TIBCO Spotfire Server vulnerabilities

   Original release date: October 27, 2015
   Last revised: --
   Source: TIBCO Software Inc.


Systems Affected

   TIBCO Spotfire Server 5.5.3 and below
   TIBCO Spotfire Server 6.0.X version 6.0.4 and below
   TIBCO Spotfire Server 6.5.X version 6.5.3 and below
   TIBCO Spotfire Server 7.0.0
   TIBCO Spotfire Analytics Platform for AWS Marketplace 7.0.1 and below

   The following components are affected:

     * TIBCO Spotfire Parsing Library
     * TIBCO Spotfire Security Filter


Description

   The TIBCO Spotfire components listed above contain critical
   vulnerabilities in the handling of HTTP requests which may result
   in information disclosure.

   CVE-2015-5712 - An authenticated URL may be manipulated to disclose
   system information.

   CVE-2015-5713 - An unauthenticated URL may be manipulated to disclose
   logging information.

   TIBCO has released updated versions of the affected software products
   which address these issues.  TIBCO strongly recommends sites running the 
   affected components install the applicable update as described below.


Impact

   The impact of this vulnerability is information disclosure.
    
   CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)


Solution

   For each affected system, update to the corresponding software versions:
 
   TIBCO Spotfire Server 5.5.X version 5.5.4 or higher 
   TIBCO Spotfire Server 6.0.X version 6.0.5 or higher
   TIBCO Spotfire Server 6.5.X version 6.5.4 or higher
   TIBCO Spotfire Server 7.0.1 or higher
   TIBCO Spotfire Analytics Platform for AWS Marketplace version 7.0.2 or higher
   

References

   http://www.tibco.com/mk/advisory.jsp
   CVE: CVE-2015-5712, CVE-2015-5713