TIBCO Security Advisory: July 29, 2008 - TIBCO Hawk®

Frequently Asked Questions

General FAQ

Why are these advisories being issued?

Security vulnerabilities have been discovered in:

  • TIBCO Hawk®

Impacted elements of the above products are included in or bundled with:

  • TIBCO Runtime Agent™
    • Numerous TIBCO products bundle TIBCO Runtime Agent; please see the TIBCO Runtime Agent FAQ (below) for a complete list.
  • TIBCO iProcess™ Engine
  • TIBCO Mainframe Service Tracker™

Details for each product are included in individual FAQ below.

What is the effect of the vulnerability?

The vulnerability could allow an attacker to execute arbitrary code, disclose information or deny service on an affected system. For details, please see the product advisories.

Which customers are affected?

These issues may affect customers who own and use Hawk®, either standalone or in conjunction with one of the products listed above. The specific impact, solution and mitigation possibilities are detailed in the individual FAQ below.

Where can I get software updates?

Customers with current maintenance can obtain product updates at http://download.tibco.com.

How will customers who receive TIBCO software via OEM partners be affected?

Customers of OEM partners can receive new versions and bundles from their OEM partners. Please contact your OEM partner for updates.

Can I get the software update if I am not current on maintenance? What if I don't have access to the download site or to TIBCO Support?

Please contact TIBCO Support by telephone. Please reference SR_ID:1-93UB1R in your communication to indicate the context of your request.

What is TIBCO doing to prevent future security issues?

TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.

Where can I get more information?

The original product advisories can be accessed from http:/services/support/advisories. Customers with a current maintenance contract with TIBCO can log a service request with TIBCO Global Support (please refer to SR_ID:1-93UB1R) and then call your support telephone number. Maintenance customers can also view product-specific Late Breaking News (LBN1-94FK09) through the TIBCO Support Web.

TIBCO Hawk FAQ

Which versions of Hawk® are affected?

All versions of Hawk prior to 4.8.1 are affected.

Which components are affected?

These components are affected:

  • Hawk HMA (tibhawkhma)
  • Hawk AMI C client library

Note that the Hawk AMI Java client library is a pure-Java implementation (not a JNI based on the C library), and is not affected.

How should customers handle this issue?

Affected customers should update to the latest version of Hawk (4.8.1), available at http://download.tibco.com to customers with current maintenance for the product.

Do I need to update all Hawk components?

TIBCO strongly recommends that customers update the affected Hawk components outlined above.

Do I need to update or restart the Java-based standalone Hawk Display or the TIBCO Administrator™ plug-in Hawk Console?

No, neither the Hawk Display nor the Hawk Console is affected. Neither component needs to be updated or restarted.

Do I need to update or restart the Hawk Agent (agent.jar)?

No, the Hawk Agent (agent.jar) is not affected.

Do I need to recompile and/or re-link my applications that use the Hawk AMI C client library?

Applications do not need to be recompiled, but they must be re-linked with the new client library version:

  • Applications that are dynamically linked should be restarted after the new client library is installed.
  • Applications that are statically linked should be re-linked and restarted.
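One way to find the processes that still need the restart described above, as an added example that is not TIBCO's code: a POSIX shell script that flags running tibhawkhma instances and any process whose /proc/PID/maps still references the replaced (pre-update) shared library. The advisory does not name the library file, so the caller supplies its name pattern, and the maps lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not TIBCO's code: after the updated Hawk AMI C client library
# is installed, list running processes that still need a restart:
#   - any tibhawkhma instance (the affected HMA executable), and
#   - any process that still has the replaced (pre-update) shared library
#     mapped, which Linux marks "(deleted)" in /proc/PID/maps.
# Statically linked applications cannot be found this way; they must be
# re-linked and restarted as the advisory states.
# Assumption: the library file name is not given in the advisory, so the
# caller passes a name pattern (e.g. the basename of the installed .so).

# needs_restart PID COMM MAPS_FILE LIBPATTERN
# Prints a reason and returns 0 if the process should be restarted, else 1.
needs_restart() {
    pid=$1; comm=$2; maps=$3; libpat=$4
    if [ "$comm" = "tibhawkhma" ]; then
        echo "$pid $comm: Hawk HMA executable, restart required"
        return 0
    fi
    # A mapping of a file that was overwritten on disk carries "(deleted)".
    if grep -q "$libpat.*(deleted)" "$maps" 2>/dev/null; then
        echo "$pid $comm: still maps old $libpat, restart required"
        return 0
    fi
    return 1
}

# scan_proc LIBPATTERN: walk live /proc on a Linux host (needs root to read
# the maps of other users' processes).
scan_proc() {
    for d in /proc/[0-9]*; do
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        needs_restart "${d#/proc/}" "$comm" "$d/maps" "$1"
    done
}

# Offline demonstration on constructed maps content (not real output).
demo() {
    old=$(mktemp); new=$(mktemp)
    printf '7f1000-7f2000 r-xp 00000000 08:01 42 /opt/tibco/lib/libami-example.so (deleted)\n' > "$old"
    printf '7f1000-7f2000 r-xp 00000000 08:01 43 /opt/tibco/lib/libami-example.so\n' > "$new"
    needs_restart 1001 tibhawkhma "$new" libami-example.so
    needs_restart 1002 billing-app "$old" libami-example.so
    needs_restart 1003 billing-app "$new" libami-example.so || echo "1003 billing-app: already on new library"
    rm -f "$old" "$new"
}

demo
```

Run `scan_proc <library-name>` as root on a live Linux host to check real processes; the demo only exercises the check on constructed input.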

Are there any additional security-related issues with Hawk?

The Hawk Custom Microagent (COM.TIBCO.hawk.microagent.Custom) is designed to allow remote code execution. Access to the Custom Microagent can be limited to specific, authenticated users (or denied entirely) via the Trusted security model. Please see the current product release note for detailed information on configuring the Trusted security model to limit or deny access to the Custom Microagent.

What if I cannot update Hawk at this time?

Customers not able to update Hawk at this time can limit their exposure by securing network access to any running tibhawkhma executables, and to any applications that utilize the Hawk AMI C client.

TIBCO Runtime Agent FAQ

Which versions of TIBCO Runtime Agent are affected?

All versions prior to 5.6.0.

Which components are affected?

TIBCO Runtime Agent provides an installation of Hawk, whose tibhawkhma executable and AMI C client library are at issue. See the Hawk FAQ (above) for more details.

Products that include TIBCO Runtime Agent with their download include:

  • TIBCO ActiveMatrix BusinessWorks™
  • TIBCO ActiveMatrix™ Adapter for ActiveDatabase
  • TIBCO Adapter™ for CICS
  • TIBCO Adapter™ for Clarify
  • TIBCO Adapter™ for COM
  • TIBCO Adapter™ for CORBA
  • TIBCO Adapter™ for EJB
  • TIBCO ActiveMatrix™ Adapter for Files (Unix/Win)
  • TIBCO Adapter™ for IBM AS/400
  • TIBCO Adapter™ for Infranet
  • TIBCO Adapter™ for JDE OneWorld Xe
  • TIBCO Adapter™ for Kenan BP
  • TIBCO Adapter™ for LDAP
  • TIBCO Adapter™ for Lotus Notes
  • TIBCO Adapter™ for MQSeries
  • TIBCO Adapter™ for Oracle Applications
  • TIBCO Adapter™ for PeopleSoft
  • TIBCO ActiveMatrix™ Adapter for SAP
  • TIBCO Adapter™ for Remedy
  • TIBCO Adapter™ for Siebel
  • TIBCO Adapter™ for SWIFT
  • TIBCO Adapter™ for Teradata
  • TIBCO Adapter™ for Tuxedo
  • TIBCO Adapter™ SDK
  • TIBCO BusinessConnect™
  • TIBCO BusinessEvents™ Enterprise Edition
  • TIBCO BusinessEvents™ Inference Edition
  • TIBCO BusinessFactor®
  • TIBCO BusinessWorks™ SmartMapper Enterprise Server
  • TIBCO Enterprise Management Advisor™
  • TIBCO Hawk®
  • TIBCO iProcess™ Insight
  • TIBCO PortalBuilder®
  • TIBCO RFID Interchange™

How should customers handle this issue?

Affected customers should update to the latest version of TIBCO Runtime Agent (5.6.0), available at http://download.tibco.com to customers with current maintenance for the product. The update will install the updated version of Hawk (4.8.1).

What is updated by the new version of TIBCO Runtime Agent?

In addition to the updated installation of Hawk, TIBCO Runtime Agent 5.6.0 includes minor enhancements and defect corrections. Please see the product's release note for details.

Customers upgrading from a version of TIBCO Runtime Agent earlier than 5.5.4 will find that on Solaris, Windows and Linux, an updated Java Runtime Environment (JRE 1.5 Update 15) is installed. See TIBCO LBN1-8VOM6F for more detail on the Java Runtime Environment issues. These customers will also receive an updated version of OpenSSL that addresses additional security issues; see www.openssl.org for more details.

What if I cannot update TIBCO Runtime Agent at this time?

Customers not able to update TIBCO Runtime Agent at this time can limit their exposure by securing network access to any running tibhawkhma executables, and to any applications that utilize the Hawk AMI C client.

TIBCO iProcess Engine FAQ

Which versions of iProcess™ Engine are affected?

All 10.3.x, 10.5.x and 10.6.x versions prior to 10.6.3, and version 11.0.0.

Which components are affected?

iProcess Engine has an exposure through its bundled Hawk installation, and its use of the Hawk AMI C client library. See the Hawk FAQ (above) for more details.

How should customers handle this issue?

Affected customers should update to one of the latest versions of iProcess Engine (10.6.3 or 11.0.1), available at http://download.tibco.com to customers with current maintenance for the product. The new release will update the bundled Hawk software installation.

What if I cannot update iProcess Engine at this time?

Customers not able to update iProcess Engine at this time can limit their exposure by securing network access to any running tibhawkhma executables, and to any applications that utilize the Hawk AMI C client.

TIBCO Mainframe Service Tracker FAQ

Which versions of Mainframe Service Tracker™ are affected?

All versions prior to 1.1.0.

Which components are affected?

The Mainframe Service Tracker statically links the Hawk AMI C client library. See the Hawk FAQ (above) for more details.

How should customers handle this issue?

Affected customers should update to the latest version of Mainframe Service Tracker (1.1.0), available at http://download.tibco.com to customers with current maintenance for the product. The new version of the Tracker is linked with an updated version of the Hawk AMI C client.

What if I cannot update Mainframe Service Tracker at this time?

Customers not able to update Mainframe Service Tracker at this time can limit their exposure by securing network access to any running tibhawkhma executables, and to any applications that utilize the Hawk AMI C client, such as the Mainframe Service Tracker executable.
