Security vulnerabilities have been discovered in TIBCO SmartSockets® 5.x and 6.x and TIBCO SmartSockets® Product Family Modules (formerly RTworks) 4.x. The SmartSockets® client libraries are dynamically linked in add-on products such as TIBCO SmartSockets® Cache, TIBCO SmartMQ™ and TIBCO SmartSockets® RTie, and are statically linked in the server component of TIBCO Enterprise Message Service™ 4.0.0 through 4.4.1.
These issues affect customers who own and use SmartSockets® or SmartSockets® Product Family Modules (RTworks), either standalone or in conjunction with Enterprise Message Service™. These issues also affect customers who use add-on products such as SmartSockets® Cache, SmartMQ™ and SmartSockets® RTie.
The vulnerabilities potentially affect customers running any version of SmartSockets 5.x or 6.x, or SmartSockets Product Family Modules (RTworks) 4.x. Enterprise Message Service 4.0.0 through 4.4.1 (installed standalone or as part of an ActiveMatrix bundle) may be impacted when used in conjunction with SmartSockets; Enterprise Message Service installations are only affected if the customer also owns TIBCO SmartSockets and has enabled the Enterprise Message Service server's SmartSockets support.
The server component (RTserver) and C client libraries of both SmartSockets and SmartSockets Product Family Modules (RTworks) are affected.
Add-on products such as SmartSockets Cache, SmartMQ and SmartSockets RTie are impacted through their linking of the SmartSockets client libraries. A complete list of affected SmartSockets and SmartSockets Product Family Modules (RTworks) add-on products can be found in the FAQ below.
The server component (tibemsd) of Enterprise Message Service is affected in installations where SmartSockets support has been enabled.
The vulnerability could allow an attacker to execute arbitrary code on an affected system. For details, please see the product advisories accessible from http:/services/support/advisories.
Affected customers should upgrade to the latest version of TIBCO SmartSockets (6.8.1), TIBCO SmartSockets Product Family Modules, formerly RTworks (4.0.4), and Enterprise Message Service (4.4.2). SmartSockets and Enterprise Message Service are available to customers with current maintenance for the products from http://download.tibco.com. Updated ActiveMatrix bundles (that include an updated Enterprise Message Service product) are also available through the same channel. Copies of the latest version of SmartSockets Product Family Modules (RTworks) have been delivered on CD via overnight delivery to customers with current SmartSockets Product Family Modules (RTworks) maintenance.
Please contact TIBCO Support by telephone and reference SR_ID:1-8QTOKP in your communication to indicate the context of your request.
TIBCO strongly recommends that customers upgrade all RTserver components and SmartSockets C client libraries. The RTserver and C client libraries are delivered in SmartSockets 5.x and 6.x and SmartSockets Product Family Modules (RTworks) 4.x.
The SmartSockets Java and C# client libraries are not affected.
Customer applications using the C client libraries are open to two attack vectors. Use of the standard SmartSockets messaging API exposes client applications to an attack via data injection. Use of the TipcConnAccept API entry point exposes applications to a direct TCP attack.
A data injection attack requires that an attacker be able to insert data in the TCP communication channel between the SmartSockets Server and a client application, altering the client-server wire protocol. Customers should evaluate their network control and access policies to determine the exposure to a data injection attack.
Customer applications using the TipcConnAccept API entry point (which allows a SmartSockets client to accept connections from another application, much as the RTserver does) are directly exposed to rogue client connections exploiting the client-to-client TCP connection. The exposure to this defect can be mitigated with a firewall that limits the peer hosts allowed to initiate a connection to the TipcConnAccept application.
Customers whose risk analysis weighs in favor of updating their C client libraries should follow these directions:
Yes. As discussed above, use of TipcConnAccept exposes applications to direct TCP attack. Note that this call is not used as part of general SmartSockets messaging, and is thus less likely to be part of customer applications. As described above, the exposure to direct TCP attack against this API can be mitigated with a firewall.
TIBCO SmartSockets® Cache, TIBCO SmartSockets® Gateway, TIBCO SmartSockets® LiveWeb, and TIBCO SmartMQ™.
These products do not need to be upgraded; however, the server processes (scache, rtgateway, rtweb, mqserver) need to be restarted after installing the new SmartSockets client libraries. Restarting will cause the server processes to dynamically load the new client libraries.
The bridge does not need to be upgraded, but the server process (rtgateway) needs to be restarted after installing the new SmartSockets client libraries. Restarting will cause the server process to dynamically load the new client libraries.
TIBCO SmartSockets® RTarchive, TIBCO SmartSockets® RTplayback, TIBCO SmartSockets® RTdaq, TIBCO SmartSockets® RThci, and TIBCO SmartSockets® RTie.
These products do not need to be upgraded, but the server processes (rtarchive, rtplayback, rtdaq, rthci, rtie) need to be restarted after installing the new SmartSockets client libraries. Restarting will cause the server processes to dynamically load the new client libraries.
If you are not able to upgrade the SmartSockets or SmartSockets Product Family Modules (RTworks) at this time, you can limit your exposure to data injection attacks by securing TCP access to SmartSockets servers and clients. Applications using the TipcConnAccept API entry point can mitigate the risk of a rogue application exploiting the defect by limiting TCP access to the TipcConnAccept. This restriction can be implemented with a firewall configuration that allows only specific remote IP addresses to initiate a connection to the TipcConnAccept application, and physical security for the specified remote hosts.
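One way to implement the firewall restriction described above for a TipcConnAccept application, as an added example that is not part of TIBCO's advisory: a POSIX shell function that emits iptables rules allowing only named peer hosts to initiate TCP connections to the port on which the TipcConnAccept application listens, and dropping every other source. The port number (5555) and the peer addresses are constructed sample values; a real TipcConnAccept application listens on whatever port it was configured with, and the rules apply only to a Linux host running iptables.

```shell
#!/bin/sh
# Emit iptables rules that let only named peer hosts open TCP connections to the
# port on which a TipcConnAccept application listens; all other sources are
# dropped.  The rules are printed, not applied, so they can be reviewed and then
# piped to sh as root on the Linux host running the application.
#
# Usage: tipc_allowlist_rules <listen-port> <peer-ip> [<peer-ip> ...]
tipc_allowlist_rules() {
    port="$1"
    shift
    # Reject anything that is not a TCP port number in 1..65535.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    if [ "$#" -lt 1 ]; then
        echo "at least one peer address is required" >&2
        return 1
    fi
    # One ACCEPT per permitted peer, matching only connection attempts (SYN).
    for peer in "$@"; do
        echo "iptables -A INPUT -p tcp --syn --dport $port -s $peer -j ACCEPT"
    done
    # Default deny for every other source trying to reach the listener.
    echo "iptables -A INPUT -p tcp --syn --dport $port -j DROP"
}

# Constructed sample: a TipcConnAccept application listening on TCP 5555 that
# should only be reachable from two documentation-range (192.0.2.0/24) hosts.
tipc_allowlist_rules 5555 192.0.2.10 192.0.2.11
```

The rules are appended to the INPUT chain in order, so the per-peer ACCEPT lines must precede the final DROP; the function guarantees that ordering. Physical security of the permitted peer hosts, as the advisory notes, remains a separate requirement that no packet filter can supply.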
The original RTworks product set was rebranded SmartSockets Product Family Modules as of version 4.0.0 in May 2001. RTworks and SmartSockets Product Family Modules are the same product line, but with a name change at version 4.0.0.
SmartSockets is a follow-on product line that was developed from the messaging component of the original RTworks product set.
Only the Enterprise Message Service server component (tibemsd) is affected; Enterprise Message Service client libraries are not affected. Only Enterprise Message Service servers that enable the internal SmartSockets support are at risk.
TIBCO strongly recommends that customers upgrade all Enterprise Message Service servers with versions between 4.0.0 and 4.4.1 in which the internal SmartSockets support is enabled. Enterprise Message Service servers prior to version 4.0.0 did not contain the SmartSockets support currently at issue.
The defect can be mitigated completely by disabling SmartSockets support in the Enterprise Message Service server. This is an administrative setting that can be updated without replacing the server by setting "tibss_transports" to "disabled" in the Enterprise Message Service server configuration file (tibemsd.conf).
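An administrator who has to confirm the tibemsd.conf mitigation across several Enterprise Message Service servers can check the setting mechanically. The following POSIX shell script is an added example, not TIBCO's code: it reads a tibemsd.conf, reports the effective tibss_transports value, and succeeds only when that value is exactly "disabled". The sample configuration files it writes are constructed for the demonstration, and the assumption that a repeated key's last occurrence takes effect is the script's own, not something the advisory states.

```shell
#!/bin/sh
# Audit a tibemsd.conf for the tibss_transports setting that the advisory names
# as the mitigation.  Prints the last uncommented value found, or "unset" when
# the key does not appear; anything other than "disabled" means the server
# still loads its SmartSockets support and is in scope for the advisory.
tibss_transports_setting() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    # Strip '#' comments first, then capture the value after 'tibss_transports ='.
    # Assumption (not stated in the advisory): if the key is repeated, the last
    # occurrence is the one that takes effect.
    value=$(sed -n \
        -e 's/#.*//' \
        -e 's/^[[:space:]]*tibss_transports[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$conf" | tail -n 1)
    echo "${value:-unset}"
}

# Succeeds (exit 0) only when the mitigation is in place.  The comparison is
# exact: the advisory says to set the value to "disabled", so nothing else
# is treated as mitigated.
smartsockets_support_disabled() {
    [ "$(tibss_transports_setting "$1")" = "disabled" ]
}

# Constructed sample configuration files (not TIBCO's shipped tibemsd.conf),
# written into the directory given as $1.
make_sample_confs() {
    dir="$1"
    cat > "$dir/enabled.conf" <<'EOF'
listen = tcp://7222
# tibss_transports = disabled   (commented out: must be ignored)
tibss_transports = enabled
EOF
    cat > "$dir/disabled.conf" <<'EOF'
listen = tcp://7222
tibss_transports = disabled     # bridge to SmartSockets switched off
EOF
    cat > "$dir/unset.conf" <<'EOF'
listen = tcp://7222
EOF
}

# Walk the samples and report each one, as an administrator would over a
# fleet of tibemsd.conf files collected from the servers.
sample_dir=$(mktemp -d)
make_sample_confs "$sample_dir"
for f in "$sample_dir"/*.conf; do
    if smartsockets_support_disabled "$f"; then
        echo "$f: tibss_transports=$(tibss_transports_setting "$f") -> mitigated"
    else
        echo "$f: tibss_transports=$(tibss_transports_setting "$f") -> AT RISK"
    fi
done
rm -r "$sample_dir"
```

A file in which the key is absent is reported as "unset" rather than as mitigated, since the advisory gives the default only for the ActiveMatrix-bundled servers; such a server should be treated as at risk until its effective setting is confirmed.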
The OpenVMS, OS/400 and z/OS ports of Enterprise Message Service include only the Enterprise Message Service client library, and not the affected Enterprise Message Service server component. These ports are not impacted and do not need to be upgraded.
Each of these products installs a bundled version of TIBCO Enterprise Message Service. By default, the Enterprise Message Service server is configured with its SmartSockets support disabled; this completely mitigates the security issue. If you have proactively enabled SmartSockets within the Enterprise Message Service server, you can either disable this function (if you do not need Enterprise Message Service bridging to SmartSockets), or upgrade your Enterprise Message Service installation to the newly available version.
No other TIBCO products are affected.
Customers of OEM partners can receive new versions of TIBCO SmartSockets, SmartSockets Product Family Modules (RTworks) and Enterprise Message Service from their OEM partners. ActiveMatrix™ bundles have been updated to include the revised version of Enterprise Message Service. Please contact your OEM partner to upgrade.
TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.
The original product advisories can be accessed from http:/services/support/advisories.
If you have a current maintenance contract with TIBCO, you can log a service request with TIBCO Global Support (please refer to SR_ID:1-8QTOKP) and then call your support telephone number. You can view product-specific Late Breaking News for SmartSockets (LBN1-8QTOJZ), SmartSockets Product Family Modules (RTworks) (LBN1-8QTOK9), and Enterprise Message Service (LBN1-8QTOKH) through the TIBCO Support Web site.