TIBCO LogLogic Log Management Intelligence Multiple Cross-Site Scripting (XSS)
and Cross-Site Request Forgery (CSRF) Vulnerabilities

  Original release date: August 13, 2019
  Last revised: ---
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO LogLogic Enterprise Virtual Appliance versions 6.2.1 and below

  TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below

  Appliances TIBCO LogLogic LX825 Appliance 0.0.004,
  TIBCO LogLogic LX1025 Appliance 0.0.004,
  TIBCO LogLogic LX4025 Appliance 0.0.004,
  TIBCO LogLogic MX3025 Appliance 0.0.004,
  TIBCO LogLogic MX4025 Appliance 0.0.004,
  TIBCO LogLogic ST1025 Appliance 0.0.004,
  TIBCO LogLogic ST2025-SAN Appliance 0.0.004, and
  TIBCO LogLogic ST4025 Appliance 0.0.004
    using TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below

  Appliances TIBCO LogLogic LX1035 Appliance 0.0.005,
  TIBCO LogLogic LX1025R1 Appliance 0.0.004,
  TIBCO LogLogic LX1025R2 Appliance 0.0.004,
  TIBCO LogLogic LX4025R1 Appliance 0.0.004,
  TIBCO LogLogic LX4025R2 Appliance 0.0.004,
  TIBCO LogLogic LX4035 Appliance 0.0.005,
  TIBCO LogLogic ST2025-SANR1 Appliance 0.0.004,
  TIBCO LogLogic ST2025-SANR2 Appliance 0.0.004,
  TIBCO LogLogic ST2035-SAN Appliance 0.0.005,
  TIBCO LogLogic ST4025R1 Appliance 0.0.004,
  TIBCO LogLogic ST4025R2 Appliance 0.0.004, and
  TIBCO LogLogic ST4035 Appliance 0.0.005
    using TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below

  The following component is affected:

    * web server


Description

  The component listed above contains multiple vulnerabilities that
  theoretically allow persistent and reflected cross-site scripting (XSS)
  attacks, as well as cross-site request forgery (CSRF) attacks.


Impact

  The impact of this vulnerability includes the theoretical possibility that an
  unauthenticated attacker could perform administrative functions provided by
  the web interface of the affected component.

  CVSS v3 Base Score: 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H


Solution

  TIBCO has released updated versions of the affected systems which address
  these issues

  TIBCO LogLogic Enterprise Virtual Appliance versions 6.2.1 and below update
    to version 6.3.0 or higher

  TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below update
    to version 6.3.0 or higher

  Appliances TIBCO LogLogic LX825 Appliance 0.0.004,
  TIBCO LogLogic LX1025 Appliance 0.0.004,
  TIBCO LogLogic LX4025 Appliance 0.0.004,
  TIBCO LogLogic MX3025 Appliance 0.0.004,
  TIBCO LogLogic MX4025 Appliance 0.0.004,
  TIBCO LogLogic ST1025 Appliance 0.0.004,
  TIBCO LogLogic ST2025-SAN Appliance 0.0.004, and
  TIBCO LogLogic ST4025 Appliance 0.0.004 using
    TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below update
    to 6.2.1_02 or higher compatible version (below 6.3.0)

  Appliances TIBCO LogLogic LX1035 Appliance 0.0.005,
  TIBCO LogLogic LX1025R1 Appliance 0.0.004,
  TIBCO LogLogic LX1025R2 Appliance 0.0.004,
  TIBCO LogLogic LX4025R1 Appliance 0.0.004,
  TIBCO LogLogic LX4025R2 Appliance 0.0.004,
  TIBCO LogLogic LX4035 Appliance 0.0.005,
  TIBCO LogLogic ST2025-SANR1 Appliance 0.0.004,
  TIBCO LogLogic ST2025-SANR2 Appliance 0.0.004,
  TIBCO LogLogic ST2035-SAN Appliance 0.0.005,
  TIBCO LogLogic ST4025R1 Appliance 0.0.004,
  TIBCO LogLogic ST4025R2 Appliance 0.0.004, and
  TIBCO LogLogic ST4035 Appliance 0.0.005
    using TIBCO LogLogic Log Management Intelligence versions 6.2.1 and below
    update to 6.3.0 or higher

References

  http://www.tibco.com/services/support/advisories
  CVE-2019-11207