A security vulnerability has been discovered in TIBCO Hawk® version 4.6.0 and earlier.
The vulnerability potentially affects any customer running Hawk® versions below 4.6.1, or TIBCO Runtime Agent™ versions below 5.4.
TIBCO Hawk Microagent (TIBHAWKHMA) is the component affected.
The vulnerability could allow an attacker to execute arbitrary code with system privileges on an affected system.
Affected customers with current maintenance agreements should upgrade to the latest version of Hawk (v4.6.1 or later), available from your TIBCO download site.
TIBCO strongly recommends that all Hawk components be replaced.
If you are not able to upgrade Hawk at this time, steps can be taken to mitigate the vulnerability.
Both Hawk and Runtime Agent™ bundle TIBHAWKHMA as part of the install. No other products are affected.
No, you need to upgrade either Runtime Agent or Hawk. TIBHAWKHMA will be upgraded in either case.
If you update Runtime Agent (version 5.4 or later) and you have Hawk installed, you will have updated Hawk to version 4.6.1 (or later).
If you have Runtime Agent installed and do not have Hawk installed, you could install Hawk (version 4.6.1 or later) into the TIBCO environment and TIBHAWKHMA will be updated at that time.
If you have Hawk installed and do not have Runtime Agent installed, you could install Runtime Agent into the TIBCO environment and TIBHAWKHMA will be updated at that time.
The vulnerability can be mitigated without a software upgrade by taking the remedial steps detailed.
Customers of OEM partners can receive new versions of TIBCO products from their OEM partner. Please contact your OEM partner to upgrade.
TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.
If you have a current maintenance contract with TIBCO, you can log a service request with TIBCO Global Support and then call your support telephone number.