TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.
TIBCO Security Advisory: August 18, 2020 - TIBCO Data Virtualization
TIBCO Data Virtualization
Original release date: August 18, 2020
Last revised: September 16, 2020
Source: TIBCO Software Inc.
- TIBCO Data Virtualization versions 7.0.8 and below
- TIBCO Data Virtualization versions 8.0.0, 8.1.0, 8.1.1, and 8.2.0
- TIBCO Data Virtualization for AWS Marketplace versions 8.2.0 and below
The following component is affected:
- TIBCO Data Virtualization Server
The component listed above contains a vulnerability that theoretically allows a malicious authenticated user to download any arbitrary file from the affected system. The user must be authenticated and have privileges required to monitor the server in an operational capacity.
The impact of these vulnerabilities includes the theoretical possibility that a malicious user could exfiltrate any data file on the affected system. The malicious user cannot modify or delete any files on the affected system with this vulnerability.
CVSS v3 Base Score: 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
TIBCO has released updated versions of the affected systems which address this issue:
- TIBCO Data Virtualization versions 7.0.8 and below update to version 7.0.9 or higher
- TIBCO Data Virtualization versions 8.0.0, 8.1.0, 8.1.1, and 8.2.0 update to version 8.3.0 or higher
- TIBCO Data Virtualization for AWS Marketplace versions 8.2.0 and below update to version 8.3.0 or higher
TIBCO would like to extend its appreciation to the Lockheed Martin Blue Team for discovery of this vulnerability.