Public Notice

Apache Log4J Vulnerability Daily Update

05 January 2022

TIBCO continues to investigate and identify mitigations for the series of Apache Log4J-related vulnerabilities: CVE-2021-44228 (referred to as the “Log4Shell” vulnerability), CVE-2021-45046, CVE-2021-44832, and CVE-2021-45105. The table below contains the current status of these efforts. TIBCO continues to make the investigation and remediation of this vulnerability its top priority.

TIBCO is aware of CVE-2021-4104 and this issue was investigated as part of our response to CVE-2021-44228. It is addressed by Note 1 below.

TIBCO is aware of CVE-2019-17571 and is investigating.

TIBCO products not listed in the sections below are still under active investigation and information about them will be posted in upcoming updates.

TIBCO is monitoring this issue and working with OEM third-party vendors on it, and we will provide additional information as it becomes available on the effect of those vendors’ offerings on TIBCO products.

TIBCO will publish short-term remediation guidance as it becomes available. TIBCO will follow up this guidance with, if appropriate, a hotfix and ultimately an official release to address this vulnerability.

Here is the current status as of the publication time of this update.

 

Log4J CVE Status for TIBCO Products

(applies to versions that are currently in Standard Support)

New products or status changes not in previous updates are indicated by the product name in BOLD.

Mitigations, Hotfixes and Service Packs are hotlinked in the product name.

Legend

✅ - Unaffected or remediated

🔍 - Under Investigation

 

TIBCO Product

CVE-2021-44228

CVE-2021-45046

CVE-2021-45105

CVE-2021-44832

TIBCO® distribution of Apache Pulsar version 2.7.4

Apply Mitigation

🔍

🔍

TIBCO® distribution of Apache Pulsar version 2.8.2

Apply Mitigation

🔍

🔍

TIBCO® distribution of Apache Pulsar version 2.9.1

Apply Mitigation

🔍

🔍

TIBCO ActiveMatrix® Service Grid Platform

See Note 1

See Note 1

See Note 1

TIBCO ActiveSpaces® version 2.x

See Note 1

See Note 1

See Note 1

TIBCO ActiveSpaces® version 4.x

TIBCO Apache Kafka® Distribution

TIBCO® API Exchange Gateway

TIBCO® API Exchange Manager

TIBCO® AuditSafe version 1.1 

TIBCO® BPM Enterprise 4.3.x product line (formerly known as TIBCO® ActiveMatrix BPM)

See Note 1

See Note 1

See Note 1

TIBCO® BPM Enterprise 5.2.1

TIBCO BusinessConnect™

TIBCO BusinessConnect™ Container Edition version 1.1

TIBCO BusinessConnect™ Trading Community Management

TIBCO BusinessEvents® versions 5.x and below

TIBCO BusinessEvents® Enterprise Edition versions 6.0.0 thru 6.2.0

Apply Mitigation

See Note 2

See Note 2

See Note 2

TIBCO BusinessEvents® Extreme

TIBCO BusinessWorks™ 5.14 (TRA 5.11.x and TIBCO Administrator™ 5.11.x) and prior versions

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

TIBCO BusinessWorks™ 5 version 5.15 (TRA 5.12 and TIBCO Administrator™ 5.12), TIBCO ActiveMatrix® Adapter for Database 7.3, TIBCO ActiveMatrix® Adapter for Files for Unix/Win 7.1, and TIBCO ActiveMatrix® Adapter for SAP 7.3

Apply Hotfix

Apply Hotfix

TIBCO BusinessWorks™ 5 adapters and plugins ecosystem

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

TIBCO BusinessWorks™ 6

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

TIBCO BusinessWorks™ 6 plugins ecosystem

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

TIBCO BusinessWorks™ Container Edition

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

TIBCO BusinessWorks™ Container Edition plugins ecosystem

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

See Notes 1 and 2

TIBCO® Clarity – Cloud Edition

TIBCO Cloud™

       

    TIBCO Cloud™ API Management

    TIBCO Cloud™ AuditSafe

    TIBCO Cloud™ Data Streams

    TIBCO Cloud™ Events

    TIBCO Cloud™ Integration

    TIBCO Cloud™ Live Apps

    TIBCO Cloud™ Messaging

    TIBCO Cloud™ Metadata

    TIBCO Cloud™ Nimbus®

    TIBCO Cloud™ Spotfire®

TIBCO Cloud™ MDM

TIBCO Cloud™ API Management - Local Edition

TIBCO DataSynapse GridServer®

TIBCO DataSynapse™ High-Performance Computing Cloud Adapter

TIBCO® Data Migrator versions 8204 and below

TIBCO® Data Migrator Cloud

TIBCO® Data Science for TIBCO Spotfire® Analyst Version

TIBCO® Data Science Team Studio

TIBCO® Data Virtualization version 8.4.0 and below

See Note 1

See Note 1

See Note 1

See Note 1

TIBCO® Data Virtualization version 8.5.0

Apply Mitigation

Apply Mitigation

Apply Mitigation

Apply Mitigation

TIBCO EBX® versions 5.8.x thru 6.x

See Note 1

See Note 1 

See Note 1

See Note 1

TIBCO EBX® Addons 3.12.0 thru 5.2.0

Apply Hotfix

Apply Hotfix

Apply Hotfix

TIBCO EBX® Container Edition version 6.0.3

Apply Hotfix

Apply Hotfix

Apply Hotfix

TIBCO® Enterprise Administrator (TEA)

TIBCO Enterprise Message Service™

TIBCO Enterprise Message Service™ Appliance (EMSA)

TIBCO FOCUS®

TIBCO Flogo® Enterprise and all connectors

TIBCO Foresight® Archive and Retrieval System Standard and Healthcare Editions versions 5.0.0 thru 5.3.0

TIBCO Foresight® BI Bridge® - BAM Extract

Apply Hotfix

Apply Hotfix

🔍

TIBCO Foresight® Instream (Healthcare and Standard Editions) versions 8.8.0 thru 9.2.0

Apply Hotfix

Apply Hotfix

TIBCO Foresight® Operation Monitor Standard and Healthcare Editions versions 5.0.0 thru 5.3.0

TIBCO Foresight® Transaction Insight Standard and Healthcare Editions versions 5.0.0 thru 5.3.0

TIBCO Foresight® Translator (Healthcare and Standard Editions) versions 3.8.0 thru 4.1.0

Apply Hotfix

Apply Hotfix

TIBCO FTL® and eFTL

TIBCO® Fulfillment Catalog Software versions 3.0.0 thru 4.1.0

TIBCO® Fulfillment Order Management 4.0.2

Apply Hotfix

Apply Hotfix

Apply Hotfix

Apply Hotfix

TIBCO® Fulfillment Provisioning

See Note 1

See Note 1 

See Note 1

See Note 1

TIBCO® Fulfillment Subscriber Inventory

See Note 1

See Note 1 

See Note 1

See Note 1

TIBCO® GeoAnalytics

TIBCO® Graph Database

TIBCO Hawk® version 6.2.1 and below

TIBCO iProcess® version 11.7.0 and below

TIBCO iProcess® Engine (Oracle, SQL, DB2) 11.8.x, TIBCO iProcess® Workspace (Windows, Browser, Plug-ins) 11.8.x, TIBCO iProcess® Technology Plug-ins 11.8.x, TIBCO iProcess® Web Services (Server Plug-in, Client Plug-in) 11.8.x

Apply Mitigation

Apply Mitigation

Apply Mitigation

Apply Mitigation

TIBCO iWay® Service Manager

TIBCO iWay® Service Manager Cloud

TIBCO Jaspersoft® ETL 7.3.1

Apply Mitigation

Apply Mitigation

Apply Mitigation

TIBCO Jaspersoft® ETL Administration Center 7.3.1

Apply Mitigation

Apply Mitigation

Apply Mitigation

TIBCO JasperReports® Library

TIBCO JasperReports® Server 7.5.1, 7.8.0, 7.9.0, and 8.0.0

Apply Hotfix

Apply Hotfix

TIBCO LABS™ Project Discover

TIBCO Loglogic® Log Management Intelligence and Enterprise Virtual Appliance versions 6.3.0 and below

TIBCO Loglogic® Log Management Intelligence and Enterprise Virtual Appliance version 6.3.1

Apply Mitigation

Apply Mitigation

Apply Mitigation

Apply Mitigation

TIBCO LogLogic® Universal Collector

TIBCO® Managed File Transfer Command Center and TIBCO® Managed File Transfer Internet Server

Note: No TIBCO® Managed File Transfer Platform Server utilizes Apache Log4J, and none are vulnerable to this issue. Specifically, this applies to the following Platform Servers:

  • TIBCO® Managed File Transfer Platform Server for Windows
  • TIBCO® Managed File Transfer Platform Server for Unix
  • TIBCO® Managed File Transfer Platform Server for z/Linux
  • TIBCO® Managed File Transfer Platform Server for z/OS
  • TIBCO® Managed File Transfer Platform Server for IBMi

Apply Mitigation

Apply Mitigation

Apply Mitigation

TIBCO® Messaging - Eclipse Mosquitto Distribution

TIBCO® MDM version 9.3.0 and below

TIBCO® MDM Studio

TIBCO® ModelOps

TIBCO Nimbus®

TIBCO Nimbus® Service

TIBCO® Offer and Price Engine version 5.0.0

Apply Mitigation

Apply Mitigation

Apply Mitigation

Apply Mitigation

TIBCO Omni-Gen®, TIBCO Omni-Gen® MDM, TIBCO Omni-HealthData®, TIBCO Omni-Insurance™ versions 3.16 and higher

Apply Hotfix

Apply Hotfix

Apply Hotfix

Apply Hotfix

TIBCO Omni-Gen® Cloud

TIBCO Omni-Gen® MDM Cloud

TIBCO Omni-HealthData® Cloud

TIBCO® OpenSpirit

TIBCO® Operational Intelligence Agent

TIBCO® Order Management

Apply Mitigation

Apply Mitigation

Apply Mitigation

Apply Mitigation

TIBCO® Order Management - Long Running 5.0.0

Apply Hotfix

Apply Hotfix

Apply Hotfix

Apply Hotfix

TIBCO PartnerExpress™

TIBCO® Patterns - Search version 5.5.0 and below

TIBCO® Patterns - Search version 5.6.0 thru 5.7.0

Apply Hotfix

Apply Hotfix

Apply Hotfix

Apply Hotfix

TIBCO® Product and Service Catalog

TIBCO Rendezvous® version 8.5.1 and above

TIBCO Scribe® Insight

TIBCO Scribe® Online

TIBCO Silver® Fabric

TIBCO Spotfire® Analyst

TIBCO Spotfire® Automation Services

TIBCO Spotfire® Business Author

TIBCO Spotfire® Cloud Enterprise

TIBCO Spotfire® Consumer

TIBCO Spotfire® Data Streams

TIBCO Spotfire® Desktop

TIBCO Spotfire® Qualification

TIBCO Spotfire® Server, TIBCO Spotfire® Statistics Services, TIBCO Spotfire® Service for Python, TIBCO® Enterprise Runtime for R - Server Edition

Apply Service Pack or Mitigation

Apply Service Pack or Mitigation

Apply Service Pack or Mitigation

Apply Service Pack or Mitigation

TIBCO Statistica®

TIBCO Statistica® Service for Spotfire® Server versions 13.6, 14.0, and V140HFS02-Spotfire

Apply Hotfix or Mitigation

Apply Hotfix or Mitigation

Apply Hotfix or Mitigation

Apply Hotfix or Mitigation

TIBCO® Streaming

See Note 2

See Note 2

See Note 2

TIBCO WebFOCUS® Legacy Releases

TIBCO WebFOCUS® App Studio

TIBCO WebFOCUS® Cloud

TIBCO WebFOCUS®, TIBCO WebFOCUS® Reporting Server, and TIBCO Data Migrator 8207.27.0 to 8207.28.05 Hotfixes

Apply Hotfix

Apply Hotfix

Apply Hotfix

Apply Hotfix

tibbr®

 

Notes:

  1. If a customer has implemented the JMSAppender class for plugins they have written, they should check to make sure they don’t expose this vulnerability. For more details see: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
  2. If a customer has developed their own Java code or installed third-party libraries, they should check to make sure they don't expose this vulnerability. This applies to BW5, BW6, BWCE, and the plugin ecosystems.