TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: November 6, 2018 - TIBCO Enterprise Message Service
TIBCO Enterprise Message Service Vulnerable to CSRF Attacks
Original release date: November 6, 2018
Last revised: January 28, 2020
Source: TIBCO Software Inc.
The following versions are affected:
- TIBCO Enterprise Message Service versions 8.4.0 and below
- TIBCO Enterprise Message Service - Community Edition versions 8.4.0 and below
- TIBCO Enterprise Message Service - Developer Edition versions 8.4.0 and below
The following component is affected:
- Central Administration server (emsca)
The component listed above contains a vulnerability that may allow an attacker to perform cross-site request forgery (CSRF) attacks: a user who is logged in to emsca and visits an attacker-controlled page can have their browser submit administrative requests to emsca that they did not intend.
In deployments of TIBCO Enterprise Message Service (EMS) that use the Central Administration server, the impact of this vulnerability includes the theoretical possibility of reconfiguring all EMS servers administered by the affected component. With such access, the attacker might also be able to gain access to all data sent via EMS. The issue is confined to emsca; EMS servers that are not administered through Central Administration are not themselves affected.
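The advisory does not describe how emsca validated requests or how 8.4.1 fixes it. The following is an added illustration, not emsca code and not TIBCO's fix: it contrasts the cookie-only pattern that CSRF exploits (any request carrying a valid session cookie is treated as the administrator's intent) with a hardened check that requires a trusted Origin/Referer and a per-session synchronizer token on every state-changing request. The console origin, session layout and form fields are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Generic CSRF defence for a browser-facing admin console. Illustration only:
# this is not emsca code and does not describe the change shipped in 8.4.1.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Create a per-session secret; the server embeds it in every form and
    expects it back on each state-changing request."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(headers):
    """Return scheme://host[:port] the request came from (Origin, else
    Referer), or None when neither header is present or usable."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return origin
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        if p.scheme and p.netloc:
            return f"{p.scheme}://{p.netloc}"
    return None


def csrf_check(method, headers, form, session, trusted_origins):
    """Accept a request only if it uses a safe method, or if it both comes
    from a trusted origin and echoes the session's token."""
    if method.upper() in SAFE_METHODS:
        return True
    # A cross-site form or fetch carries the victim's cookies but cannot
    # spoof Origin/Referer and cannot read the token (same-origin policy).
    if request_origin(headers) not in trusted_origins:
        return False
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
    expected = session.get("csrf_token")
    if not submitted or not expected:
        return False
    return hmac.compare_digest(submitted, expected)


def cookie_only_check(method, session):
    """The weak pattern CSRF exploits: a valid session cookie is all it takes."""
    return session.get("user") is not None


# Constructed sample: one admin session, one genuine request, one forged one.
ADMIN_CONSOLE = {"https://emsca.example.internal:8080"}  # hypothetical origin
session = {"user": "admin"}
token = issue_csrf_token(session)

genuine = dict(
    method="POST",
    headers={"Origin": "https://emsca.example.internal:8080", "Cookie": "sid=constructed"},
    form={"server": "EMS-PROD-1", "action": "apply-config", "csrf_token": token},
)
forged = dict(
    method="POST",
    headers={"Origin": "https://attacker.example", "Cookie": "sid=constructed"},
    form={"server": "EMS-PROD-1", "action": "apply-config"},
)


def evaluate(req):
    """Return (cookie-only verdict, hardened verdict) for a request."""
    return (
        cookie_only_check(req["method"], session),
        csrf_check(req["method"], req["headers"], req["form"], session, ADMIN_CONSOLE),
    )


if __name__ == "__main__":
    print("genuine:", evaluate(genuine))  # (True, True)
    print("forged: ", evaluate(forged))   # (True, False)
```

The forged request is accepted by the cookie-only check and rejected by the hardened one on two independent grounds (untrusted Origin, missing token). Requiring both checks is deliberate: the Origin check alone fails for clients that strip the header, and the token alone is undone by any markup injection on the console's own origin.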
CVSS v3 Base Score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
TIBCO has released updated versions of the affected systems which address this issue.
For each affected system, update to the corresponding software versions:
- TIBCO Enterprise Message Service versions 8.4.0 and below update to version 8.4.1 or higher
- TIBCO Enterprise Message Service - Community Edition versions 8.4.0 and below update to version 8.4.1 or higher
- TIBCO Enterprise Message Service - Developer Edition versions 8.4.0 and below update to version 8.4.1 or higher