TIBCO API Exchange Gateway Clickjack Vulnerability

Original release date: March 23, 2021
Last revised: ---
Source: TIBCO Software Inc.

Products Affected

TIBCO API Exchange Gateway versions 2.3.3 and below
TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric versions 2.3.3 and below

The following component is affected:

* Config UI

Description

The component listed above contains a vulnerability that theoretically allows an unauthenticated attacker with network access to execute a clickjacking attack on the affected system. A successful attack using this vulnerability does not require human interaction from a person other than the attacker.

Impact

The impact of this vulnerability includes the theoretical possibility that an attacker gains full administrative access to the affected system.

CVSS v3 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Solution

TIBCO has released updated versions of the affected systems which address this issue:

TIBCO API Exchange Gateway versions 2.3.3 and below update to version 2.4.0 or higher
TIBCO API Exchange Gateway Distribution for TIBCO Silver Fabric versions 2.3.3 and below update to version 2.4.0 or higher

References

http://www.tibco.com/services/support/advisories
CVE-2021-23274