TIBCO Security Advisory: January 15, 2008 - TIBCO SmartSockets® Product Family Modules

Frequently Asked Questions

General FAQ

Why are these advisories being issued?

Security vulnerabilities have been discovered in TIBCO SmartSockets® 5.x and 6.x and TIBCO SmartSockets® Product Family Modules (formerly RTworks) 4.x. The SmartSockets® client libraries are dynamically linked in add-on products such as TIBCO SmartSockets® Cache, TIBCO SmartMQ™ and TIBCO SmartSockets® RTie, and are statically linked in the server component of TIBCO Enterprise Message Service™ 4.0.0 through 4.4.1.

Which customers are affected?

These issues affect customers who own and use SmartSockets® or SmartSockets® Product Family Modules (RTworks), either standalone or in conjunction with Enterprise Message Service™. These issues also affect customers who use add-on products such as SmartSockets® Cache, SmartMQ™ and SmartSockets® RTie.

The vulnerabilities potentially affect customers running any version of SmartSockets 5.x or 6.x, or SmartSockets Product Family Modules (RTworks) 4.x. Enterprise Message Service 4.0.0 through 4.4.1 (installed standalone or as part of an ActiveMatrix bundle) may be impacted when used in conjunction with SmartSockets; Enterprise Message Service installations are only affected if the customer also owns TIBCO SmartSockets and has enabled the Enterprise Message Service server's SmartSockets support.

What components are affected?

The server component (RTserver) and C client libraries of both SmartSockets and SmartSockets Product Family Modules (RTworks) are affected.

Add-on products such as SmartSockets Cache, SmartMQ and SmartSockets RTie are impacted through their linking of the SmartSockets client libraries. A complete list of affected SmartSockets and SmartSockets Product Family Modules (RTworks) add-on products can be found in the FAQ below.

The server component (tibemsd) of Enterprise Message Service is affected in installations where SmartSockets support has been enabled.

What is the effect of the vulnerability?

The vulnerability could allow an attacker to execute arbitrary code on an affected system. For details, please see the product advisories accessible from http:/services/support/advisories.

How should customers handle this issue?

Affected customers should upgrade to the latest version of TIBCO SmartSockets (6.8.1), TIBCO SmartSockets Product Family Modules. formerly RTworks (4.0.4), and Enterprise Message Service (4.4.2). SmartSockets and Enterprise Message Service are available to customers with current maintenance for the products from http://download.tibco.com. Updated ActiveMatrix bundles (that include an updated Enterprise Message Service product) are also available through the same channel. Copies of the latest version of SmartSockets Product Family Modules (RTworks) have been delivered on CD via overnight delivery to customers with current SmartSockets Product Family Modules (RTworks) maintenance.

Can I get the software update if I am not current on maintenance? What if I don't have access to the download site or to TIBCO Support?

Please contact TIBCO Support by telephone. Please reference SR_ID:1-8QTOKP in your communication to indicate the context of your request.

Do I need to upgrade all SmartSockets or SmartSockets Product Family Modules (RTworks) components?

TIBCO strongly recommends that customers upgrade all RTserver components and SmartSockets C client libraries. The RTserver and C client libraries are delivered in SmartSockets 5.x and 6.x and SmartSockets Product Family Modules (RTworks) 4.x.

The SmartSockets Java and C# client libraries are not affected.

Do I need to recompile and/or re-link my applications that use the SmartSockets C client libraries?

Customer applications using the C client libraries are open to two attack vectors. Use of the standard SmartSockets messaging API exposes client applications to an attack via data injection. Use of the TipcConnAccept API entry point exposes applications to a direct TCP attack.

A data injection attack requires that an attacker be able to insert data in the TCP communication channel between the SmartSockets Server and a client application, altering the client-server wire protocol. Customers should evaluate their network control and access policies to determine the exposure to a data injection attack.

Customer applications using the TipcConnAccept API entry point (which allows a SmartSockets client to accept connections from another application, much as the RTserver does) are directly exposed to rogue client connections exploiting the client-to-client TCP connection. The exposure to this defect can be mitigated with a firewall that limits the peer hosts allowed to initiate a connection to the TipcConnAccept application.

Customers whose risk analysis weighs to updating their C client libraries should follow these directions:

  • SmartSockets 6.x
    • Applications dynamically linked with the SmartSockets 6.x C client libraries should be restarted after the new client libraries have been installed.
    • Applications statically linked with the SmartSockets 6.x C client libraries should be re-linked and restarted.
  • SmartSockets 5.x
    • Applications dynamically linked with the SmartSockets 5.x C client libraries should be recompiled, and restarted after the new client libraries have been installed.
    • Applications statically linked with the SmartSockets 5.x C client libraries should be recompiled, re-linked and restarted.
  • SmartSockets Product Family Modules (RTworks) 4.x
    • Applications dynamically linked with the SmartSockets C client libraries provided in SmartSockets Product Family Modules (RTworks) 4.x should be restarted after the new client libraries have been installed.
    • Applications statically linked with the SmartSockets C client libraries provided in SmartSockets Product Family Modules (RTworks) 4.x should be re-linked and restarted.

Does the TipcConnAccept API entry point present any special problems?

Yes. As discussed above, use of TipcConnAccept exposes applications to direct TCP attack. Note that this call is not used as part of general SmartSockets messaging, and is thus less likely to be part of customer applications. As described above, the exposure to direct TCP attack against this API can be mitigated with a firewall.

Which SmartSockets add-on products are potentially affected?

TIBCO SmartSockets® Cache, TIBCO SmartSockets® Gateway, TIBCO SmartSockets® LiveWeb, and TIBCO SmartMQ™.

Do I need to upgrade the add-on products SmartSockets® Cache, SmartSockets® Gateway and SmartSockets® LiveWeb? How about SmartMQ™?

These products do not need to be upgraded, however the server processes (scache, rtgateway, rtweb, mqserver) need to be restarted after installing the new SmartSockets client libraries. Restarting will cause the server processes to dynamically load the new client libraries.

Do I need to upgrade the SmartSockets-to-RV bridge?

The bridge does not need to be upgraded, but the server process (rtgateway) needs to be restarted after installing the new SmartSockets client libraries. Restarting will cause the server process to dynamically load the new client libraries.

Which SmartSockets Product Family Modules (RTworks) add-on products are potentially affected?

TIBCO SmartSockets® RTarchive, TIBCO SmartSockets® RTplayback, TIBCO SmartSockets® RTdaq, TIBCO SmartSockets® RThci, and TIBCO SmartSockets® RTie.

Do I need to upgrade the add-on products SmartSockets® RTarchive, SmartSockets® RTplayback, SmartSockets® RTdaq, SmartSockets® RThci, and SmartSockets® RThci?

These products to not need to be upgraded, but the server processes (rtarchive, rtplayback, rtdaq, rthci, rtie) need to be restarted after installing the new SmartSockets client libraries. Restarting will cause the server processes to dynamically load the new client libraries.

What if I cannot upgrade SmartSockets or SmartSockets Product Family Modules (RTworks) at this time?

If you are not able to upgrade the SmartSockets or SmartSockets Product Family Modules (RTworks) at this time, you can limit your exposure to data injection attacks by securing TCP access to SmartSockets servers and clients. Applications using the TipcConnAccept API entry point can mitigate the risk of a rogue application exploiting the defect by limiting TCP access to the TipcConnAccept. This restriction can be implemented with a firewall configuration that allows only specific remote IP addresses to initiate a connection to the TipcConnAccept application, and physical security for the specified remote hosts.

What is the difference between RTworks, SmartSockets Product Family Modules, and SmartSockets?

The original RTworks product set was rebranded SmartSockets Product Family Modules as of version 4.0.0 in May 2001. RTworks and SmartSockets Product Family Modules are the same product line, but with a name change at version 4.0.0.

SmartSockets is a follow-on product line that was developed from the messaging component of the original RTworks product set.

Do I need to upgrade all Enterprise Message Service components?

Only the Enterprise Message Service server component (tibemsd) is affected; Enterprise Message Service client libraries are not affected. Only Enterprise Message Service servers that enable the internal SmartSockets support are at risk.

TIBCO strongly recommends that customers upgrade all Enterprise Message Service servers with versions between 4.0.0 and 4.4.1 in which the internal SmartSockets support is enabled. Enterprise Message Service servers prior to version 4.0.0 did not contain the SmartSockets support currently at issue.

Do I need to recompile and/or re-link applications that use the Enterprise Message Service client libraries?

No.

What if I cannot upgrade my Enterprise Message Service servers at this time?

The defect can be mitigated completely by disabling SmartSockets support in the Enterprise Message Service server. This is an administrative setting that can be updated without replacing the server by setting "tibss_transports" to "disabled" in the Enterprise Message Service server configuration file (tibemsd.conf).

Why can't I find a new Enterprise Message Service 4.4.2 release for OpenVMS, OS/400 or z/OS?

The OpenVMS, OS/400 and z/OS ports of Enterprise Message Service include only the Enterprise Message Service client library, and not the affected Enterprise Message Service server component. These ports are not impacted and do not need to be upgraded

Do these issues affect TIBCO Rendezvous®?

No.

Do I need to upgrade my TIBCO ActiveMatrix BusinessWorks™, TIBCO ActiveMatrix™ Service Grid, TIBCO ActiveMatrix™ Service Core or TIBCO ActiveMatrix™ Service Bus installation?

Each of these products installs a bundled version of TIBCO Enterprise Message Service. By default, the Enterprise Message Service server is configured with its SmartSockets support disabled; this completely mitigates the security issue. If you have proactively enabled SmartSockets within the Enterprise Message Service server, you can either disable this function (if you do not need Enterprise Message Service bridging to SmartSockets), or upgrade your Enterprise Message Service installation to the newly available version.

What other products are affected?

No other TIBCO products are affected.

How will customers who receive TIBCO software via OEM partners be affected?

Customers of OEM partners can receive new versions of TIBCO SmartSockets, SmartSockets Product Family Modules (RTworks) and Enterprise Message Service from their OEM partners. ActiveMatrix™ bundles have been updated to include the revised version of Enterprise Message Service. Please contact your OEM partner to upgrade.

What is TIBCO doing to prevent future security issues?

TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.

Where can I get more information?

The original product advisories can be accessed from http:/services/support/advisories

If you have a current maintenance contract with TIBCO, you can log a service request with TIBCO Global Support (please refer to SR_ID:1-8QTOKP) and then call your support telephone number. You can view product-specific Late Breaking News for SmartSockets (LBN1-8QTOJZ), SmartSockets Product Family Modules (RTworks) (LBN1-8QTOK9), and Enterprise Message Service (LBN1-8QTOKH) through the TIBCO Support Web .

---------------------