Security vulnerabilities have been discovered in:
TIBCO Runtime Agent is bundled with numerous TIBCO products, as detailed below.
The vulnerability could allow an attacker local to any system participating in a TIBCO domain to access the credentials of the administrator of the TIBCO domain. With these credentials, an attacker can then execute arbitrary code on any system that is a participant in the TIBCO domain. For details, please see the product advisory accessible from http:/services/support/advisories.
These issues may affect customers who utilize TIBCO Runtime Agent for domain administrator credentials. The specific impact, solution and mitigation possibilities are detailed in individual FAQs below.
Customers with current maintenance can obtain product updates at http://download.tibco.com.
Customers of OEM partners can receive new versions and bundles from their OEM partners. Please contact your OEM partner for updates.
Please contact TIBCO Support by telephone. Please reference SR_ID:1-AGVV71 in your communication to indicate the context of your request.
TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.
Customers with a current maintenance contract with TIBCO can log a service request with TIBCO Global Support (please refer to SR_ID:1-AGVV71) and then call their support telephone number. Maintenance customers can also view product-specific Late Breaking News (LBN1-AGVV8E) through the TIBCO Support Web.
All versions prior to 5.6.2.
The TIBCO Runtime Agent domain utilities (domainutility and domainutilitycmd) and the domain properties files that they create (AdministrationDomain.properties and AuthorizationDomain.properties).
TIBCO Runtime Agent 5.6.2 installs new versions of domainutility and domainutilitycmd, and updates several other components. Please see the product release notes for details.
Affected customers should update to the latest version of TIBCO Runtime Agent (5.6.2), which is available at http://download.tibco.com to customers with current maintenance for the product.
The TIBCO Runtime Agent's new domain utilities will correctly protect the properties files (and thus the domain administrator credentials) of any newly created domains.
Customers must manually update any existing domains by removing general read access to the properties files. A full description of this process and a sample script can be found in the product release notes.
Customers not able to update TIBCO Runtime Agent at this time can secure their domain administrator credentials by manually protecting the specified properties files of any existing domains, as well as any newly created domains.
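The manual protection described above can be audited and applied with a short script. The following is an added example, not the sample script from the TIBCO release notes: it assumes a Unix-like host, treats "general read access" as the "other" read permission bit, and takes the directory to search as an argument; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on TIBCO domain properties files.
# Assumptions: Unix-like host; "general read access" = the "other" read bit;
# the directory to search is supplied by the caller (no TIBCO path is assumed).

# Run find over the two properties files named in the advisory.
# $1 = directory to search, remaining args = extra find predicates/actions.
props_find() {
    _root=$1
    shift
    find "$_root" -type f \( -name 'AdministrationDomain.properties' \
        -o -name 'AuthorizationDomain.properties' \) "$@"
}

# Print every matching properties file that is still world-readable.
world_readable_props() {
    props_find "$1" -perm -004 -print
}

# Report world-readable properties files, remove the "other" read bit,
# then re-check. Returns 0 when none remain readable, 1 if any do,
# 2 if $1 is not a directory.
protect_domain_properties() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    world_readable_props "$1" | sed 's/^/world-readable: /'
    props_find "$1" -perm -004 -exec chmod o-r {} +
    [ -z "$(world_readable_props "$1")" ]
}

# Command-line use: sh protect_props.sh /path/to/search
[ "$#" -eq 0 ] || protect_domain_properties "$1"
```

Rerun the check after creating any new domain with the older utilities, since only the 5.6.2 domain utilities protect the files at creation time.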
Products that include TIBCO Runtime Agent with their download include:
Enterprise Management Advisor™ is based on an earlier version (5.3.0) of TIBCO Runtime Agent, and is not compatible with TIBCO Runtime Agent 5.6.2.
Customers can secure their domain administrator credentials by manually protecting the specified properties files of any existing domains, as well as any newly created domains.