Security vulnerabilities have been discovered in:
The SmartSockets® client libraries are dynamically linked in add-on products such as TIBCO SmartSockets® Cache, TIBCO SmartMQ® and TIBCO SmartSockets® RTie, and are statically linked in the server component of TIBCO Enterprise Message Service™ 4.0.0 through 5.1.1. Enterprise Message Service™ is itself bundled with TIBCO iProcess™ and several TIBCO ActiveMatrix™ products.
No.
The vulnerability could allow an attacker to execute arbitrary code, disclose information or deny service on an affected system. For details, please see the product advisories.
These issues affect customers who use SmartSockets or SmartSockets® Product Family Modules (RTworks). These issues also affect customers who use SmartSockets and SmartSockets Product Family Modules add-ons such as SmartSockets® Cache, SmartMQ™ and SmartSockets® RTie.
These issues affect customers who have enabled SmartSockets support in Enterprise Message Service, whether Enterprise Message Service was installed as a standalone product or as part of an iProcess™ or ActiveMatrix™ bundle.
Enterprise Message Service installations are only affected if the customer has proactively enabled the Enterprise Message Service server's SmartSockets support. By default, SmartSockets support is disabled.
Customers with current maintenance for SmartSockets Product Family Modules should have received a CD update via surface mail. Customers with current maintenance for other products in this advisory can obtain updates at http://download.tibco.com.
Customers of OEM partners can receive new versions and bundles from their OEM partners. Please contact your OEM partner for updates.
Please contact TIBCO Support by telephone. Please reference SR_ID:1-9R9GGJ in your communication to indicate the context of your request.
TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.
Access the original product advisories.
Customers with a current maintenance contract with TIBCO can log a service request with TIBCO Global Support (please refer to SR_ID: 1-9R9GGJ) and then call your support telephone number. Maintenance customers can also view product-specific Late Breaking News (LBN1-9R9GIH) through the TIBCO Support Web.
The original RTworks product set was rebranded SmartSockets Product Family Modules as of version 4.0.0 in May 2001. RTworks and SmartSockets Product Family Modules are the same product line, but with a name change at version 4.0.0. SmartSockets is a follow-on product line that was developed from the messaging component of the original RTworks product set.
Which versions of SmartSockets and SmartSockets Product Family Modules (RTworks) are affected?
All versions of SmartSockets 5.x and 6.x and SmartSockets Product Family Modules (RTworks) 4.x are affected.
The server component (RTserver) and C client libraries of both SmartSockets and SmartSockets Product Family Modules (RTworks) are affected.
The following SmartSockets add-on products dynamically load the SmartSockets client libraries, and are affected:
The following SmartSockets Product Family Modules (RTworks) components dynamically load the SmartSockets client libraries, and are affected:
Note that:
Affected customers should upgrade to the latest version of TIBCO SmartSockets (6.8.2) and TIBCO SmartSockets Product Family Modules/RTworks (4.0.5).
TIBCO strongly recommends that customers update all RTserver components and SmartSockets C client libraries. The RTserver and C client libraries delivered in SmartSockets 5.x and 6.x should be updated to the 6.8.2 release, and SmartSockets Product Family Modules (RTworks) 4.x should be updated to the 4.0.5 release. The SmartSockets Java and C# client libraries are not affected.
Yes. Customer applications using the SmartSockets C client library to process incoming messages should update as follows:
Customers should either secure their system by upgrading their RTserver, or by ensuring that the RTserver’s UDP discovery port is disabled. By default, the port is enabled in SmartSockets 5.x and SmartSockets Product Family Modules. By default the port is disabled in SmartSockets 6.x and later.
To disable the UDP discovery port in SmartSockets Product Family Modules or SmartSockets version 5.x, customers must ensure that udp_broadcast is not specified for the conn_names or server_names option of the rtserver.cm configuration file.
To disable the UDP discovery port in SmartSockets version 6.x, customers must ensure that udp_broadcast is not specified for the default_protocol option of the rtserver.cm configuration file. For example, setopt default_protocol udp_broadcast, tcp, local should be changed to setopt default_protocol tcp, local.
These products do not need to be updated, however they need to be restarted after installing the new SmartSockets client libraries. Restarting will cause the processes to dynamically load the new client libraries.
No. SmartSockets LiveDB utilizes the SmartSockets Java client, which is not affected.
No. SmartSockets SSL is an add-on library that is not affected. Applications that utilize SmartSockets SSL must still update their SmartSockets C libraries and RTserver components.
These products do not need to be updated, however they need to be restarted after installing the new SmartSockets client libraries. Restarting will cause the processes to dynamically load the new client libraries.
No. SmartSockets RTsdb does not utilize the SmartSockets client libraries and is not affected.
Do I need to update the SmartSockets-to-RV bridge?
The bridge does not need to be updated, but the server process (rtgateway) needs to be restarted after installing the new SmartSockets client libraries. Restarting will cause the server process to dynamically load the new client libraries.
If you are not able to update SmartSockets or SmartSockets Product Family Modules (RTworks) at this time, you can protect your RTserver from the UDP attack vector by ensuring that the server’s UDP discovery port is disabled. See above for details. You can limit exposure to additional defects by securing TCP access to SmartSockets servers and clients.
Enterprise Message Service versions 4.0.0 through 5.1.1 are affected.
The Enterprise Message Service server (tibemsd) is the only affected component. The Enterprise Message Service client libraries are not affected. The server has an exposure through its static linkage of the SmartSockets client libraries.
Affected customers should either update to the latest versions of Enterprise Message Service (5.1.2) and SmartSockets (6.8.2), or ensure that the Enterprise Message Service server’s SmartSockets support is disabled. By default, SmartSockets support is disabled; customers are only affected if they have proactively enabled SmartSockets support.
Enterprise Message Service servers prior to version 4.0.0 do not include SmartSockets support and are not at risk for the current support issue.
Customers who enable the Enterprise Message Service server's SmartSockets support must update both products. Enterprise Message Service versions 4.0.0 through 5.1.1 include statically linked copies of the SmartSockets client libraries within the server process. Enterprise Message Service version 5.1.2 dynamically loads the SmartSockets client libraries into the server process. Customers must now separately install SmartSockets, and ensure that the SmartSockets client libraries are accessible at start-up to the Enterprise Message Service server.
Enterprise Message Service versions 4.0.0 through 5.1.1 include statically linked copies of the SmartSockets client libraries within the server process. Enterprise Message Service version 5.1.2 dynamically loads the SmartSockets client libraries into the server process. If you are using the Enterprise Message Service server's SmartSockets support, you must enter a new parameter in the main tibemsd.conf configuration file to designate the location of the SmartSockets libraries:
module_path = SmartSockets-shared-library-directory
where SmartSockets-shared-library-directory is the absolute path to the directory containing the SmartSockets libraries. Please see the SmartSockets documentation to locate the directory in which the appropriate libraries are installed.
TIBCO strongly recommends that customers update all Enterprise Message Service daemons. Enterprise Message Service client libraries do not need to be updated at this time.
No, the Enterprise Message Service client libraries are not affected.
The OpenVMS, i5/OS and z/OS ports of Enterprise Message Service are client-only releases, and are not affected by the security issue with the Enterprise Message Service server. These ports are not impacted and do not need to be updated.
The defect is not present in Enterprise Message Service versions prior to 4.0.0. For Enterprise Message Service versions 4.0.0 through 5.1.1, the defect can be completely mitigated by disabling SmartSockets support in the Enterprise Message Service server. This is an administrative setting that can be updated without replacing the server by setting tibss_transports to disabled in the Enterprise Message Service server configuration file tibemsd.conf. The server must be restarted after the configuration file parameter has been changed.
Which versions of iProcess Engine are affected?
All 10.6 x versions, and all 11.0.x versions prior to 11.0.2.
iProcess Engine itself is not affected.
iProcess Engine has an exposure through its bundled TIBCO Enterprise Message Service installation. The Enterprise Message Service installation is only at risk if the server’s SmartSockets support has been explicitly enabled; by default SmartSockets support is disabled.
Affected customers should either update to the latest versions of iProcess Engine (11.0.2) and Enterprise Message Service (5.1.2), install the updated version of Enterprise Message Service (5.1.2) over their existing installation, or ensure that the Enterprise Message Service server’s SmartSockets support is disabled. By default, SmartSockets support is disabled; customers are only affected if they have proactively enabled SmartSockets support.
iProcess Engine 10.6 x versions, and 11.0.x versions prior to 11.0.2 bundled Enterprise Message Service within the iProcess installer. With the release of iProcess Engine 11.0.2, Enterprise Message Service is delivered as a separate download with its own installer. Customers who wish to utilize Enterprise Message Service’s SmartSockets support can either download and install new versions of both iProcess Engine and Enterprise Message Service, or install the updated version of Enterprise Message Service (5.1.2) over their existing installation.
Customers can completely mitigate the defect by disabling SmartSockets support in the Enterprise Message Service server. This is an administrative setting that can be updated without replacing the server by setting tibss_transports to disabled in the Enterprise Message Service server configuration file tibemsd.conf. The server must be restarted after the configuration file parameter has been changed. The default installation of Enterprise Message Service leaves SmartSockets support disabled.
Which ActiveMatrix products and versions are affected?
All ActiveMatrix products that bundle Enterprise Message Service versions 4.0.0 through 5.1.1 are potentially affected. These include:
| ActiveMatrix Product | Min. Version |
|---|---|
| TIBCO ActiveMatrix™ Adapter for Database | 5.5.0 |
| TIBCO ActiveMatrix™ Adapter for Files | 5.6.0 |
| TIBCO ActiveMatrix™ Adapter for SAP | 5.5.0 |
| TIBCO ActiveMatrix BusinessWorks™ | 5.6.0 |
| TIBCO ActiveMatrix™ Service Bus | 1.0.0 |
| TIBCO ActiveMatrix™ Service Grid | 1.0.0 |
| TIBCO ActiveMatrix™ Service Performance Manager | 1.0.0 |
The minimum version is the version in which Enterprise Message Service was included within the product bundle. The current versions of these products have been updated to include the updated release of Enterprise Message Service 5.1.2.
ActiveMatrix products themselves are not affected.
ActiveMatrix products have an exposure through their bundled TIBCO Enterprise Message Service installation. The Enterprise Message Service installation is only at risk if the Enterprise Message Service server’s SmartSockets support has been explicitly enabled; by default SmartSockets support is disabled.
Affected customers should either update to the latest versions of Enterprise Message Service (5.1.2), or ensure that the Enterprise Message Service server’s SmartSockets support is disabled. By default, SmartSockets support is disabled; customers are only affected if they have proactively enabled SmartSockets support.
The ActiveMatrix product installations do not themselves need to be updated, however the bundled version of TIBCO Enterprise Message Service will need to be updated if its SmartSocket support is enabled. By default the Enterprise Message Service server is configured with its SmartSockets support disabled; this completely mitigates the security issue. If you have proactively enabled SmartSockets within the Enterprise Message Service server, you can either disable this function (as described above in the Enterprise Message Service FAQ), or update your Enterprise Message Service installation.
Customers can completely mitigate the defect by disabling SmartSockets support in the Enterprise Message Service server. This is an administrative setting that can be updated without replacing the server by setting tibss_transports to disabled in the Enterprise Message Service server configuration file tibemsd.conf. The server must be restarted after the configuration file parameter has been changed. The default installation of Enterprise Message Service leaves SmartSockets support disabled.
---------------------