TIBCO Data Virtualization Command Injection Vulnerability

  Original release date: June 20, 2018
  Last revised: --
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO Data Virtualization (formerly Cisco Information Server)
    versions 7.0.5 and 7.0.6

  The following components are affected:

    * Version control adapters


Description

  The component listed above contains vulnerabilities that may allow for
  arbitrary command execution.


Impact

  The impact of this vulnerability includes the theoretical ability to execute
  arbitrary code with the privileges of the user account of the Data
  Virtualization server.

  CVSS v3 Base Score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Solution

  TIBCO has released updated versions of the affected components which address
  these issues.

  For each affected system, update to the corresponding software versions:

  TIBCO Data Virtualization versions 7.0.5 and 7.0.6 update to
    version 7.0.7 or higher.

References

  http://www.tibco.com/services/support/advisories
  CVE: CVE-2018-5428