TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: October 10, 2018 - TIBCO Spotfire Statistics Services
TIBCO Spotfire Statistics Services remote execution vulnerabilities
Original release date: October 10, 2018
Last revised: --
Source: TIBCO Software Inc.
- TIBCO Spotfire Statistics Services versions 7.11.0 and below
The following components are affected:
- Web server
The component listed above contains multiple vulnerabilities that may allow the remote execution of code. Without needing to authenticate, an attacker may be able to remotely execute code with the permissions of the system account used to run the web server component.
The impact of this vulnerability includes the theoretical possibility of unrestricted remote access to the operating system account hosting the web server component.
CVSS v3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
TIBCO has released updated versions of the affected components which address these issues.
In addition to the updates, security related configuration changes may be required due to new defaults. Please review the documentation.
For each affected system, update to the corresponding software versions:
- TIBCO Spotfire Statistics Services versions 7.11.0 and below update to version 7.11.1 or higher