TIBCO Security Advisory: April 9, 2008 - TIBCO Enterprise Message Service™

Frequently Asked Questions

TIBCO Security Advisories for Rendezvous and Enterprise Message Service FAQ

Why are these advisories being issued?

Security vulnerabilities have been discovered in:

  • TIBCO Rendezvous®
  • TIBCO Rendezvous® for z/OS
  • TIBCO Rendezvous® Server In-Process Module Add-on
  • TIBCO Enterprise Message Service™

Impacted elements of the above products are included in or bundled with:

  • TIBCO Rendezvous® TX
  • TIBCO Rendezvous® DataSecurity
  • TIBCO Hawk®
  • TIBCO Runtime Agent™
    • Numerous TIBCO products bundle TIBCO Runtime Agent; please see the TIBCO Runtime Agent FAQ (below) for a complete list.
  • TIBCO Adapter™ for Files z/OS (MVS)
  • TIBCO Substation ES™
  • TIBCO iProcess™ Engine
  • TIBCO ActiveMatrix BusinessWorks™
  • TIBCO ActiveMatrix™ Service Grid
  • TIBCO ActiveMatrix™ Service Bus

Details for each product are included in the individual FAQs below.

What is the effect of the vulnerability?

The vulnerability could allow an attacker to execute arbitrary code, disclose information or deny service on an affected system. For details, please see the product advisories accessible from http://www.tibco.com/services/support/advisories/advisory_all.jsp .

Which customers are affected?

These issues may affect customers who own and use Rendezvous® or Enterprise Message Service™, either standalone or in conjunction with one of the products listed above. The specific impact, solution and mitigation possibilities are detailed in the individual FAQs below.

Where can I get software updates?

Customers with current maintenance can obtain product updates at http://download.tibco.com.

What if I am using TIBCO PortalBuilder®, TIBCO BusinessFactor®, TIBCO BusinessWorks™ Workflow (TIBCO BusinessWorks™ FormBuilder, TIBCO BusinessWorks™ Collaborator) in conjunction with WebLogic Server 8.x?

Please contact TIBCO Support for additional information.

How will customers who receive TIBCO software via OEM partners be affected?

Customers of OEM partners can receive new versions and bundles from their OEM partners. Please contact your OEM partner for updates.

Can I get the software update if I am not current on maintenance? What if I don't have access to the download site or to TIBCO Support?

Please contact TIBCO Support by telephone. Please reference SR_ID:1-8XJCNE in your communication to indicate the context of your request.

What is TIBCO doing to prevent future security issues?

TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.

Where can I get more information?

The original product advisories can be accessed from http:/services/support/advisories

Customers with a current maintenance contract with TIBCO can log a service request with TIBCO Global Support (please refer to SR_ID:1-8XJCNE) and then call your support telephone number. Maintenance customers can also view product-specific Late Breaking News (LBN1-8XJGBS) through the TIBCO Support Web.

TIBCO Rendezvous FAQ

Which versions of Rendezvous® are affected?

All versions of Rendezvous and Rendezvous® for z/OS (OS390) prior to 8.1.0 are affected.

Which components are affected?

These components are affected:

  • C client libraries
  • All daemons (rvd, rvsd, rvrd, rvsrd, rva, rvrad, rvcache)
  • Test programs (rvperfm, rvperfs)

The C++, Java and .NET client libraries are affected through their use of the C client libraries. The pure Java tibrjvweb.jar client library is not affected.

How should customers handle this issue?

Affected customers should update to the latest version of Rendezvous (8.1.0), available at http://download.tibco.com to customers with current maintenance for the product.

Do I need to update all Rendezvous components?

TIBCO strongly recommends that customers update all affected Rendezvous components outlined above.

Do I need to recompile and/or re-link my applications that use the Rendezvous C, Java or .NET client libraries?

Applications do not need to be recompiled, but they must be re-linked with the new client library versions:

  • Applications that are dynamically linked should be restarted after the new client libraries are installed.
  • Applications that are statically linked should be re-linked and restarted.
  • Java Virtual Machines hosting JNI-based Rendezvous client applications should be administered such that the updated Rendezvous C client libraries are reloaded.

Do I need to recompile and/or re-link my applications that use the Rendezvous C++ library?

C++ applications do not need to be recompiled, but they must be re-linked with the new C client libraries.

What if I cannot update Rendezvous at this time?

Customers not able to update Rendezvous at this time can limit their exposure by securing UDP and TCP access to Rendezvous daemons and TCP access to client applications.

Do I need to update the add-on product SmartSockets Rendezvous Adapter?

No, the adapter does not need to be updated, but the server process (rtgateway) needs to be restarted after installing the new Rendezvous C client library. Restarting will cause the server process to dynamically link the new client library.

Do I need to update InConcert®?

No, InConcert does not need to be updated, but its dependency on Rendezvous means that customers should update to the latest version of Rendezvous (8.1.0) and then restart the InConcert server and client applications.

TIBCO Rendezvous Server In-Process Module Add-on FAQ

Which versions of Rendezvous® Server In-Process Module Add-on are affected?

All versions of Rendezvous Server In-Process Module Add-on prior to 8.1.0 are affected.

Which components are affected?

The in-process module add-on library (libtibrvipm and libtibrvipm64) is affected.

How should customers handle this issue?

Affected customers should update to the latest version of Rendezvous Server In-Process Module Add-on (8.1.0), available at http://download.tibco.com to customers with current maintenance for the product.

Do I need to update other Rendezvous components?

Yes, TIBCO strongly recommends that customers update all affected Rendezvous components outlined in the Rendezvous FAQ (above).

Do I need to recompile and/or re-link my applications that use the Rendezvous Server In-Process Module Add-on?

Applications do not need to be recompiled. They pick up the new Rendezvous Server In-Process Module library version by being restarted after the new client library has been installed, which re-links them against it.

What if I cannot update Rendezvous Server In-Process Module Add-on at this time?

Customers not able to update Rendezvous Server In-Process Module Add-on at this time can limit their exposure by securing UDP access to applications built with the In-Process Module library.

TIBCO Rendezvous TX FAQ

Which versions of Rendezvous® TX are affected?

All versions of Rendezvous TX prior to 2.0.4 are affected.

Which components are affected?

The Rendezvous TX daemon (rvtxd) is affected.

How should customers handle this issue?

Affected customers should update to the latest version of Rendezvous TX (2.0.4), available at http://download.tibco.com to customers with current maintenance for the product.

Do I need to update other Rendezvous components?

Yes, TIBCO strongly recommends that customers update all affected Rendezvous components outlined in the Rendezvous FAQ (above).

Do I need to recompile and/or re-link my applications that use Rendezvous TX?

While the Rendezvous TX client library is not affected, applications must be re-linked (but not recompiled) with the new Rendezvous and Rendezvous TX client library versions:

  • Applications that are dynamically linked should be restarted after the new client libraries are installed.
  • Applications that are statically linked should be re-linked and restarted.
  • Java Virtual Machines hosting JNI-based Rendezvous client applications should be administered such that the updated Rendezvous and Rendezvous TX C client libraries are reloaded.

What if I cannot update Rendezvous TX at this time?

Customers not able to update Rendezvous TX at this time can limit their exposure by securing UDP and TCP access to Rendezvous daemons and TCP access to client applications.

TIBCO Rendezvous DataSecurity FAQ

Which versions of Rendezvous® DataSecurity are affected?

All versions of Rendezvous DataSecurity prior to 2.1.6 are affected.

Which components are affected?

The Rendezvous DataSecurity client library (libtibrvds) and daemon (rvacld) are affected.

How should customers handle this issue?

Affected customers should update to the latest version of Rendezvous DataSecurity (2.1.6), available at http://download.tibco.com to customers with current maintenance for the product. The update also uses an updated version of OpenSSL that addresses additional security issues; see www.openssl.org for more details.

Do I need to update other Rendezvous components?

Yes, TIBCO strongly recommends that customers update all affected Rendezvous components outlined in the Rendezvous FAQ (above).

Do I need to recompile and/or re-link my applications that use Rendezvous DataSecurity?

Applications do not need to be recompiled, but they must be re-linked with the new Rendezvous and Rendezvous DataSecurity client library versions:

  • Applications that are dynamically linked should be restarted after the new client libraries are installed.
  • Applications that are statically linked should be re-linked and restarted.
  • Java Virtual Machines hosting JNI-based Rendezvous client applications should be administered such that the updated Rendezvous and Rendezvous DataSecurity C client libraries are reloaded.
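The restart rule for dynamically linked applications appears in the Rendezvous FAQ, the Rendezvous TX FAQ and the Rendezvous DataSecurity FAQ above; the following POSIX shell check is an added example (not TIBCO tooling) of how an administrator can confirm it was actually carried out: on Linux, a process that still maps a library file that was replaced on disk shows that mapping with a "(deleted)" suffix in /proc/<pid>/maps, so every process listed is still running the old client library code. The library file-name pattern, the sample install paths and the sample maps lines are constructed assumptions, not values from the advisory.

```shell
#!/bin/sh
# Added example (not TIBCO's tooling): after the updated Rendezvous client
# libraries are installed, find processes that still have the OLD copy mapped.
# Linux appends "(deleted)" in /proc/<pid>/maps to a mapping whose file was
# replaced or removed after it was loaded, so each process reported here is
# a dynamically linked application that has not yet been restarted.
# Statically linked applications never appear here; they must be re-linked
# and restarted, tracked from build records instead.
#
# ASSUMPTION: LIB_PATTERN is a placeholder file-name pattern; the advisory
# names libtibrvipm, libtibrvipm64 and libtibrvds but not the core C library,
# so set it to whatever your installation actually ships.
LIB_PATTERN="${LIB_PATTERN:-libtibrv}"

# stale_mappings: read maps-format lines on stdin; print, once each, the
# paths of mapped files matching LIB_PATTERN that were replaced on disk.
stale_mappings() {
    awk -v pat="$LIB_PATTERN" '
        # columns: address perms offset dev inode pathname [(deleted)]
        NF >= 7 && $6 ~ pat && $NF == "(deleted)" { print $6 }
    ' | sort -u
}

# scan_processes: run stale_mappings over every readable /proc/<pid>/maps and
# report PID, command line and stale library paths. Returns 1 if anything
# stale was found (so a change-window script can gate on it), else 0.
scan_processes() {
    rc=0
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_mappings < "$maps" 2>/dev/null)
        [ -n "$stale" ] || continue
        rc=1
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf 'PID %s (%s) still maps replaced library:\n%s\n' \
            "$pid" "${cmd:-?}" "$stale"
    done
    return $rc
}

# Constructed sample maps content for an offline self-check: one process
# mapping a replaced libtibrv.so (two segments) and an intact libtibrvipm64.so.
SAMPLE_MAPS='7f1a00000000-7f1a00010000 r-xp 00000000 08:01 4242 /opt/tibco/tibrv/lib/libtibrv.so (deleted)
7f1a00020000-7f1a00030000 r-xp 00000000 08:01 4243 /lib/libc.so.6
7f1a00040000-7f1a00050000 r-xp 00000000 08:01 4244 /opt/tibco/tibrv/lib/libtibrvipm64.so
7f1a00060000-7f1a00070000 rw-p 00010000 08:01 4242 /opt/tibco/tibrv/lib/libtibrv.so (deleted)'

# self_check: stale_mappings on the sample must report exactly the replaced
# library, once. Returns 0 on success.
self_check() {
    out=$(printf '%s\n' "$SAMPLE_MAPS" | stale_mappings)
    [ "$out" = "/opt/tibco/tibrv/lib/libtibrv.so" ]
}

case "${1:-}" in
    --scan) scan_processes ;;                       # live scan of this host
    *)      self_check && echo "self-check passed" ;;
esac
```

Run it with `--scan` on each host after the library install and restart every process it lists; a clean run (exit status 0) is the evidence that the restart step of the advisory is complete.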

What if I cannot update Rendezvous DataSecurity at this time?

Customers not able to update Rendezvous DataSecurity at this time can limit their exposure by securing UDP and TCP access to Rendezvous daemons and TCP access to client applications.

TIBCO Enterprise Message Service FAQ

Which versions of Enterprise Message Service™ are affected?

All versions prior to Enterprise Message Service 4.4.3.

Which components are affected?

The Enterprise Message Service server (tibemsd) is the only affected component. The Enterprise Message Service client libraries are not affected. The server has both an intrinsic issue and an exposure through its static linkage of the Rendezvous (RV) client library.

How should customers handle this issue?

Affected customers should update to the latest version of Enterprise Message Service (4.4.3), available at http://download.tibco.com to customers with current maintenance for the product.

Do I need to update all Enterprise Message Service components?

TIBCO strongly recommends that customers update all Enterprise Message Service daemons.

Do I need to recompile and/or re-link my applications that use the Enterprise Message Service client libraries?

No, the Enterprise Message Service client libraries are not affected.

Why can't I find a new Enterprise Message Service 4.4.3 release for OpenVMS, i5/OS or z/OS?

The OpenVMS, i5/OS and z/OS ports of Enterprise Message Service are client-only releases, and are not affected by the security issue with the Enterprise Message Service server. These ports are not impacted and do not need to be upgraded.

What if I cannot update Enterprise Message Service at this time?

Customers not able to update Enterprise Message Service at this time can limit their exposure by securing TCP access to Enterprise Message Service servers.

TIBCO ActiveMatrix Service Grid and TIBCO ActiveMatrix Service Bus FAQ

Which versions of ActiveMatrix™ Service Grid and ActiveMatrix™ Service Bus are affected?

All versions prior to 2.0.2.

Which components are affected?

ActiveMatrix Service Grid and ActiveMatrix Service Bus each have an indirect exposure to issues with TIBCO Rendezvous via the optional TIBCO ActiveMatrix Service Grid Adapter Binding Engine, and a direct exposure to issues with TIBCO Enterprise Message Service.

How should customers handle this issue?

Customers using the ActiveMatrix Service Grid Adapter Binding Engine should update to the latest version of ActiveMatrix Service Grid (2.0.2) or ActiveMatrix Service Bus (2.0.2), as well as the latest version of Rendezvous (8.1.0). It is critical that the ActiveMatrix products and Rendezvous be updated in parallel.

Customers not using the ActiveMatrix Service Grid Adapter Binding Engine, and thus not using Rendezvous, do not need to update ActiveMatrix Service Grid or ActiveMatrix Service Bus.

All ActiveMatrix Service Grid and ActiveMatrix Service Bus customers should update to the latest version of Enterprise Message Service (4.4.3).

All product updates are available at http://download.tibco.com to customers with current maintenance for the products. Customers will find the Enterprise Message Service update as part of their ActiveMatrix download, and the Rendezvous update as part of the TIBCO Runtime Agent update available with their adapter download.

What if I cannot update ActiveMatrix Service Grid or ActiveMatrix Service Bus at this time?

Customers not able to update ActiveMatrix Service Grid or ActiveMatrix Service Bus at this time can limit their exposure by (1) ceasing use of the Adapter Binding Component and its underlying Rendezvous communication, and (2) securing TCP access to the ActiveMatrix Service Grid, ActiveMatrix Service Bus and any connected adapters. Customers not able to update Enterprise Message Service at this time can limit their exposure by securing TCP access to Enterprise Message Service servers.

TIBCO Runtime Agent FAQ

Which versions of TIBCO Runtime Agent are affected?

All versions prior to 5.5.4.

Which components are affected?

TIBCO Runtime Agent provides a complete install of Rendezvous, whose client libraries and daemons are at issue. See the Rendezvous FAQ (above) for more details.

Products that include TIBCO Runtime Agent with their download include:

  • TIBCO ActiveMatrix BusinessWorks™
  • TIBCO Adapter™ for ActiveDatabase
  • TIBCO Adapter™ for CICS
  • TIBCO Adapter™ for Clarify
  • TIBCO Adapter™ for COM
  • TIBCO Adapter™ for CORBA
  • TIBCO Adapter™ for EJB
  • TIBCO Adapter™ for Files (Unix/Win)
  • TIBCO Adapter™ for IBM AS/400
  • TIBCO Adapter™ for Infranet
  • TIBCO Adapter™ for JDE OneWorld Xe
  • TIBCO Adapter™ for Kenan BP
  • TIBCO Adapter™ for LDAP
  • TIBCO Adapter™ for Lotus Notes
  • TIBCO Adapter™ for MQSeries
  • TIBCO Adapter™ for Oracle Applications
  • TIBCO Adapter™ for PeopleSoft
  • TIBCO Adapter™ for R3 (SAP)
  • TIBCO Adapter™ for Remedy
  • TIBCO Adapter™ for Siebel
  • TIBCO Adapter™ for SWIFT
  • TIBCO Adapter™ for Teradata
  • TIBCO Adapter™ for Tuxedo
  • TIBCO Adapter™ SDK
  • TIBCO BusinessConnect™
  • TIBCO BusinessEvents™ Enterprise Edition
  • TIBCO BusinessEvents™ Inference Edition
  • TIBCO BusinessFactor®
  • TIBCO BusinessWorks™ SmartMapper Enterprise Server
  • TIBCO Enterprise Management Advisor™
  • TIBCO Hawk®
  • TIBCO iProcess™ Insight
  • TIBCO PortalBuilder®
  • TIBCO RFID Interchange™

How should customers handle this issue?

Affected customers should update to the latest version of TIBCO Runtime Agent (5.5.4), available at http://download.tibco.com to customers with current maintenance for the product. The update will install the updated version of Rendezvous (8.1.0) and, on Solaris, Windows and Linux, an updated Java Runtime Environment (JRE 1.5 Update 15). See TIBCO LBN1-8VOM6F for more detail on the Java Runtime Environment issues. The update also uses an updated version of OpenSSL that addresses additional security issues; see www.openssl.org for more details.

What if I cannot update TIBCO Runtime Agent at this time?

Customers not able to update TIBCO Runtime Agent at this time can limit their exposure by securing UDP and TCP access to all Rendezvous daemons and TCP access to any products or applications that utilize the Rendezvous client libraries.

TIBCO Adapter for Files z/OS (MVS) FAQ

Which versions of Adapter™ for Files z/OS are affected?

All versions prior to 4.4.1.

Which components are affected?

Adapter for Files z/OS has an exposure through its static linkage with the Rendezvous client library. See the Rendezvous FAQ (above) for more details.

How should customers handle this issue?

Affected customers should update to the latest version of Adapter for Files z/OS (4.4.1), available at http://download.tibco.com to customers with current maintenance for the product. The update is linked with the revised Rendezvous client library.

Do I need to update other Rendezvous components?

Yes, TIBCO strongly recommends that customers update all affected Rendezvous components outlined in the Rendezvous FAQ (above).

What if I cannot update Adapter for Files z/OS at this time?

Customers not able to update Adapter for Files z/OS at this time can limit their exposure by securing TCP access to Adapter for Files z/OS.

TIBCO Substation ES FAQ

Which versions of Substation ES™ are affected?

All versions prior to 2.4.0.

Which components are affected?

Substation ES has an exposure through the installation of bundled TIBCO Rendezvous daemons and a statically linked Rendezvous client library. See the Rendezvous FAQ (above) for more details.

How should customers handle this issue?

Affected customers should update to the latest version of Substation ES (2.4.0), available at http://download.tibco.com to customers with current maintenance for the product. The update is linked with the revised Rendezvous client library and will provide an installation of the revised Rendezvous daemons.

Do I need to update other Rendezvous components?

Yes, TIBCO strongly recommends that customers update all affected Rendezvous components outlined in the Rendezvous FAQ (above).

What if I cannot update Substation ES at this time?

Customers not able to update Substation ES at this time can limit their exposure by securing UDP and TCP access to Rendezvous daemons and TCP access to Substation ES.

TIBCO iProcess Engine FAQ

Which versions of iProcess™ Engine are affected?

All 10.3.x, 10.5.x and 10.6.x versions prior to 10.6.2.

Which components are affected?

iProcess Engine has an exposure through its static linkage of the RV client library, its bundled Rendezvous software installation (itself bundled within a Hawk installation), and its bundled TIBCO Enterprise Message Service installation. The Rendezvous client library is present in iProcess Engine 10.3.0 and up; the full Rendezvous installation is present in iProcess 10.6.0 and up; the Enterprise Message Service installation is present in iProcess Engine 10.6.0 and up. See the TIBCO Rendezvous FAQ (above) and TIBCO Enterprise Message Service FAQ (above) for more details.

How should customers handle this issue?

Affected customers should update to the latest version of iProcess Engine (10.6.2), available at http://download.tibco.com to customers with current maintenance for the product. The new release will update the statically linked Rendezvous client library, and the bundled Rendezvous and Enterprise Message Service software installations.

What if I cannot update iProcess Engine at this time?

Customers not able to update iProcess Engine at this time can limit their exposure by securing TCP access to iProcess and Enterprise Message Service servers.

TIBCO ActiveMatrix BusinessWorks FAQ

Which versions of ActiveMatrix BusinessWorks™ are affected?

All versions 5.6.1 and earlier.

Which components are affected?

ActiveMatrix BusinessWorks has an indirect exposure to issues with TIBCO Rendezvous via the bundled TIBCO ActiveMatrix BusinessWorks™ Service Engine and TIBCO Runtime Agent, and a direct exposure to issues with TIBCO Enterprise Message Service.

How should customers handle this issue?

Affected customers should update to the latest version of TIBCO Runtime Agent (5.5.4). Those customers utilizing the ActiveMatrix BusinessWorks Service Engine and Enterprise Message Service must also update to the latest versions of ActiveMatrix BusinessWorks Service Engine (5.6.2) and Enterprise Message Service (4.4.3). All three updates are available at http://download.tibco.com to customers with current maintenance for the product.

What if I cannot update ActiveMatrix BusinessWorks at this time?

Customers not able to update ActiveMatrix BusinessWorks at this time can limit their exposure by securing TCP access to ActiveMatrix BusinessWorks, Enterprise Message Service servers, and any component with which ActiveMatrix BusinessWorks communicates via Rendezvous.
