TIBCO Rendezvous vulnerability

Original release date: August 25, 2015
Last revised: --
Source: TIBCO Software Inc.

Systems Affected

* TIBCO Rendezvous 8.4.3 and below (all distributions)
* TIBCO Rendezvous Network Server 1.1.0 and below
* TIBCO Substation ES 2.8.1 and below
* TIBCO Messaging Appliance 8.7.1 and below

The following components are affected:

* TIBCO Rendezvous Daemon (rvd)
* TIBCO Rendezvous Routing Daemon (rvrd)
* TIBCO Rendezvous Secure Daemon (rvsd)
* TIBCO Rendezvous Secure Routing Daemon (rvsrd)
* TIBCO Rendezvous Gateway Daemon (rvgd)
* TIBCO Rendezvous Daemon Adapter (rvda)
* TIBCO Rendezvous Cache (rvcache)
* TIBCO Rendezvous Agent (rva)
* TIBCO Rendezvous Relay Agent (rvrad)

Description

The TIBCO Rendezvous daemon components listed above contain a buffer overflow vulnerability in the HTTP administrative interface.

Impact

The impact of this vulnerability includes denial of service and the theoretical possibility of remote execution of arbitrary code.

CVSS v2 Base Score: 4.3 (AV:A/AC:H/Au:N/C:P/I:P/A:P)

Solution

TIBCO has released updated versions of the affected components which address these issues. TIBCO strongly recommends that sites running the affected components install the applicable update as described below.

For each affected system, update to the corresponding software versions:

* TIBCO Rendezvous 8.4.4 or higher
* TIBCO Rendezvous Network Server 1.1.1 or higher
* TIBCO Substation ES 2.9.0 or higher
* TIBCO Messaging Appliance 8.7.2 or higher

References

http://www.tibco.com/mk/advisory.jsp
CVE: CVE-2015-4555