Apache Log4J Vulnerability Daily Update 

TIBCO continues to work on investigating and identifying mitigations for the Apache Log4J vulnerability (CVE-2021-44228), referred to as the “Log4Shell” vulnerability. The sections below contain the current status of these efforts. TIBCO continues to make the investigation and remediation of this vulnerability its top priority.

Here is the current status as of the publication time of this update.

CLARIFICATIONS FROM PREVIOUS UPDATES

• TIBCO® BPM Enterprise 4.3.x product line (formerly known as TIBCO® ActiveMatrix BPM) is not vulnerable to this issue, however if a customer has implemented the JMSAppender class they should check to make sure they don’t expose this vulnerability. For more details see https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
  • TIBCO continues to investigate TIBCO® BPM Enterprise 5.x.
• TIBCO BusinessWorks™ 5.14.0 (TRA 5.11.x) and prior are not vulnerable to this issue, however if a customer has implemented the JMSAppender class they should check to make sure they don’t expose this vulnerability. For more details see - https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
  • TIBCO BusinessWorks™ 5 version 5.15.0 (TRA 5.12.0) is still under investigation.
  • TIBCO is still investigating the BusinessWorks 5 ecosystem that depends on BusinessWorks 5.15.0 (TRA 5.12.0).

TIBCO products whose current standard support versions either do not use Apache Log4J or are not on an affected version of Log4J:

(new information from previous updates is in bold)

• TIBCO ActiveMatrix® Service Grid Platform
• TIBCO ActiveSpaces® version 4.x
• TIBCO Apache Kafka Distribution
• TIBCO® API Exchange Gateway
• TIBCO® BPM Enterprise 4.3.x (formerly known as TIBCO® ActiveMatrix BPM) (see update above)
• TIBCO BusinessWorks™ 5 (see update above)
• TIBCO BusinessWorks 6 Runtime version 6.8.0 and previous versions
  • TIBCO is still investigating the remainder of the BusinessWorks 6 ecosystem
  • If a customer has implemented the JMSAppender class for plugins they have written they should check to make sure they don’t expose this vulnerability. For more details see - https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
• TIBCO BusinessWorks Container Edition Runtime version 2.7.0 and previous versions
  • TIBCO is still investigating the remainder of the BusinessWorks 2.7.0 Container Edition ecosystem
  • If a customer has implemented the JMSAppender class for plugins they have written they should check to make sure they don’t expose this vulnerability. For more details see - https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
• TIBCO Data Science for TIBCO Spotfire Analyst Version
• TIBCO Enterprise Message Service™ 
• TIBCO Enterprise Message Service™ Appliance (EMSA)
• TIBCO Flogo® Enterprise and all connectors
• TIBCO FTL® and eFTL
• TIBCO® Graph Database
• TIBCO® GeoAnalytics
• TIBCO LABS™ Project Discover
• TIBCO Rendezvous® version 8.5.1 and above
• TIBCO Scribe® Insight
• TIBCO Scribe® Online
• TIBCO Statistica

TIBCO products that have remediation documentation available:

• TIBCO Apache Pulsar Distribution
• TIBCO Managed File Transfer (MFT) Command Center and Internet Server
  • All MFT Platform Servers do not utilize Apache Log4J and are not vulnerable to this issue. Specifically the following Platform Servers:
    • Managed File Transfer Platform Server for Windows
    • Managed File Transfer Platform Server for Unix
    • Managed File Transfer Platform Server for z/Linux
    • Managed File Transfer Platform Server for z/OS
    • Managed File Transfer Platform Server for IBMi
• TIBCO Spotfire Server 10.3 and higher, TIBCO Spotfire Statistics Services 10.3 and higher, TIBCO Spotfire Service for Python All, TIBCO Enterprise Runtime for R - Server Edition All