TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: April 9, 2019 - TIBCO ActiveMatrix BusinessWorks
TIBCO ActiveMatrix BusinessWorks Fails To Properly Enforce Authentication
Original release date: April 9, 2019
Source: TIBCO Software Inc.
- TIBCO ActiveMatrix BusinessWorks versions 6.4.2 and below
The following component is affected:
- HTTP Connector
The component listed above contains a vulnerability that theoretically allows unauthenticated HTTP requests to be processed by the BusinessWorks engine even when authentication is required. This possibility is restricted to circumstances where HTTP "Basic Authentication" policy is used in conjunction with an XML Authentication resource. The BusinessWorks engine might instead use credentials from a prior HTTP request for authorization purposes.
The impact of this vulnerability includes the possibility of a malicious HTTP client successfully executing HTTP requests without authenticating. This possibility is restricted to circumstances where HTTP basic authentication is used in conjunction with an XML Authentication resource.
CVSS v3 Base Score: 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
TIBCO has released updated versions of the affected systems which address these issues.
- TIBCO ActiveMatrix BusinessWorks versions 6.4.2 and below update to 6.5.0 or higher