Apache Log4J Vulnerability Daily Update

TIBCO continues to work on investigating and identifying mitigations for the Apache Log4J vulnerability (CVE-2021-44228), referred to as the “Log4Shell” vulnerability. The sections below contain the current status of these efforts. TIBCO continues to make the investigation and remediation of this vulnerability its top priority.

TIBCO is aware of CVE-2021-4104 and this issue was investigated as part of our response to CVE-2021-44228. It is addressed by Note 1 below.

TIBCO is aware of the latest Apache Log4J CVE (CVE-2021-45046) and is tracking and actively evaluating it.

TIBCO products and versions not listed in the sections below are still under active investigation and information about them will be posted in upcoming updates.

TIBCO will publish short-term remediation guidance as it becomes available. TIBCO will follow up this guidance with, if appropriate, a hotfix and ultimately an official release to address this vulnerability.

Here is the current status as of the publication time of this update.

TIBCO products whose current standard support versions either do not use Apache Log4J or are not on an affected version of Log4J:

(new information from previous updates is in bold)

• TIBCO ActiveMatrix® Service Grid Platform
  • See Note 1 below
• TIBCO ActiveSpaces® version 2.x
  • See Note 1 below
• TIBCO ActiveSpaces® version 4.x
• TIBCO Apache Kafka® Distribution
• TIBCO® API Exchange Gateway
• TIBCO® API Exchange Manager
• TIBCO® BPM Enterprise 4.3.x product line (formerly known as TIBCO® ActiveMatrix BPM)
  • See Note 1 below
• TIBCO BusinessConnect™
• TIBCO BusinessConnect™ Trading Community Management
• TIBCO BusinessEvents® versions 5.x and below
• TIBCO BusinessEvents® Extreme
• TIBCO BusinessWorks™ 5.14 (TRA 5.11.x and TIBCO Administrator™ 5.11.x) and prior versions
  • This includes the TIBCO BusinessWorks™ 5 adapters and  plugins ecosystem 
  • TIBCO BusinessWorks™ 5 version 5.15 (TRA 5.12 and TIBCO Administrator™ 5.12), TIBCO ActiveMatrix® Adapter for Database 7.3, TIBCO ActiveMatrix® Adapter for Files for Unix/Win 7.1, and TIBCO ActiveMatrix® Adapter for SAP 7.3 are still under investigation.
  • See Notes 1 and 2 below
• TIBCO BusinessWorks™ 6
  • This includes the TIBCO BusinessWorks™ 6 plugins ecosystem
  • See Notes 1 and 2 below
• TIBCO BusinessWorks™ Container Edition
  • This includes the TIBCO BusinessWorks™ Container Edition plugins ecosystem
  • See Notes 1 and 2 below
• TIBCO® Clarity – Cloud Edition 
• TIBCO Cloud™
  • TIBCO Cloud™ API Management
  • TIBCO Cloud™ AuditSafe
  • TIBCO Cloud™ Data Streams
  • TIBCO Cloud™ Events
  • TIBCO Cloud™ Integration
  • TIBCO Cloud™ Live Apps
  • TIBCO Cloud™ Messaging
  • TIBCO Cloud™ Metadata
  • TIBCO Cloud™ Nimbus®
  • TIBCO Cloud™ Spotfire® 
• TIBCO Cloud™ MDM
• TIBCO Cloud™ API Management - Local Edition
• TIBCO® Data Migrator versions 8204 and below
• TIBCO® Data Science for TIBCO Spotfire® Analyst Version
• TIBCO® Data Science Team Studio
• TIBCO DataSynapse™ High-Performance Computing Cloud Adapter
• TIBCO® Data Virtualization version 8.4.0 and below
• TIBCO EBX® versions 5.8.x thru 6.x
  • See Note 1 below
• TIBCO® Enterprise Administrator (TEA)
• TIBCO Enterprise Message Service™
• TIBCO Enterprise Message Service™ Appliance (EMSA)
• TIBCO FOCUS® 
• TIBCO Flogo® Enterprise and all connectors
• TIBCO Foresight® Archive and Retrieval System Standard and Healthcare Editions versions 5.0.0 thru 5.3.0
• TIBCO Foresight® BI Bridge® - BAM Extract
• TIBCO Foresight® Operation Monitor Standard and Healthcare Editions versions 5.0.0 thru 5.3.0
• TIBCO Foresight® Transaction Insight Standard and Healthcare Editions versions 5.0.0 thru 5.3.0
• TIBCO FTL® and eFTL
• TIBCO® Fulfillment Catalog Software versions 3.0.0 thru 4.1.0
• TIBCO® Fulfillment Provisioning
  • See Note 1 below
• TIBCO® Fulfillment Subscriber Inventory
• TIBCO® GeoAnalytics
• TIBCO® Graph Database
• TIBCO GridServer®
• TIBCO Hawk® version 6 and below
• TIBCO iProcess® version 11.7.0 and below
• TIBCO iWay® Service Manager
• TIBCO JasperReports® Library
• TIBCO LABS™ Project Discover
• TIBCO Loglogic® Log Management Intelligence and Enterprise Virtual Appliance versions 6.3.0 and below
• TIBCO LogLogic® Universal Collector
• TIBCO® Operational Intelligence Agent
• TIBCO® Messaging - Eclipse Mosquito Distribution
• TIBCO® MDM
• TIBCO® MDM Studio
• TIBCO® ModelOps
• TIBCO Nimbus®
• TIBCO Nimbus® Service
• TIBCO® OpenSpirit
• TIBCO PartnerExpress™
• TIBCO® Product and Service Catalog
• TIBCO Rendezvous® version 8.5.1 and above
• TIBCO Scribe® Insight
• TIBCO Scribe® Online
• TIBCO Spotfire® Data Streams
• TIBCO Spotfire® Cloud Enterprise
• TIBCO Statistica®
• TIBCO® Streaming
• TIBCO WebFOCUS® versions 8204 and below
• TIBCO WebFOCUS® App Studio
• tibbr® 

Notes:

1. If a customer has implemented the JMSAppender class for plugins they have written they should check to make sure they don’t expose this vulnerability. For more details see: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301
2. If a customer has developed their own java code or installed 3rd party libraries they should check to make sure they don't expose this vulnerability. This applies to BW5, BW6, BWCE, and the plugin ecosystems.

TIBCO is monitoring and working with OEM third-party vendors on this issue and we will provide additional information as it becomes available on the effect of those vendor’s offerings on TIBCO products.

TIBCO Products with Hotfixes or Services Packs available:

• TIBCO® Enterprise Runtime for R - Server Edition (1.3.4, 1.7.2, and 1.9.1)
• TIBCO Omni-Gen®, TIBCO Omni-Gen® MDM, TIBCO Omni-HealthData®, TIBCO Omni-Insurance™ versions 3.16 and higher
• TIBCO JasperReports® Server 7.5.1, 7.8.0, 7.9.0, and  8.0.0
• TIBCO Spotfire® Server (10.10.8, 11.4.3, and 11.6.2)
• TIBCO Spotfire® Service for Python (1.0.4, 1.3.2, and 1.5.1)
• TIBCO Spotfire® Statistics Services (10.10.6, 11.4.3, and 11.6.1)
• TIBCO WebFOCUS® 8207.28.0
• TIBCO WebFOCUS® 8207.28.01
• TIBCO WebFOCUS® 8207.28.05

TIBCO products that have remediation documentation available:

• TIBCO® Data Virtualization version 8.5.0
• TIBCO distribution of Apache Pulsar
• TIBCO BusinessEvents® Enterprise Edition versions 6.0.0 thru 6.2.0
• TIBCO Foresight® Instream (Healthcare and Standard Editions) versions 8.8.0 thru 9.1.0
• TIBCO Foresight® Translator (Healthcare and Standard Editions) versions 3.8.0 thru 4.1.0
• TIBCO iProcess® Engine (Oracle, SQL, DB2) 11.8.x, TIBCO iProcess® Workspace (Windows, Browser, Plug-ins ) 11.8.x, TIBCO iProcess® Technology Plug-ins 11.8.x , TIBCO iProcess® Web Services (Server Plug-in, Client Plug-in) 11.8.x
• TIBCO Jaspersoft® ETL 7.3.1
• TIBCO Jaspersoft® ETL Administration Center 7.3.1
• TIBCO Loglogic® Log Management Intelligence and Enterprise Virtual Appliance version 6.3.1
• TIBCO® Managed File Transfer Command Center and TIBCO® Managed File Transfer Internet Server
  • No TIBCO® Managed File Transfer Platform Server utilizes Apache Log4J, and none are vulnerable to this issue. Specifically the following Platform Servers:
    • TIBCO® Managed File Transfer Platform Server for Windows
    • TIBCO® Managed File Transfer Platform Server for Unix
    • TIBCO® Managed File Transfer Platform Server for z/Linux
    • TIBCO® Managed File Transfer Platform Server for z/OS
    • TIBCO® Managed File Transfer Platform Server for IBMi
• TIBCO Spotfire® Server 10.3 and higher, TIBCO Spotfire® Statistics Services 10.3 and higher, TIBCO Spotfire® Service for Python All versions, TIBCO® Enterprise Runtime for R - Server Edition All versions
• TIBCO Statistica® Service for Spotfire® Server versions 13.6, 14.0, and V140HFS02-Spotfire