TIBCO FTL Secret Exposure Vulnerability

  Original release date: January 11, 2022
  Last revised: ---
  Source: TIBCO Software Inc.


Products Affected

  TIBCO FTL - Community Edition versions 6.7.2 and below

  TIBCO FTL - Developer Edition versions 6.7.2 and below

  TIBCO FTL - Enterprise Edition versions 6.7.2 and below

  The following component is affected:

    * Realm Server


Description

  The component listed above contains a difficult to exploit vulnerability that
  allows an unauthenticated attacker with network access to obtain the cluster
  secret of another application connected to the realm server.


Impact

  Successful execution of this vulnerability can result in an attacker gaining
  full access to communication on an existing eFTL channel on the affected
  system.

  CVSS v3 Base Score: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)


Solution

  TIBCO has released updated versions of the affected systems which address this
  issue:

  TIBCO FTL - Community Edition versions 6.7.2 and below update to version
    6.7.3 or later

  TIBCO FTL - Developer Edition versions 6.7.2 and below update to version
    6.7.3 or later

  TIBCO FTL - Enterprise Edition versions 6.7.2 and below update to version
    6.7.3 or later


References

  https://www.tibco.com/services/support/advisories
  CVE-2021-43053