TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: January 13, 2010 - TIBCO Runtime Agent™
TIBCO Runtime Agent™ vulnerability
Original release date: Jan 13, 2010
Last revised: --
Source: TIBCO Software Inc.
TIBCO Runtime Agent components listed above create TIBCO domain properties files with weak permissions. This may expose TIBCO domain administrator credentials to untrusted parties.
TIBCO has released an update which addresses this issue. TIBCO strongly recommends sites running the affected components to install the update and take corrective action as described below.
- TIBCO Runtime Agent (TRA) versions below 5.6.2
The following components are affected:
* TIBCO Domain Utility (domainutility and domainutilitycmd)
An attacker local to any system participating in a TIBCO domain could access the credentials of the administrator of the TIBCO domain. With these credentials, the attacker can then execute arbitrary code on any system that is a participant in the TIBCO domain.
Change permissions on all existing TIBCO domain properties files to prevent access by untrusted users.
Upgrade TIBCO Runtime Agent to version 5.6.2 or above. If an upgrade is not possible at this time, explicitly set permissions on any newly created TIBCO domain properties files until such time as an upgrade can be done.