Public Notice

Meltdown and Spectre Vulnerability Update

12 January 2018

TIBCO continues to investigate and identify mitigations for the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) vulnerabilities. The table below contains the current status of these efforts, organized by TIBCO delivery and deployment options.

TIBCO Offering Mitigation status

Customer deployed TIBCO software

TIBCO software does not provide a vector to exploit these vulnerabilities.

Other software running on the same operating system as TIBCO software could potentially be vulnerable and gain access to information held by processes running TIBCO software.

No patches to TIBCO software are required to address these vulnerabilities. TIBCO recommends that customers consult their operating system (OS) vendors for patching recommendations and guidance on the impact on performance.

Links to commonly used OS vendor guidance can be found at the bottom of the first update.

Virtual machine images provided by TIBCO

TIBCO is working on updates to the virtual images it provides. TIBCO will update customers by January 31, 2018 with the release date for images that address these vulnerabilities.

Hardware appliances - resolved

The following TIBCO appliances are not vulnerable and do not require any action by the customer.

  • TIBCO Enterprise Message Service™ Appliance
  • TIBCO Messaging Appliance™

Hardware appliances - pending

TIBCO is working on remediations for the following appliances. TIBCO will update customers by January 31, 2018 with the release date for appliance remediations that address these vulnerabilities.

  • TIBCO FTL® Message Switch
  • TIBCO LogLogic® Log Management Intelligence (LMI)

TIBCO-hosted services

TIBCO is updating its hosted services to address these vulnerabilities and will have completed updates to all hosted services, with the exception of TIBCO Reward, by January 29, 2018.

An update on TIBCO Reward hosted services will be provided by January 31, 2018.

Web-browser clients of TIBCO software

Via a related attack, security researchers have demonstrated leaking information within the browser process via JavaScript. TIBCO follows industry best practices to ensure that our software does not run arbitrary JavaScript and therefore cannot be used to attack other sites. Unfortunately, an attack from another website could theoretically obtain information from any websites opened in the browser, including websites from TIBCO's software.

TIBCO recommends customers update their web browsers. Links to specific browser vendor guidance can be found at the bottom of the first update.

Some browsers can also be configured with site isolation. Consult your browser documentation for more details.