TIBCO Security Advisory: June 5, 2006 - TIBCO Rendezvous®

Frequently Asked Questions

General FAQ

Why are these advisories being issued?

Security vulnerabilities have been discovered in TIBCO Rendezvous® versions 7.5.0 and earlier.

Which customers are affected?

The vulnerability potentially affects any customer running Rendezvous® 7.5.0 or earlier. This includes customers who have installed Rendezvous directly, as well as those who have installed it as part of TIBCO Hawk® or TIBCO Runtime Agent™.

What Rendezvous components are affected?

The following Rendezvous daemons are affected: RVSD, RVRD, RVSRD, RVCACHE and RVA.

Is RVD affected?

No.

What is the effect of the vulnerability?

The vulnerability could allow an attacker to execute arbitrary code on an affected system.

How should customers currently on maintenance handle this issue?

Affected customers with current maintenance agreements should upgrade to the latest version of Rendezvous (v7.5.1 or later), available from your TIBCO download site.

Do I need to upgrade all the RVRD/RVSRD/RVSD/RVCACHE/RVA daemons?

TIBCO strongly recommends that all instances of these daemons be replaced.

Do I need to re-link applications that use the RV libraries?

No.

What if I cannot upgrade Rendezvous at this time?

If you are not able to upgrade the Rendezvous daemons at this time, actions can be taken to mitigate the vulnerability. For details on these actions, please see the Rendezvous Security Advisory.

Does this issue affect TIBCO Enterprise Messaging Service™?

No, Enterprise Messaging Service™ is not affected.

What other products are affected?

TIBCO Hawk and TIBCO Runtime Agent each bundle Rendezvous as part of the install process. When purchasing Hawk® or a TIBCO product that includes Runtime Agent® (e.g., TIBCO BusinessWorks™), customers typically utilize only the unaffected RVD within these packages. Customers who have purchased additional Rendezvous licenses that provide access to the affected daemons should upgrade their Rendezvous installation.

Does this mean that I have to upgrade Runtime Agent and Hawk?

You do not need to upgrade Runtime Agent. An updated version of Rendezvous may be layered on an existing deployment without installing a new version of Runtime Agent. If Hawk is installed, stand-alone or as part of Runtime Agent, you should install a new version of Hawk.

What if I do not have a current maintenance contract?

The vulnerability can be mitigated without a software upgrade by taking the remedial configuration actions detailed in the Rendezvous Security Advisory.

How will customers who receive TIBCO software via OEM partners be affected?

Customers of OEM partners can receive new versions of TIBCO Hawk from their OEM partner. Please contact your OEM partner to upgrade.

What is TIBCO doing to prevent future security issues?

TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.

Where can I get more information?

If you have a current maintenance contract with TIBCO, you can log a service request with TIBCO Global Support and then call your support telephone number.
