TIBCO Security Advisory: May 18, 2011 - TIBCO iProcess
The TIBCO iProcess components listed above contain critical vulnerabilities in the processing of inbound HTTP requests:
CVE-2011-2020 - A cross-site scripting vulnerability exists which may allow an attacker to view or modify information in the database.
CVE-2011-2021 - A session fixation vulnerability exists which may allow an attacker to hijack a web session from another user.
TIBCO has released updated versions of the affected software products which address these issues. TIBCO strongly recommends sites running the affected components install the applicable update or take corrective action as described below.
- TIBCO iProcess Engine below 11.1.3
- TIBCO iProcess Workspace (Browser) versions below 11.3.1
The following components are affected:
- TIBCO iProcess Engine Server Manager
- TIBCO iProcess Action Processor
- TIBCO iProcess Workspace (Browser) Client
- TIBCO iProcess Web Client Components (WCC)
The impact of these vulnerabilities may include information modification, information disclosure, and denial of service.
For each affected system, update to the corresponding software versions:
- TIBCO iProcess Engine version 11.1.3 or higher
- TIBCO iProcess Workspace (Browser) version 11.3.1 or higher
This is strongly recommended.
If an upgrade is not possible, the following actions can mitigate the vulnerability:
- Utilize a firewall to restrict access to the TIBCO iProcess components.