Security vulnerabilities have been discovered in TIBCO Rendezvous® versions 7.5.0 and earlier.
The vulnerability potentially affects any customer running Rendezvous® 7.5.0 or earlier. This includes customers who have installed Rendezvous directly, as well as those who have installed it as part of TIBCO Hawk® or TIBCO Runtime Agent™.
The following Rendezvous daemons are affected: RVSD, RVRD, RVSRD, RVCACHE and RVA.
The vulnerability could allow an attacker to execute arbitrary code on an affected system.
Affected customers with current maintenance agreements should upgrade to the latest version of Rendezvous (v7.5.1 or later), available from your TIBCO download site.
TIBCO strongly recommends that all instances of these daemons be replaced.
If you are not able to upgrade the Rendezvous daemons at this time, actions can be taken to mitigate the vulnerability. For details on these actions, please see the Rendezvous Security Advisory.
Enterprise Messaging Service™ is not affected.
TIBCO Hawk and TIBCO Runtime Agent each bundle Rendezvous as part of the install process. When purchasing Hawk® or a TIBCO product that includes Runtime Agent® (e.g., TIBCO BusinessWorks™), customers typically use only the unaffected RVD within these packages. Customers who have purchased additional Rendezvous licenses that provide access to the affected daemons should upgrade their Rendezvous installation.
You do not need to upgrade Runtime Agent. An updated version of Rendezvous may be layered on an existing deployment without installing a new version of Runtime Agent. If Hawk is installed, stand-alone or as part of Runtime Agent, you should install a new version of Hawk.
The vulnerability can be mitigated without a software upgrade by taking the remedial configuration actions detailed.
Customers of OEM partners can receive new versions of TIBCO Hawk from their OEM partner. Please contact your OEM partner to upgrade.
TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.
If you have a current maintenance contract with TIBCO, you can log a service request with TIBCO Global Support and then call your support telephone number.