TIBCO Spotfire Server Script Trust Problem Exposes Remote Code Execution
Vulnerability

  Original release date: March 11, 2020
  Last revised: ---
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.8.0 and
    below

  TIBCO Spotfire Server versions 7.11.9 and below
  TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1,
    10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6
  TIBCO Spotfire Server versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and
    10.8.0

  The following component is affected:

    * Spotfire library


Description

  The component listed above contains a vulnerability that theoretically allows
  an attacker with write permissions to the Spotfire Library, but not "Script
  Author" group permission, to modify attributes of files and objects saved to
  the library such that the system treats them as trusted. This could allow an
  attacker to cause the Spotfire Web Player, Analyst clients, and TERR Service
  into executing arbitrary code with the privileges of the system account that
  started those processes.


Impact

  The impact of this vulnerability includes the theoretical possibility that an
  attacker could execute arbitrary code with the privileges of the system
  account that started the Spotfire Web Player, Analyst clients, or TERR
  Service.

  CVSS v3 Base Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.8.0 and
    below update to version 10.8.1 or higher

  TIBCO Spotfire Server versions 7.11.9 and below update to version 7.11.10 or
    higher
  TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1,
    10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6
    update to version 10.3.7 or higher
  TIBCO Spotfire Server versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and
    10.8.0 update to version 10.8.1 or higher


References

  http://www.tibco.com/services/support/advisories
  CVE-2020-9408