TIBCO Security Advisory: February 1, 2011 - TIBCO Rendezvous and Enterprise Message Service

Frequently Asked Questions

General FAQ

Why is this advisory being issued?

Security vulnerabilities have been discovered in:

  • TIBCO Rendezvous® versions 8.2.1 through 8.3.0
  • TIBCO Enterprise Message Service™ versions 5.1.0 through 6.0.0
  • TIBCO Runtime Agent™ versions 5.6.2 through 5.7.0
  • TIBCO Silver™ BPM Service versions below 1.0.4
  • TIBCO Silver™ CAP Service versions below 1.0.2
  • TIBCO Silver BusinessWorks™ Service version 1.0.0

What is the impact of the vulnerability?

On Unix-based systems a successful attack will result in a privilege escalation to root, granting the attacker full administrative control of the host. For details, please see the security advisory.

Is this vulnerability remotely exploitable?

No. This is a local-only exploit: an attacker must already have access to the local host to exploit this vulnerability.

Which customers are affected?

These issues affect all customers using the above product versions.

Where can I get software updates?

Customers with current maintenance can obtain product updates through their standard TIBCO fulfillment channel.

How will customers who receive TIBCO software via OEM partners be affected?

Customers of OEM partners can receive new versions and bundles from their OEM partners. Please contact your OEM partner for updates.

Can I get the software update if I am not current on maintenance? What if I don’t have access to the download site or to TIBCO Support?

Please contact TIBCO Support by telephone. Please reference SR:1-BJDDG7 in your communication to indicate the context of your request.

What is TIBCO doing to prevent future security issues?

TIBCO takes security very seriously. We perform rigorous testing for every product release, as well as code audits, structured walkthroughs and peer reviews. TIBCO has identified security vulnerabilities in products during internal testing and reviews and corrected them prior to release. TIBCO constantly evaluates and augments its security measures and will continue to do so.

Where can I get more information?

Product advisories can be accessed from the Security Advisories for TIBCO Products web page.

Customers with a current maintenance contract with TIBCO can log a service request with TIBCO Global Support (please refer to the service request identifiers listed above) and then call your support telephone number. Maintenance customers can also view product-specific Late Breaking News through the TIBCO Support Web.

TIBCO Rendezvous FAQ

Which product versions are affected?

  • TIBCO Rendezvous® versions 8.2.1 through 8.3.0 (Unix-based platforms only)

Is TIBCO Rendezvous on non-Unix platforms affected?

No, TIBCO Rendezvous on Microsoft Windows, IBM i and other non-Unix platforms is not affected.

Are TIBCO Rendezvous® for z/OS or TIBCO Substation ES™ affected?

No, neither TIBCO Rendezvous for z/OS nor TIBCO Substation ES is vulnerable.

What components are affected?

  • TIBCO Rendezvous Routing Daemon (rvrd)
  • TIBCO Rendezvous Secure Daemon (rvsd)
  • TIBCO Rendezvous Secure Routing Daemon (rvsrd)

Are other TIBCO Rendezvous daemons (rvd, rvrad and rvcache) or the TIBCO Rendezvous® In-Process Module vulnerable?

No, these daemons and the TIBCO Rendezvous In-Process Module are not vulnerable.

How should customers handle these issues?

For each affected system, customers should update to:

  • TIBCO Rendezvous 8.3.1 or higher

Once updated software has been installed, customers should restart their TIBCO Rendezvous daemons.

What is updated by this new product version?

The new product version contains a complete installation. Please see the product README, release notes and/or documentation for a complete list of changes.

Do I need to recompile or re-link my TIBCO Rendezvous applications?

TIBCO Rendezvous applications do not need to be recompiled or re-linked; the vulnerability is limited to the specified TIBCO Rendezvous daemons (rvrd, rvsd, and rvsrd).

What if I cannot update my affected TIBCO products at this time?

Customers can completely mitigate the vulnerability by disabling SUID rights for the affected components.

Which TIBCO products include TIBCO Rendezvous?

Products that include TIBCO Rendezvous with their download may do so directly, or indirectly by way of TIBCO Runtime Agent. Please see the TIBCO Runtime Agent FAQs for a list of products that include Rendezvous indirectly. Products that include TIBCO Rendezvous directly with their download include:

  • TIBCO ActiveSpaces® Enterprise Edition
  • TIBCO Hawk®
  • TIBCO Rendezvous® Client
  • TIBCO Rendezvous® Enterprise Daemon
  • TIBCO Rendezvous® Network Analysis Kit
  • TIBCO Rendezvous® Standard Daemon

TIBCO Enterprise Message Service FAQ

Which product versions are affected?

  • TIBCO Enterprise Message Service versions 5.1.0 through 6.0.0 (Unix-based platforms only)

Are non-Unix platforms affected?

No, only Unix platforms are affected.

What components are affected?

  • TIBCO Enterprise Message Service server (tibemsd)

How should customers handle these issues?

For each affected system, customers should update to:

  • TIBCO Enterprise Message Service 6.0.1 or higher

Once updated software has been installed, customers should restart their TIBCO Enterprise Message Service servers.

What is updated by this new product version?

The new product version contains a complete installation. Please see the product README, release notes and/or documentation for a complete list of changes.

Do I need to recompile or re-link my TIBCO Enterprise Message Service applications?

TIBCO Enterprise Message Service applications do not need to be recompiled or re-linked; the vulnerability is limited to the TIBCO Enterprise Message Service server (tibemsd).

What if I cannot update my affected TIBCO products at this time?

Customers can completely mitigate the vulnerability by disabling SUID rights for the affected components.

Which TIBCO products include TIBCO Enterprise Message Service?

Products that include TIBCO Enterprise Message Service with their download include:

  • TIBCO ActiveMatrix® BPM
  • TIBCO ActiveMatrix BusinessWorks™
  • TIBCO ActiveMatrix® Service Bus
  • TIBCO ActiveMatrix® Service Grid
  • TIBCO ActiveMatrix® Service Performance Manager
  • TIBCO Enterprise Message Service™
  • TIBCO iProcess™ Engine

TIBCO Runtime Agent FAQ

Which product versions are affected?

  • TIBCO Runtime Agent™ versions 5.6.2 through 5.7.0 (Unix-based platforms only)

Are non-Unix platforms affected?

No, only Unix-based platforms are affected.

What components are affected?

The TIBCO Rendezvous release delivered in these versions of TIBCO Runtime Agent includes these vulnerable components:

  • TIBCO Rendezvous Routing Daemon (rvrd)
  • TIBCO Rendezvous Secure Daemon (rvsd)
  • TIBCO Rendezvous Secure Routing Daemon (rvsrd)

How should customers handle these issues?

For each affected system, customers should update to:

  • TIBCO Runtime Agent 5.7.1 or higher

Once updated software has been installed, customers should restart their TIBCO Rendezvous daemons.

What is updated by this new product version?

The new product version contains a complete installation. Please see the product README, release notes and/or documentation for a complete list of changes.

Please note that starting with this release of TIBCO Runtime Agent, TIBCO Rendezvous will be delivered as a separate installation. TIBCO Rendezvous can be installed prior to, or in conjunction with, installation of TIBCO Runtime Agent. Please see the TIBCO Runtime Agent documentation for details.

Do I need to recompile or re-link my TIBCO Rendezvous applications?

TIBCO Rendezvous applications do not need to be recompiled or re-linked; the vulnerability is limited to the specified TIBCO Rendezvous daemons (rvrd, rvsd, and rvsrd).

What if I cannot update my affected TIBCO products at this time?

Customers can completely mitigate the vulnerability by disabling SUID rights for the affected components.

Which TIBCO products include TIBCO Runtime Agent?

Products that include TIBCO Runtime Agent with their download include:

  • TIBCO® ActiveFulfillment
  • TIBCO ActiveMatrix® Adapter for Database
  • TIBCO ActiveMatrix® Adapter for Files (Unix/Win)
  • TIBCO ActiveMatrix® Adapter for IBM i
  • TIBCO ActiveMatrix® Adapter for Kenan/BP
  • TIBCO ActiveMatrix® Adapter for LDAP
  • TIBCO ActiveMatrix® Adapter for Lotus Notes
  • TIBCO ActiveMatrix® Adapter for PeopleSoft
  • TIBCO ActiveMatrix® Adapter for SAP
  • TIBCO ActiveMatrix® Adapter for Siebel
  • TIBCO ActiveMatrix® Adapter for Tuxedo
  • TIBCO ActiveMatrix® Adapter for WebSphere MQ
  • TIBCO ActiveMatrix BusinessWorks™
  • TIBCO® Adapter for CICS
  • TIBCO® Adapter for Clarify
  • TIBCO® Adapter for COM
  • TIBCO® Adapter for CORBA
  • TIBCO® Adapter for EJB
  • TIBCO® Adapter for Infranet
  • TIBCO® Adapter for JDE OneWorld Xe
  • TIBCO® Adapter for Oracle Applications
  • TIBCO® Adapter for Remedy
  • TIBCO® Adapter for SWIFT
  • TIBCO® Adapter for Teradata
  • TIBCO® Adapter SDK
  • TIBCO BusinessConnect™
  • TIBCO BusinessFactor®
  • TIBCO BusinessWorks™ SmartMapper Enterprise Server
  • TIBCO Enterprise Management Advisor™
  • TIBCO Hawk®
  • TIBCO iProcess™ Bundle
  • TIBCO iProcess™ Insight
  • TIBCO PortalBuilder®
  • TIBCO RFID Interchange™
  • TIBCO® SOA Integration Bundle

Do I need to take additional steps to use the updated TIBCO Runtime Agent and TIBCO Rendezvous with TIBCO ActiveMatrix®?

Yes. The following TIBCO ActiveMatrix products must be updated with the TIBCO Rendezvous® Updater for ActiveMatrix® to make them compatible with an update of TIBCO Rendezvous:

  • TIBCO ActiveMatrix BPM
  • TIBCO ActiveMatrix BusinessWorks*
  • TIBCO ActiveMatrix Service Bus
  • TIBCO ActiveMatrix Service Grid

* Note that this compatibility update step is only required for TIBCO ActiveMatrix BusinessWorks™ Service Engine. Installations of the classic TIBCO ActiveMatrix BusinessWorks do not require this compatibility update step.

How do I update TIBCO ActiveMatrix products to be compatible with the update of TIBCO Rendezvous?

TIBCO Rendezvous® Updater for ActiveMatrix® 1.0.0 is now supplied with each of the ActiveMatrix products listed above. This tool will update your ActiveMatrix installation to make it compatible with an updated installation of TIBCO Rendezvous. Please see the README delivered with the TIBCO Rendezvous Updater for ActiveMatrix for detailed usage instructions.

What is updated by the TIBCO Rendezvous Updater for ActiveMatrix?

The TIBCO Rendezvous Updater for ActiveMatrix updates the TIBCO Rendezvous® Java client library used by the named TIBCO ActiveMatrix products. The Java client library is copied from your updated TIBCO Rendezvous installation into your TIBCO ActiveMatrix installation.

Why isn't TIBCO BusinessEvents® listed as a product that includes TIBCO Runtime Agent?

TIBCO Runtime Agent was removed from TIBCO BusinessEvents as of version 4.0.0.

How should TIBCO BusinessEvents customers handle this issue?

Customers using versions of TIBCO BusinessEvents earlier than 4.0.0 can mitigate the current vulnerabilities by upgrading to TIBCO BusinessEvents version 4.0.0 or later, or by following the mitigation instructions provided for TIBCO Rendezvous.

TIBCO Silver BPM Service FAQ

Which product versions are affected?

  • TIBCO Silver BPM Service versions below 1.0.4

What components are affected?

The TIBCO Enterprise Message Service and TIBCO Rendezvous releases included in these versions of TIBCO Silver BPM Service include these vulnerable components:

  • TIBCO Enterprise Message Service server (tibemsd)

How should customers handle these issues?

For each affected system, customers should update to:

  • TIBCO Silver BPM Service 1.0.4 or higher

Customers should use TIBCO Silver™ Center to enable access to the new software version, stop instances of older versions, and create instances of the new version.

What is updated by this new product version?

The new product version contains a complete installation. Please see the product README, release notes and/or documentation for a complete list of changes.

What if I cannot update my affected TIBCO products at this time?

Customers can completely mitigate the vulnerability by disabling SUID rights for the affected components.

TIBCO Silver CAP Service FAQ

Which product versions are affected?

  • TIBCO Silver™ CAP Service versions below 1.0.2

What components are affected?

The TIBCO Enterprise Message Service and TIBCO Rendezvous releases delivered in these versions of TIBCO Silver CAP Service include these vulnerable components:

  • TIBCO Enterprise Message Service server (tibemsd)

How should customers handle these issues?

For each affected system, customers should update to:

  • TIBCO Silver CAP Service 1.0.2 or higher

Customers should use TIBCO Silver™ Center to enable access to the new software version, stop instances of older versions, and create instances of the new version.

What is updated by this new product version?

The new product version contains a complete installation. Please see the product README, release notes and/or documentation for a complete list of changes.

What if I cannot update my affected TIBCO products at this time?

Customers can completely mitigate the vulnerability by disabling SUID rights for the affected components.

TIBCO Silver BusinessWorks Service FAQ

Which product versions are affected?

  • TIBCO Silver BusinessWorks™ Service version 1.0.0

What components are affected?

The TIBCO Enterprise Message Service and TIBCO Rendezvous releases delivered in this version of TIBCO Silver BusinessWorks Service include these vulnerable components:

  • TIBCO Enterprise Message Service server (tibemsd)
  • TIBCO Rendezvous Routing Daemon (rvrd)
  • TIBCO Rendezvous Secure Daemon (rvsd)
  • TIBCO Rendezvous Secure Routing Daemon (rvsrd)

How should customers handle these issues?

For each affected system, customers should update to:

  • TIBCO Silver BusinessWorks Service 1.0.1 or higher

Customers should use TIBCO Silver™ Center to enable access to the new software version, stop instances of older versions, and create instances of the new version.

What is updated by this new product version?

The new product version contains a complete installation. Please see the product README, release notes and/or documentation for a complete list of changes.

What if I cannot update my affected TIBCO products at this time?

Customers can completely mitigate the vulnerability by disabling SUID rights for the affected components.
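The "What if I cannot update" answers throughout this FAQ all give the same interim mitigation: remove the SUID bit from the affected daemons (rvrd, rvsd and rvsrd for TIBCO Rendezvous, tibemsd for TIBCO Enterprise Message Service). The POSIX shell script below is an added example, not TIBCO's own tooling or text from the advisory; it locates those binaries under an install root, reports which still carry the setuid bit, clears the bit, and verifies the result. The install root is taken from an assumed TIBCO_HOME environment variable (your real path will differ), and the script must be run as the owner of the binaries or as root.

```shell
#!/bin/sh
# Added example: interim SUID mitigation for the daemons named in this advisory.
# Not TIBCO's own tooling. TIBCO_HOME is an assumed install root; set it to the
# directory that holds your Rendezvous / EMS installations before running.

# The affected components listed in the advisory. Other daemons (rvd, rvrad,
# rvcache) are stated to be unaffected, so they are deliberately not touched.
AFFECTED_BINS="rvrd rvsd rvsrd tibemsd"

# list_suid_affected DIR
#   Print every regular file below DIR that is one of the affected binaries
#   and currently has the setuid bit set (mode bit 4000).
list_suid_affected() {
    dir="$1"
    for name in $AFFECTED_BINS; do
        find "$dir" -type f -name "$name" -perm -4000 2>/dev/null
    done
}

# count_suid_affected DIR
#   Print how many affected binaries below DIR are still setuid.
count_suid_affected() {
    list_suid_affected "$1" | wc -l | tr -d ' '
}

# strip_suid DIR
#   Clear the setuid bit on each affected binary below DIR and print the
#   number of files that were changed.
strip_suid() {
    dir="$1"
    before=$(count_suid_affected "$dir")
    for name in $AFFECTED_BINS; do
        # -exec ... {} + is POSIX and copes with paths containing spaces.
        find "$dir" -type f -name "$name" -perm -4000 -exec chmod u-s '{}' + 2>/dev/null
    done
    echo "$before"
}

# verify_no_suid DIR
#   Succeed (exit 0) only if no affected binary below DIR is still setuid.
verify_no_suid() {
    [ -z "$(list_suid_affected "$1")" ]
}

# Stand-alone run: only acts when TIBCO_HOME is set, so sourcing the file
# elsewhere has no side effects.
if [ -n "${TIBCO_HOME:-}" ]; then
    echo "setuid affected binaries under $TIBCO_HOME before:"
    list_suid_affected "$TIBCO_HOME"
    changed=$(strip_suid "$TIBCO_HOME")
    echo "cleared setuid on $changed file(s)"
    if verify_no_suid "$TIBCO_HOME"; then
        echo "verified: no affected binary is setuid"
    else
        echo "WARNING: some affected binaries are still setuid" >&2
        exit 1
    fi
fi
```

After clearing the bit, restart the daemons as the advisory instructs, and confirm with `ls -l` that the permission string no longer shows `s` in the owner-execute position. Keep a record of the files changed so the bit can be reviewed once the updated product version (which makes the mitigation unnecessary) has been installed.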
