Security at TIBCO

Security@TIBCO

TIBCO takes its security responsibilities very seriously. This page provides information about TIBCO security and how customers or security researchers can contact TIBCO to report or ask about a security issue.

Public Notice

Apache Log4J Vulnerability Daily Update

14 December 2021

TIBCO continues to work on investigating and identifying mitigations for the Apache Log4J vulnerability (CVE-2021-44228), referred to as the “Log4Shell” vulnerability. The sections below contain the current status of these efforts. TIBCO continues to make the investigation and remediation of this vulnerability its top priority.

TIBCO is aware of the latest Apache Log4J CVE (CVE-2021-45046) and is tracking and actively evaluating it.

TIBCO products and versions not listed in the sections below are still under active investigation and information about them will be posted in upcoming updates.

TIBCO will publish short-term remediation guidance as it becomes available. TIBCO will follow up this guidance with, if appropriate, a hotfix and ultimately an official release to address this vulnerability.

Here is the current status as of the publication time of this update.

CLARIFICATIONS FROM PREVIOUS UPDATES

  • TIBCO BusinessEvents® versions 5.x and below are not vulnerable. However, version 6.x is vulnerable, with remediation documentation below.

TIBCO products whose current standard support versions either do not use Apache Log4J or are not on an affected version of Log4J:

(new information from previous updates is in bold)

  • TIBCO ActiveMatrix® Service Grid Platform
    • See Note 1 below
  • TIBCO ActiveSpaces® version 4.x
  • TIBCO Apache Kafka® Distribution
  • TIBCO® API Exchange Gateway
  • TIBCO® API Exchange Manager
  • TIBCO® BPM Enterprise 4.3.x product line (formerly known as TIBCO® ActiveMatrix BPM)
    • See Note 1 below
  • TIBCO ActiveMatrix BusinessWorks™ Plug-in for MDM
  • TIBCO BusinessConnect™
  • TIBCO BusinessConnect™ Trading Community Management
  • TIBCO BusinessEvents® versions 5.x and below
  • TIBCO BusinessWorks™ 5.14.0 (TRA 5.11.x) and prior versions
    • See Note 1 below
    • TIBCO BusinessWorks™ 5 version 5.15.0 (TRA 5.12.0) is still under investigation.
    • TIBCO is still investigating the BusinessWorks 5 ecosystem that depends on BusinessWorks 5.15.0 (TRA 5.12.0).
  • TIBCO BusinessWorks™ 6 Runtime version 6.8.0 and previous versions
    • TIBCO is still investigating the remainder of the TIBCO BusinessWorks 6 ecosystem
    • See Note 1 below
  • TIBCO BusinessWorks Container Edition Runtime version 2.7.0 and previous versions
    • TIBCO is still investigating the remainder of the TIBCO BusinessWorks 2.7.0 Container Edition ecosystem
    • See Note 1 below
  • TIBCO BusinessWorks™ Mainframe adapters and plugins
  • TIBCO BusinessWorks™ Workflow Additional Process Engine
  • TIBCO Cloud™ API Management - Local Edition
  • TIBCO Cloud™ Data Streams
  • TIBCO® Data Migrator versions 8204 and below
  • TIBCO® Data Science for TIBCO Spotfire® Analyst Version
  • TIBCO DataSynapse™ High-Performance Computing Cloud Adapter
  • TIBCO® Data Virtualization version 8.4.0 and below
  • TIBCO® Enterprise Administrator (TEA)
  • TIBCO Enterprise Message Service
  • TIBCO Enterprise Message Service Appliance (EMSA)
  • TIBCO FOCUS® 
  • TIBCO Flogo® Enterprise and all connectors
  • TIBCO Foresight® Archive and Retrieval System Standard and Healthcare Editions versions 5.0.0 thru 5.3.0
  • TIBCO Foresight® Operation Monitor Standard and Healthcare Editions versions 5.0.0 thru 5.3.0
  • TIBCO Foresight® Transaction Insight Standard and Healthcare Editions versions 5.0.0 thru 5.3.0
  • TIBCO FTL® and eFTL
  • TIBCO® Fulfillment Catalog Software versions 3.0.0 thru 4.1.0
  • TIBCO® Fulfillment Provisioning
    • See Note 1 below
  • TIBCO® GeoAnalytics
  • TIBCO® Graph Database
  • TIBCO GridServer®
  • TIBCO Hawk® version 6 and below
  • TIBCO iProcess® version 11.7.0 and below
  • TIBCO iWay® Service Manager
  • TIBCO LABS™ Project Discover
  • TIBCO® Messaging - Eclipse Mosquitto Distribution
  • TIBCO® ModelOps
  • TIBCO® OpenSpirit
  • TIBCO PartnerExpress™
  • TIBCO® Product and Service Catalog
  • TIBCO Rendezvous® version 8.5.1 and above
  • TIBCO Scribe® Insight
  • TIBCO Scribe® Online
  • TIBCO Spotfire® Data Streams
  • TIBCO Statistica®
    • TIBCO is still investigating the TIBCO Statistica Service for Spotfire version 13.6, Version 14 
  • TIBCO® Streaming
  • TIBCO WebFOCUS® versions 8204 and below
  • TIBCO WebFOCUS® App Studio

TIBCO is monitoring this issue and working with its third-party vendors on it. We will provide additional information on the effect of those vendors’ offerings on TIBCO products as it becomes available.

Notes:

  1. Customers who have implemented the JMSAppender class in plugins they have written should check that those plugins do not expose this vulnerability. For more details see: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301

TIBCO products with Hotfixes or Service Packs available:

TIBCO products that have remediation documentation available: