Security vulnerabilities have been discovered in:
Impacted elements of the above products are included in or bundled with:
Details for each product are included in individual FAQ below.
The vulnerability could allow an attacker to execute arbitrary code, disclose information or deny service on an affected system. For details, please see the product advisories.
These issues may affect customers who own and use Hawk®, either standalone, or in conjunction with one of the products listed above. The specific impact, solution and mitigation possibilities are detailed in individual FAQ below.
Customers with current maintenance can obtain product updates at http://download.tibco.com.
Customers of OEM partners can receive new versions and bundles from their OEM partners. Please contact your OEM partner for updates.
Please contact TIBCO Support by telephone. Please reference SR_ID:1-93UB1R in your communication to indicate the context of your request.
TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.
The original product advisories can be accessed from http:/services/support/advisories. Customers with a current maintenance contract with TIBCO can log a service request with TIBCO Global Support (please refer to SR_ID:1-93UB1R) and then call your support telephone number. Maintenance customers can also view product-specific Late Breaking News (LBN1-94FK09) through the TIBCO Support Web.
All versions of Hawk prior to 4.8.1 are affected.
These components are affected:
Note that the Hawk AMI Java client library is a pure-Java implementation (not a JNI based on the C library), and is not affected.
Affected customers should update to the latest version of Hawk (4.8.1), available at http://download.tibco.com to customers with current maintenance for the product.
TIBCO strongly recommends that customers update the affected Hawk components outlined above.
No, neither the Hawk Display nor the Hawk Console is affected. Neither component needs to be updated or restarted.
No, the Hawk Agent (agent.jar) is not affected.
Applications do not need to be recompiled, but they must be re-linked with the new client library version:
The Hawk Custom Microagent (COM.TIBCO.hawk.microagent.Custom) is designed to allow remote code execution. Access to the Custom Microagent can be limited to specific, authenticated users (or denied entirely) via the Trusted security model. Please see the current product release note for detailed information on configuring the Trusted security model to limit or deny access to the Custom Microagent.
Customers not able to update Hawk at this time can limit their exposure by securing network access to any running tibhawkhma executables, and to any applications that utilize the Hawk AMI C client.
All versions prior to 5.6.0.
TIBCO Runtime Agent provides an installation of Hawk, whose tibhawkhma executable and AMI C client library are at issue. See the Hawk FAQ (above) for more details.
Products that include TIBCO Runtime Agent with their download include:
Affected customers should update to the latest version of TIBCO Runtime Agent (5.6.0), available at http://download.tibco.com to customers with current maintenance for the product. The update will install the updated version of Hawk (4.8.1).
In addition to the updated installation of Hawk, TIBCO Runtime Agent 5.6.0 includes minor enhancements and defect corrections. Please see the product's release note for details.
Customers upgrading from a version of TIBCO Runtime Agent earlier than 5.5.4 will find that on Solaris, Windows and Linux, an updated Java Runtime Environment (JRE 1.5 Update 15) is installed. See TIBCO LBN1-8VOM6F for more detail on the Java Runtime Environment issues. These customers will also receive an updated version of OpenSSL that addresses additional security issues; see www.openssl.org for more details.
Customers not able to update TIBCO Runtime Agent at this time can limit their exposure by securing network access to any running tibhawkhma executables, and to any applications that utilize the Hawk AMI C client.
All 10.3.x, 10.5.x and 10.6.x versions prior to 10.6.3, and version 11.0.0.
iProcess Engine has an exposure through its bundled Hawk installation, and its use of the Hawk AMI C client library. See the Hawk FAQ (above) for more details.
Affected customers should update to one of the latest versions of iProcess Engine (10.6.3 or 11.0.1), available at http://download.tibco.com to customers with current maintenance for the product. The new release will update the bundled Hawk software installation.
Customers not able to update iProcess Engine at this time can limit their exposure by securing network access to any running tibhawkhma executables, and to any applications that utilize the Hawk AMI C client.
All versions prior to 1.1.0.
The Mainframe Service Tracker statically links the Hawk AMI C client library. See the Hawk FAQ (above) for more details.
Affected customers should update to the latest version of Mainframe Service Tracker (1.1.0), available at http://download.tibco.com to customers with current maintenance for the product. The new version of the Tracker is linked with an updated version of the Hawk AMI C client.
Customers not able to update Mainframe Service Tracker at this time can limit their exposure by securing network access to any running tibhawkhma executables, and to any applications that utilize the Hawk AMI C client, such as the Mainframe Service Tracker executable.