Security vulnerabilities have been discovered in:
Impacted elements of the above products are included in or bundled with:
Details for each product are included in the individual FAQ below.
The vulnerability could allow an attacker to execute arbitrary code, disclose information or deny service on an affected system. For details, please see the product advisories.
These issues may affect customers who own and use Rendezvous® or Enterprise Message Service™, either standalone, or in conjunction with one of the products listed above. The specific impact, solution and mitigation possibilities are detailed in individual FAQ below.
Customers with current maintenance can obtain product updates at http://download.tibco.com.
Please contact TIBCO Support for additional information.
Customers of OEM partners can receive new versions and bundles from their OEM partners. Please contact your OEM partner for updates.
Please contact TIBCO Support by telephone. Please reference SR_ID:1-8XJCNE in your communication to indicate the context of your request.
TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.
The original product advisories can be accessed from http:/services/support/advisories
Customers with a current maintenance contract with TIBCO can log a service request with TIBCO Global Support (please refer to SR_ID:1-8XJCNE) and then call your support telephone number. Maintenance customers can also view product-specific Late Breaking News (LBN1-8XJGBS) through the TIBCO Support Web.
All versions of Rendezvous and Rendezvous® for z/OS (OS390) prior to 8.1.0 are affected.
These components are affected:
The C++, Java and .NET client libraries are affected through their use of the C client libraries. The pure Java tibrjvweb.jar client library is not affected.
Affected customers should update to the latest version of Rendezvous (8.1.0), available at http://download.tibco.com to customers with current maintenance for the product.
TIBCO strongly recommends that customers update all affected Rendezvous components outlined above.
Applications do not need to be recompiled, but they must be re-linked with the new client library versions:
C++ applications do not need to be recompiled, but they must be re-linked with the new C client libraries.
Customers not able to update Rendezvous at this time can limit their exposure by securing UDP and TCP access to Rendezvous daemons and TCP access to client applications.
No, the adapter does not need to be updated, but the server process (rtgateway) needs to be restarted after installing the new Rendezvous C client library. Restarting will cause the server process to dynamically link the new client library.
No, InConcert does not need to be updated, but its dependency on Rendezvous indicates that customers should update to the latest version of Rendezvous (8.1.0) and then restart the InConcert server and client applications.
All versions of Rendezvous Server In-Process Module Add-on prior to 8.1.0 are affected.
The in-process module add-on library (libtibrvipm and libtibrvipm64) is affected.
Affected customers should update to the latest version of Rendezvous Server In-Process Module Add-on (8.1.0), available at http://download.tibco.com to customers with current maintenance for the product.
Yes, TIBCO strongly recommends that customers update all affected Rendezvous components outlined in the Rendezvous FAQ (above).
Applications do not need to be recompiled, but they must be re-linked with the new Rendezvous Server In-Process Module library version by restarting the application after the new client library has been installed.
Customers not able to update Rendezvous Server In-Process Module Add-on at this time can limit their exposure by securing UDP access to applications built with the In-Process Module library.
All versions of Rendezvous TX prior to 2.0.4 are affected.
The Rendezvous TX daemon (rvtxd) is affected.
Affected customers should update to the latest version of Rendezvous TX (2.0.4), available at http://download.tibco.com to customers with current maintenance for the product.
Yes, TIBCO strongly recommends that customers update all affected Rendezvous components outlined in the Rendezvous FAQ (above).
While the Rendezvous TX client library is not affected, applications must be re-linked (but not recompiled) with the new Rendezvous and Rendezvous TX client library versions:
Customers not able to update Rendezvous TX at this time can limit their exposure by securing UDP and TCP access to Rendezvous daemons and TCP access to client applications.
All versions of Rendezvous DataSecurity prior to 2.1.6 are affected.
The Rendezvous DataSecurity client library (libtibrvds) and daemon (rvacld) are affected.
Affected customers should update to the latest version of Rendezvous DataSecurity (2.1.6), available at http://download.tibco.com to customers with current maintenance for the product. The update also uses an updated version of OpenSSL that addresses additional security issues; see www.openssl.org for more details.
Yes, TIBCO strongly recommends that customers update all affected Rendezvous components outlined in the Rendezvous FAQ (above).
Applications do not need to be recompiled, but they must be re-linked with the new Rendezvous and Rendezvous DataSecurity client library versions:
Customers not able to update Rendezvous DataSecurity at this time can limit their exposure by securing UDP and TCP access to Rendezvous daemons and TCP access to client applications.
All versions prior to Enterprise Message Service 4.4.3.
The Enterprise Message Service server (tibemsd) is the only affected component. The Enterprise Message Service client libraries are not affected. The server has both an intrinsic issue and an exposure through its static linkage of the RV client library.
Affected customers should update to the latest version of Enterprise Message Service (4.4.3), available at http://download.tibco.com to customers with current maintenance for the product.
TIBCO strongly recommends that customers update all Enterprise Message Service daemons.
No, the Enterprise Message Service client libraries are not affected.
The OpenVMS, i5/OS and z/OS ports of Enterprise Message Service are client-only releases, and are not affected by the security issue with the Enterprise Message Service server. These ports are not impacted and do not need to be upgraded.
Customers not able to update Enterprise Message Service at this time can limit their exposure by securing TCP access to Enterprise Message Service servers.
All versions prior to 2.0.2.
ActiveMatrix Service Grid and ActiveMatrix Service Bus each have an indirect exposure to issues with TIBCO Rendezvous via the optional TIBCO ActiveMatrix Service Grid Adapter Binding Engine, and a direct exposure to issues with TIBCO Enterprise Message Service.
Customers using the ActiveMatrix Service Grid Adapter Binding Engine should update to the latest version of ActiveMatrix Service Grid (2.0.2) or ActiveMatrix Service Bus (2.0.2), as well as the latest version of Rendezvous (8.1.0). It is critical that the ActiveMatrix products and Rendezvous be updated in parallel.
Customers not using the ActiveMatrix Service Grid Adapter Binding Engine, and thus not using Rendezvous, do not need to update ActiveMatrix Service Grid or ActiveMatrix Service Bus.
All ActiveMatrix Service Grid and ActiveMatrix Service Bus customers should update to the latest version of Enterprise Message Service (4.4.3).
All product updates are available at http://download.tibco.com to customers with current maintenance for the products. Customers will find the Enterprise Message Service update as part of their ActiveMatrix download, and the Rendezvous update as part of the TIBCO Runtime Agent update available with their adapter download.
Customers not able to update ActiveMatrix Service Grid or ActiveMatrix Service Bus at this time can limit their exposure by (1) ceasing use of the Adapter Binding Component and its underlying Rendezvous communication, and (2) securing TCP access to the ActiveMatrix Service Grid, ActiveMatrix Service Bus and any connected adapters. Customers not able to update Enterprise Message Service at this time can limit their exposure by securing TCP access to Enterprise Message Service servers.
All versions prior to 5.5.4.
TIBCO Runtime Agent provides a complete install of Rendezvous, whose client libraries and daemons are at issue. See the Rendezvous FAQ (above) for more details.
Products that include TIBCO Runtime Agent with their download include:
Affected customers should update to the latest version of TIBCO Runtime Agent (5.5.4), available at http://download.tibco.com to customers with current maintenance for the product. The update will install the updated version of Rendezvous (8.1.0), and on Solaris, Windows and Linux, an updated Java Runtime Environment (JRE 1.5 Update 15). See TIBCO LBN1-8VOM6F for more detail on the Java Runtime Environment issues. The update also uses an updated version of OpenSSL that addresses additional security issues; see www.openssl.org for more details.
Customers not able to update TIBCO Runtime Agent at this time can limit their exposure by securing UDP and TCP access to all Rendezvous daemons and TCP access to any products or applications that utilize the Rendezvous client libraries.
All versions prior to 4.4.1.
Adapter for Files z/OS has an exposure through its static linkage with the Rendezvous client library. See the Rendezvous FAQ (above) for more details.
Affected customers should update to the latest version of Adapter for Files z/OS (4.4.1), available at http://download.tibco.com to customers with current maintenance for the product. The update is linked with the revised Rendezvous client library.
Yes, TIBCO strongly recommends that customers update all affected Rendezvous components outlined in the Rendezvous FAQ (above).
Customers not able to update Adapter for Files z/OS at this time can limit their exposure by securing TCP access to Adapter for Files z/OS.
All versions prior to 2.4.0.
Substation ES has an exposure through the installation of bundled TIBCO Rendezvous daemons and a statically linked Rendezvous client library. See the Rendezvous FAQ (above) for more details.
Affected customers should update to the latest version of Substation ES (2.4.0), available at http://download.tibco.com to customers with current maintenance for the product. The update is linked with the revised Rendezvous client library and will provide an installation of the revised Rendezvous daemons.
Yes, TIBCO strongly recommends that customers update all affected Rendezvous components outlined in the Rendezvous FAQ (above).
Customers not able to update Substation ES at this time can limit their exposure by securing UDP and TCP access to Rendezvous daemons and TCP access to Substation ES.
All 10.3.x, 10.5.x and 10.6.x versions prior to 10.6.2.
iProcess Engine has an exposure through its static linkage of the RV client library, its bundled Rendezvous software installation (itself bundled within a Hawk installation), and its bundled TIBCO Enterprise Message Service installation. The Rendezvous client library is present in iProcess Engine 10.3.0 and up; the full Rendezvous installation is present in iProcess 10.6.0 and up; the Enterprise Message Service installation is present in iProcess Engine 10.6.0 and up. See the TIBCO Rendezvous FAQ (above) and TIBCO Enterprise Message Service FAQ (above) for more details.
Affected customers should update to the latest version of iProcess Engine (10.6.2), available at http://download.tibco.com to customers with current maintenance for the product. The new release will update the statically linked Rendezvous client library, and the bundled Rendezvous and Enterprise Message Service software installations.
Customers not able to update iProcess Engine at this time can limit their exposure by securing TCP access to iProcess and Enterprise Message Service servers.
All versions 5.6.1 and earlier.
ActiveMatrix BusinessWorks has an indirect exposure to issues with TIBCO Rendezvous via the bundled TIBCO ActiveMatrix BusinessWorks™ Service Engine and TIBCO Runtime Agent, and a direct exposure to issues with TIBCO Enterprise Message Service.
Affected customers should update to the latest version of TIBCO Runtime Agent (5.5.4). Those customers utilizing the ActiveMatrix BusinessWorks Service Engine and Enterprise Message Service must also update to the latest versions of ActiveMatrix BusinessWorks Service Engine (5.6.2) and Enterprise Message Service (4.4.3). All three updates are available at http://download.tibco.com to customers with current maintenance for the product.
Customers not able to update ActiveMatrix BusinessWorks at this time can limit their exposure by securing TCP access to ActiveMatrix BusinessWorks, Enterprise Message Service servers, and any component with which ActiveMatrix BusinessWorks communicates via Rendezvous.
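The FAQ above gives a fixed version for each product but leaves the reader to compare it against what is deployed. The following triage helper is an added example, not TIBCO's code: it collects the fixed versions stated in this FAQ and flags inventory entries that are still at an affected version. The inventory hostnames and versions are constructed for the demonstration.

```python
# Added example, not from the TIBCO advisory: flag inventoried components whose
# version the advisory lists as affected. Fixed versions are the advisory's own.
import re

FIXED_VERSIONS = {
    "Rendezvous": "8.1.0",
    "Rendezvous Server In-Process Module Add-on": "8.1.0",
    "Rendezvous TX": "2.0.4",
    "Rendezvous DataSecurity": "2.1.6",
    "Enterprise Message Service": "4.4.3",
    "ActiveMatrix Service Grid": "2.0.2",
    "ActiveMatrix Service Bus": "2.0.2",
    "TIBCO Runtime Agent": "5.5.4",
    "Adapter for Files z/OS": "4.4.1",
    "Substation ES": "2.4.0",
    "iProcess Engine": "10.6.2",
    "ActiveMatrix BusinessWorks Service Engine": "5.6.2",
}

def parse_version(text):
    """Turn '8.1.0' or '10.6' into a comparable tuple padded to three parts.
    A hotfix suffix such as '_HF1' is ignored: a hotfix on an unfixed base
    version is still unfixed."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(product, version):
    """True if `version` precedes the advisory's fixed version for `product`."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError("product not covered by this advisory: %r" % product)
    return parse_version(version) < parse_version(fixed)

def triage(inventory):
    """Return the (host, product, version) entries that still need the update."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]

# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("rvd-01", "Rendezvous", "8.0.1"),
    ("rvd-02", "Rendezvous", "8.1.0"),
    ("ems-01", "Enterprise Message Service", "4.4.2"),
    ("ipe-01", "iProcess Engine", "10.6"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(host, product, version, "-> update to", FIXED_VERSIONS[product])
```

Products the FAQ only covers indirectly (for example ActiveMatrix BusinessWorks, whose fix is the Runtime Agent and Service Engine updates) are deliberately not in the table and raise KeyError rather than silently passing.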