TIBCO eFTL Windows Platform Installation vulnerability

  Original release date: March 23, 2021
  Last revised: ---
  Source: TIBCO Software Inc.


Products Affected

  TIBCO eFTL - Community Edition versions 6.5.0 and below

  TIBCO eFTL - Developer Edition versions 6.5.0 and below

  TIBCO eFTL - Enterprise Edition versions 6.5.0 and below

  The following component is affected:

    * Windows Installation


Description

  The component listed above contains a vulnerability that theoretically allows
  a low privileged attacker with local access on some versions of the Windows
  operating system to insert malicious software. The affected component can be
  abused to execute the malicious software inserted by the attacker with the
  elevated privileges of the component. This vulnerability results from a lack
  of access restrictions on certain files and/or folders in the installation.


Impact

  The impact of this vulnerability includes the possibility of an attacker
  gaining full access to the Windows operating system at the privilege level of
  the affected component.

  CVSS v3 Base Score: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO eFTL - Community Edition versions 6.5.0 and below update to version
    6.6.0 or higher

  TIBCO eFTL - Developer Edition versions 6.5.0 and below update to version
    6.6.0 or higher

  TIBCO eFTL - Enterprise Edition versions 6.5.0 and below update to version
    6.6.0 or higher


Acknowledgments

  TIBCO would like to extend its appreciation to Will Dormann of CERT/CC for
  discovery of this vulnerability.

References

  http://www.tibco.com/services/support/advisories
  CVE-2021-28823