TIBCO Security Advisory: April 28, 2009 - TIBCO SmartSockets®

Frequently Asked Questions

General FAQ

Why are these advisories being issued?

Security vulnerabilities have been discovered in:

  • TIBCO SmartSockets®, and
  • TIBCO SmartSockets® Product Family Modules (formerly RTworks).

The SmartSockets® client libraries are dynamically linked in add-on products such as TIBCO SmartSockets® Cache, TIBCO SmartMQ® and TIBCO SmartSockets® RTie, and are statically linked in the server component of TIBCO Enterprise Message Service™ 4.0.0 through 5.1.1. Enterprise Message Service™ is itself bundled with TIBCO iProcess™ and several TIBCO ActiveMatrix™ products.

Do these issues affect TIBCO Rendezvous®?

No.

What is the impact of the vulnerability?

The vulnerability could allow an attacker to execute arbitrary code, disclose information or deny service on an affected system. For details, please see the product advisories.

Which customers are affected?

These issues affect customers who use SmartSockets or SmartSockets® Product Family Modules (RTworks). These issues also affect customers who use SmartSockets and SmartSockets Product Family Modules add-ons such as SmartSockets® Cache, SmartMQ™ and SmartSockets® RTie.

These issues affect customers who have enabled SmartSockets support in Enterprise Message Service, whether Enterprise Message Service was installed as a standalone product or as part of an iProcess™ or ActiveMatrix™ bundle.

Enterprise Message Service installations are only affected if the customer has proactively enabled the Enterprise Message Service server's SmartSockets support. By default, SmartSockets support is disabled.

Where can I get software updates?

Customers with current maintenance for SmartSockets Product Family Modules should have received a CD update via surface mail. Customers with current maintenance for other products in this advisory can obtain updates at http://download.tibco.com.

How will customers who receive TIBCO software via OEM partners be affected?

Customers of OEM partners can receive new versions and bundles from their OEM partners. Please contact your OEM partner for updates.

Can I get the software update if I am not current on maintenance? What if I don’t have access to the download site or to TIBCO Support?

Please contact TIBCO Support by telephone. Please reference SR_ID:1-9R9GGJ in your communication to indicate the context of your request.

What is TIBCO doing to prevent future security issues?

TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.

Where can I get more information?

Access the original product advisories.

Customers with a current maintenance contract with TIBCO can log a service request with TIBCO Global Support (please refer to SR_ID: 1-9R9GGJ) and then call your support telephone number. Maintenance customers can also view product-specific Late Breaking News (LBN1-9R9GIH) through the TIBCO Support Web.

TIBCO SmartSockets FAQ

What is the difference between RTworks, SmartSockets Product Family Modules, and SmartSockets?

The original RTworks product set was rebranded SmartSockets Product Family Modules as of version 4.0.0 in May 2001. RTworks and SmartSockets Product Family Modules are the same product line, but with a name change at version 4.0.0. SmartSockets is a follow-on product line that was developed from the messaging component of the original RTworks product set.

Which versions of SmartSockets and SmartSockets Product Family Modules (RTworks) are affected?

All versions of SmartSockets 5.x and 6.x and SmartSockets Product Family Modules (RTworks) 4.x are affected.

Which components are affected?

The server component (RTserver) and C client libraries of both SmartSockets and SmartSockets Product Family Modules (RTworks) are affected.

The following SmartSockets add-on products dynamically load the SmartSockets client libraries, and are affected:

  • TIBCO SmartMQ™
  • TIBCO SmartSockets® Cache
  • TIBCO SmartSockets® for JMS
  • TIBCO SmartSockets® Gateway
  • TIBCO SmartSockets® LiveWeb
  • TIBCO SmartSockets® Monitor

The following SmartSockets Product Family Modules (RTworks) components dynamically load the SmartSockets client libraries, and are affected:

  • TIBCO SmartSockets® RTarchive
  • TIBCO SmartSockets® RTdaq
  • TIBCO SmartSockets® RTgateway
  • TIBCO SmartSockets® RThci
  • TIBCO SmartSockets® RTie
  • TIBCO SmartSockets® RTmonitor
  • TIBCO SmartSockets® RTplayback

Note that:

  • TIBCO SmartSockets® LiveDB utilizes the SmartSockets Java client and is not affected.
  • TIBCO SmartSockets® SSL is not directly affected. SmartSockets applications that utilize SmartSockets® SSL must update their SmartSockets C libraries and RTserver components.
  • TIBCO SmartSockets® RTsdb does not utilize the SmartSockets client libraries and is not affected.

How should customers handle this issue?

Affected customers should upgrade to the latest version of TIBCO SmartSockets (6.8.2) and TIBCO SmartSockets Product Family Modules/RTworks (4.0.5).

Do I need to update all SmartSockets or SmartSockets Product Family Modules (RTworks) components?

TIBCO strongly recommends that customers update all RTserver components and SmartSockets C client libraries. The RTserver and C client libraries delivered in SmartSockets 5.x and 6.x should be updated to the 6.8.2 release, and SmartSockets Product Family Modules (RTworks) 4.x should be updated to the 4.0.5 release. The SmartSockets Java and C# client libraries are not affected.

Do I need to recompile and/or re-link my applications that use the SmartSockets C client libraries?

Yes. Customer applications using the SmartSockets C client library to process incoming messages should update as follows:

  • SmartSockets 6.x
    • Applications dynamically linked with the SmartSockets 6.x C client libraries should be restarted after the new 6.8.2 client libraries have been installed.
    • Applications statically linked with the SmartSockets 6.x C client libraries should be re-linked and restarted with the new 6.8.2 client libraries.
  • SmartSockets 5.x
  • Applications dynamically linked with the SmartSockets 5.x C client libraries should be recompiled, and restarted after the new 6.8.2 client libraries have been installed.
  • Applications statically linked with the SmartSockets 5.x C client libraries should be recompiled, re-linked and restarted with the new 6.8.2 client libraries.
  • SmartSockets Product Family Modules (RTworks) 4.x
  • Applications dynamically linked with the SmartSockets C client libraries provided in SmartSockets Product Family Modules (RTworks) 4.x should be restarted after the new 4.0.5 client libraries have been installed.
  • Applications statically linked with the SmartSockets C client libraries provided in SmartSockets Product Family Modules (RTworks) 4.x should be re-linked and restarted with the new 4.0.5 client libraries.

Do I need to update my SmartSockets RTserver?

Customers should either secure their system by upgrading their RTserver, or by ensuring that the RTserver’s UDP discovery port is disabled. By default, the port is enabled in SmartSockets 5.x and SmartSockets Product Family Modules. By default the port is disabled in SmartSockets 6.x and later.

To disable the UDP discovery port in SmartSockets Product Family Modules or SmartSockets version 5.x, customers must ensure that udp_broadcast is not specified for the conn_names or server_names option of the rtserver.cm configuration file.

To disable the UDP discovery port in SmartSockets version 6.x, customers must ensure that udp_broadcast is not specified for the default_protocol option of the rtserver.cm configuration file. For example, setopt default_protocol udp_broadcast, tcp, local should be changed to setopt default_protocol tcp, local.

Do I need to update the SmartSockets add-on products TIBCO SmartMQ, TIBCO SmartSockets Cache, TIBCO SmartSockets for JMS, TIBCO SmartSockets Gateway, TIBCO SmartSockets LiveDB, TIBCO SmartSockets LiveWeb, TIBCO SmartSockets Monitor, or TIBCO SmartSockets SSL?

These products do not need to be updated, however they need to be restarted after installing the new SmartSockets client libraries. Restarting will cause the processes to dynamically load the new client libraries.

Do I need to update my TIBCO SmartSockets LiveDB installation?

No. SmartSockets LiveDB utilizes the SmartSockets Java client, which is not affected.

Do I need to update my TIBCO SmartSockets SSL installation?

No. SmartSockets SSL is an add-on library that is not affected. Applications that utilize SmartSockets SSL must still update their SmartSockets C libraries and RTserver components.

Do I need to update the SmartSockets Product Family Modules (RTworks) add-on products TIBCO SmartSockets RTarchive, TIBCO SmartSockets RTdaq, TIBCO SmartSockets RTgateway, TIBCO SmartSockets RThci, TIBCO SmartSockets RTie, TIBCO SmartSockets RTmonitor, or TIBCO SmartSockets RTplayback?

These products do not need to be updated, however they need to be restarted after installing the new SmartSockets client libraries. Restarting will cause the processes to dynamically load the new client libraries.

Do I need to update my TIBCO SmartSockets RTsdb installation?

No. SmartSockets RTsdb does not utilize the SmartSockets client libraries and is not affected.

Do I need to update the SmartSockets-to-RV bridge?

The bridge does not need to be updated, but the server process (rtgateway) needs to be restarted after installing the new SmartSockets client libraries. Restarting will cause the server process to dynamically load the new client libraries.

What if I cannot update SmartSockets or SmartSockets Product Family Modules (RTworks) at this time?

If you are not able to update SmartSockets or SmartSockets Product Family Modules (RTworks) at this time, you can protect your RTserver from the UDP attack vector by ensuring that the server’s UDP discovery port is disabled. See above for details. You can limit exposure to additional defects by securing TCP access to SmartSockets servers and clients.

TIBCO Enterprise Message Service FAQ

Which versions of TIBCO Enterprise Message Service are affected?

Enterprise Message Service versions 4.0.0 through 5.1.1 are affected.

Which components are affected?

The Enterprise Message Service server (tibemsd) is the only affected component. The Enterprise Message Service client libraries are not affected. The server has an exposure through its static linkage of the SmartSockets client libraries.

How should customers handle this issue?

Affected customers should either update to the latest versions of Enterprise Message Service (5.1.2) and SmartSockets (6.8.2), or ensure that the Enterprise Message Service server’s SmartSockets support is disabled. By default, SmartSockets support is disabled; customers are only affected if they have proactively enabled SmartSockets support.

Enterprise Message Service servers prior to version 4.0.0 do not include SmartSockets support and are not at risk for the current support issue.

Do I have to update both Enterprise Message Service and SmartSockets?

Customers who enable the Enterprise Message Service server's SmartSockets support must update both products. Enterprise Message Service versions 4.0.0 through 5.1.1 include statically linked copies of the SmartSockets client libraries within the server process. Enterprise Message Service version 5.1.2 dynamically loads the SmartSockets client libraries into the server process. Customers must now separately install SmartSockets, and ensure that the SmartSockets client libraries are accessible at start-up to the Enterprise Message Service server.

How do I configure the new Enterprise Message Service server for SmartSockets support?

Enterprise Message Service versions 4.0.0 through 5.1.1 include statically linked copies of the SmartSockets client libraries within the server process. Enterprise Message Service version 5.1.2 dynamically loads the SmartSockets client libraries into the server process. If you are using the Enterprise Message Service server's SmartSockets support, you must enter a new parameter in the main tibemsd.conf configuration file to designate the location of the SmartSockets libraries:

module_path = SmartSockets-shared-library-directory

where SmartSockets-shared-library-directory is the absolute path to the directory containing the SmartSockets libraries. Please see the SmartSockets documentation to locate the directory in which the appropriate libraries are installed.

Do I need to update all Enterprise Message Service components?

TIBCO strongly recommends that customers update all Enterprise Message Service daemons. Enterprise Message Service client libraries do not need to be updated at this time.

Do I need to recompile and/or re-link my applications that use the Enterprise Message Service client libraries?

No, the Enterprise Message Service client libraries are not affected.

Why can’t I find a new Enterprise Message Service release for OpenVMS, i5/OS or z/OS?

The OpenVMS, i5/OS and z/OS ports of Enterprise Message Service are client-only releases, and are not affected by the security issue with the Enterprise Message Service server. These ports are not impacted and do not need to be updated.

What if I cannot update Enterprise Message Service at this time?

The defect is not present in Enterprise Message Service versions prior to 4.0.0. For Enterprise Message Service versions 4.0.0 through 5.1.1, the defect can be completely mitigated by disabling SmartSockets support in the Enterprise Message Service server. This is an administrative setting that can be updated without replacing the server by setting tibss_transports to disabled in the Enterprise Message Service server configuration file tibemsd.conf. The server must be restarted after the configuration file parameter has been changed.

TIBCO iProcess Engine FAQ

Which versions of iProcess Engine are affected?

All 10.6 x versions, and all 11.0.x versions prior to 11.0.2.

Which components are affected?

iProcess Engine itself is not affected.

iProcess Engine has an exposure through its bundled TIBCO Enterprise Message Service installation. The Enterprise Message Service installation is only at risk if the server’s SmartSockets support has been explicitly enabled; by default SmartSockets support is disabled.

How should customers handle this issue?

Affected customers should either update to the latest versions of iProcess Engine (11.0.2) and Enterprise Message Service (5.1.2), install the updated version of Enterprise Message Service (5.1.2) over their existing installation, or ensure that the Enterprise Message Service server’s SmartSockets support is disabled. By default, SmartSockets support is disabled; customers are only affected if they have proactively enabled SmartSockets support.

Do I have to update both iProcess Engine and Enterprise Message Service?

iProcess Engine 10.6 x versions, and 11.0.x versions prior to 11.0.2 bundled Enterprise Message Service within the iProcess installer. With the release of iProcess Engine 11.0.2, Enterprise Message Service is delivered as a separate download with its own installer. Customers who wish to utilize Enterprise Message Service’s SmartSockets support can either download and install new versions of both iProcess Engine and Enterprise Message Service, or install the updated version of Enterprise Message Service (5.1.2) over their existing installation.

What if I cannot update iProcess Engine and Enterprise Message Service at this time?

Customers can completely mitigate the defect by disabling SmartSockets support in the Enterprise Message Service server. This is an administrative setting that can be updated without replacing the server by setting tibss_transports to disabled in the Enterprise Message Service server configuration file tibemsd.conf. The server must be restarted after the configuration file parameter has been changed. The default installation of Enterprise Message Service leaves SmartSockets support disabled.

TIBCO ActiveMatrix FAQ

Which ActiveMatrix products and versions are affected?

All ActiveMatrix products that bundle Enterprise Message Service versions 4.0.0 through 5.1.1 are potentially affected. These include:

ActiveMatrix Product Min. Version
TIBCO ActiveMatrix™ Adapter for Database 5.5.0
TIBCO ActiveMatrix™ Adapter for Files 5.6.0
TIBCO ActiveMatrix™ Adapter for SAP 5.5.0
TIBCO ActiveMatrix BusinessWorks™ 5.6.0
TIBCO ActiveMatrix™ Service Bus 1.0.0
TIBCO ActiveMatrix™ Service Grid 1.0.0
TIBCO ActiveMatrix™ Service Performance Manager 1.0.0

The minimum version is the version in which Enterprise Message Service was included within the product bundle. The current versions of these products have been updated to include the updated release of Enterprise Message Service 5.1.2.

Which components are affected?

ActiveMatrix products themselves are not affected.

ActiveMatrix products have an exposure through their bundled TIBCO Enterprise Message Service installation. The Enterprise Message Service installation is only at risk if the Enterprise Message Service server’s SmartSockets support has been explicitly enabled; by default SmartSockets support is disabled.

How should customers handle this issue?

Affected customers should either update to the latest versions of Enterprise Message Service (5.1.2), or ensure that the Enterprise Message Service server’s SmartSockets support is disabled. By default, SmartSockets support is disabled; customers are only affected if they have proactively enabled SmartSockets support.

Do I need to update my ActiveMatrix installations?

The ActiveMatrix product installations do not themselves need to be updated, however the bundled version of TIBCO Enterprise Message Service will need to be updated if its SmartSocket support is enabled. By default the Enterprise Message Service server is configured with its SmartSockets support disabled; this completely mitigates the security issue. If you have proactively enabled SmartSockets within the Enterprise Message Service server, you can either disable this function (as described above in the Enterprise Message Service FAQ), or update your Enterprise Message Service installation.

What if I cannot update Enterprise Message Service at this time?

Customers can completely mitigate the defect by disabling SmartSockets support in the Enterprise Message Service server. This is an administrative setting that can be updated without replacing the server by setting tibss_transports to disabled in the Enterprise Message Service server configuration file tibemsd.conf. The server must be restarted after the configuration file parameter has been changed. The default installation of Enterprise Message Service leaves SmartSockets support disabled.

---------------------