential to obtain the TIBCO domain administrator credential, the database user ID and password utilized by TIBCO Administrator, and the optional LDAP user ID and password utilized by TIBCO Administrator. With the administrator credential, an attacker can then execute arbitrary code on any system that is a participant in the TIBCO domain. For details, please see the product advisory accessible from http:/services/support/advisories
These issues may affect customers who utilize TIBCO Administrator with a JMS transport provided by TIBCO Enterprise Message Service™ as their domain transport. Customers who utilize TIBCO Rendezvous™ for their TIBCO domain transport are not impacted. The specific impact, solution and mitigation possibilities are detailed in the TIBCO Administrator FAQ below.
Customers with current maintenance can obtain product updates at http://download.tibco.com.
Customers of OEM partners can receive new versions and bundles from their OEM partners. Please contact your OEM partner for updates.
Please contact TIBCO Support by telephone. Please reference SR_ID:1-AKTZG3 in your communication to indicate the context of your request.
TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.
Product advisories can be accessed from http:/services/support/advisories.
Customers with a current maintenance contract with TIBCO can log a service request with TIBCO Global Support (please refer to SR_ID:1-AKTZG3) and then call your support telephone number. Maintenance customers can also view product-specific Late Breaking News (LBN1-AKTZHV) through the TIBCO Support Web.
All versions from 5.4.0 through 5.6.0, inclusive. As noted above, these issues only impact customers using a JMS transport provided by TIBCO Enterprise Message Service as their domain transport. TIBCO Enterprise Message Service was introduced as a domain transport in version 5.4.0 of TIBCO Administrator.
The TIBCO Administrator server jar file, TIBRepoServer5.jar, is affected. This jar is invoked by wrapper executables; on Windows the wrapper is tibcoadmin_domain-name.exe, and on Unix the wrapper is tibcoadmin_domain-name, where domain-name is the name of the administration domain created with Domain Utility.
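The affected set is narrow enough to script: TIBCO Administrator 5.4.0 through 5.6.0 inclusive, and only where the domain transport is a JMS transport provided by TIBCO Enterprise Message Service; Rendezvous domains and 5.6.1 or later are out of scope. The triage helper below is an added example, not TIBCO code. It assumes the per-host version and transport have already been collected by some inventory process (how that is done is not specified here), and the inventory lines it reads are constructed sample data.

```python
"""Triage helper for the TIBCO Administrator advisory above (added example).

Encodes the advisory's affected set: versions 5.4.0 through 5.6.0 inclusive,
and only when the domain transport is EMS/JMS. Rendezvous domains are not
affected. The inventory format (host,version,transport) is an assumption
used for illustration; the sample lines are constructed.
"""
from typing import Dict, Iterable, Tuple

AFFECTED_MIN = (5, 4, 0)
AFFECTED_MAX = (5, 6, 0)
FIXED_VERSION = "5.6.1"
# The advisory names the EMS-provided JMS transport; accept either spelling
# since inventories commonly record one or the other (assumption).
AFFECTED_TRANSPORTS = {"ems", "jms"}

# Constructed sample inventory: host,version,transport
SAMPLE_INVENTORY = """\
adm-prod-01,5.6.0,EMS
adm-prod-02,5.6.1,EMS
adm-dr-01,5.5.2,Rendezvous
adm-test-01,5.4,jms
adm-legacy-01,5.3.9,EMS
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Convert '5.6.0' or '5.4' into a comparable (major, minor, patch) tuple.

    Only the first three components are compared; a hotfix suffix such as
    5.6.0.1 is treated as 5.6.0 (assumption: hotfixes do not change the
    affected status unless the advisory says so).
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_affected(version: str, transport: str) -> bool:
    """True only when both conditions of the advisory hold."""
    in_range = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    return in_range and transport.strip().lower() in AFFECTED_TRANSPORTS


def remediation(version: str, transport: str) -> str:
    """Return the advisory's guidance for one host."""
    if is_affected(version, transport):
        return (f"AFFECTED: upgrade to {FIXED_VERSION}, then rotate the domain "
                "administrator, database and LDAP credentials")
    if transport.strip().lower() not in AFFECTED_TRANSPORTS:
        return "not affected: transport is not EMS/JMS"
    return "not affected: version outside 5.4.0 through 5.6.0"


def triage(inventory_lines: Iterable[str]) -> Dict[str, str]:
    """Map each host in a host,version,transport inventory to its status."""
    results: Dict[str, str] = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version, transport = (f.strip() for f in line.split(",", 2))
        results[host] = remediation(version, transport)
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{host:16} {status}")
```

Only the transport actually configured for the domain matters: a site that has EMS installed but runs its TIBCO domain over Rendezvous is not affected, so the inventory must record the domain transport, not merely the presence of EMS.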
TIBCO Administrator 5.6.1 installs a new version of the Administrator server jar file, TIBRepoServer5.jar.
Affected customers should update to the latest version of TIBCO Administrator (5.6.1), available at http://download.tibco.com to customers with current maintenance for the product.
Customers who believe their administrator credentials may already have been compromised should, after upgrading TIBCO Administrator, consider changing their TIBCO Administrator administrator password, the database user ID and password utilized by TIBCO Administrator, and the optional LDAP user ID and password utilized by TIBCO Administrator.
Customers not able to update TIBCO Administrator at this time may consider stopping the TIBCO Administrator server. Stopping the TIBCO Administrator server prevents the disclosure of the domain administrator's credentials through this vulnerability, but also precludes administration of the domain. Users will be prevented from signing into the TIBCO domain until the server is upgraded and restarted.
Customers who believe their administrator credentials may already have been compromised should, before stopping TIBCO Administrator, consider changing their TIBCO Administrator administrator password, the database user ID and password utilized by TIBCO Administrator, and the optional LDAP user ID and password utilized by TIBCO Administrator.
Products that include TIBCO Administrator with their download include: