Public Notice

Spring Framework Vulnerability Update

21 April 2022

TIBCO is aware of the recently announced Java Spring Framework vulnerabilities (CVE-2022-22963, CVE-2022-22965), with one of them being referred to as “Spring4Shell”. These vulnerabilities potentially enable an attacker to execute arbitrary code by taking advantage of poor data bindings and/or malicious expression language statements. 

TIBCO is also aware of CVE-2022-22950, and this issue is under investigation as part of our response to CVE-2022-22963 and CVE-2022-22965. 

TIBCO is assessing the risk of CVE-2022-22968 and will respond as appropriate. At this time, we believe this is a low risk. 

TIBCO is actively monitoring the still-evolving situation and updates with regard to the Java Spring Framework, and our Product Security Incident Response Team (PSIRT) is actively evaluating how this vulnerability may affect TIBCO products and cloud services.

We will provide updates as more information becomes available and we complete our investigation. This information will include which TIBCO products and services are affected and how customers and users of those products and services can best mitigate or protect themselves from being exploited by this vulnerability.

For more information on the vulnerability, please see the following references:

 

For Active Security Vulnerabilities, we will post daily updates by 5:00 PM PT.

 

Spring Framework Status for TIBCO Products

(applies to versions that are currently in Standard Support)

New products or status changes not in previous updates are indicated by the product name in bold.

Short Term Mitigations and Service Packs are hotlinked in the product name.

Legend

✅ - Unaffected

🛠️ - Remediated through Service Pack or Short Term Mitigation

🔍 - Under Investigation

 

TIBCO Product

CVE-2022-22950

CVE-2022-22963

CVE-2022-22965

TIBCO® distribution of Apache Kafka - All Versions

TIBCO® distribution of Apache Pulsar - All Versions

TIBCO ActiveMatrix® Adapter Framework - All Versions

TIBCO ActiveMatrix® Service Grid Platform version 3.4.0 and below

TIBCO ActiveMatrix BusinessWorks™ version 6.8.0 and below

🔍

🔍 

TIBCO ActiveSpaces® - All Versions

TIBCO® Adapter Migration - All Versions

TIBCO® Adapter SDK - All Versions

TIBCO Administrator version 5.11.x and below

TIBCO Administrator version 5.12.0 and above

🔍

🔍 

TIBCO® API Exchange Gateway - All Versions

TIBCO® AuditSafe version 1.1.1 and below

TIBCO® BPM Enterprise version 5.2.2 and below

TIBCO BusinessConnect™ and its plugins version 7.3 and below

TIBCO BusinessConnect™ Container Edition version 1.2 and below

TIBCO BusinessEvents® version 6.2.1 and below

🔍

🔍 

TIBCO BusinessWorks™ Container Edition version 2.7.1 and below

🔍

🔍 

TIBCO BusinessWorks™ version 5.15.0 and above

🔍

🔍 

TIBCO BusinessWorks™ version 5.14.0 and below

TIBCO BusinessWorks™ 5 adapters and plugins ecosystem

TIBCO BusinessWorks™ 6 adapters and plugins ecosystem

TIBCO BusinessWorks™ Container Edition plugins ecosystem

TIBCO® Clarity version 3.2.1 and below

TIBCO® Clarity – Cloud Edition version 3.1.0 and below

TIBCO Cloud 

    TIBCO Cloud™ Compute

    TIBCO Cloud™ Data Streams

    TIBCO Cloud™ Events

    TIBCO Cloud™ Integration - Connect (Scribe)

    TIBCO Cloud™ Integration - Develop (Flogo) 

    TIBCO Cloud™ Messaging

    TIBCO Cloud™ Spotfire

    TIBCO Cloud™ Live Apps

🔍

🔍 

    TIBCO Cloud™ Nimbus®

TIBCO Cloud™ API Management - Local Edition version 5.5.1 and below

TIBCO Cloud™ API Management - SaaS Edition - All Versions

TIBCO DataSynapse GridServer® - All Versions

TIBCO DataSynapse™ High-Performance Computing Cloud Adapter - All Versions

TIBCO® Data Migrator - All Versions

TIBCO® Data Science version 1.2.1 and below

TIBCO® Data Science for TIBCO Spotfire® Analyst 14.0.0 and below

TIBCO® Data Science Service for TIBCO Spotfire® 14.0.1 and below

🔍

🔍 

TIBCO® Data Science Team Studio version 6.6 and below

TIBCO® Data Virtualization version 8.5.2 and below

TIBCO EBX® version 6.0.5 and below

TIBCO EBX® Addons version 4.5.10 and above

TIBCO EBX® Addons version 5.3.2 and above

TIBCO® Enterprise Administrator version 2.4.1 and below

🔍

🔍 

TIBCO Enterprise Message Service™ - All Versions

TIBCO® Enterprise Runtime for R - Server Edition versions 1.3.7, 1.7.5, 1.11.1

🛠️

🛠️ 

TIBCO Flogo® Connectors - All Versions

TIBCO FOCUS® - All Versions

TIBCO Foresight® Archive and Retrieval System - All Versions

TIBCO Foresight® Connect with FHIR - All Versions

TIBCO Foresight® EDISIM - All Versions

TIBCO Foresight® EDISIM HIPAA Validator Desktop - All Versions

TIBCO Foresight® Operational Monitor - All Versions

TIBCO Foresight® Transaction Insight® - All Versions

TIBCO Foresight® Translator Attachment Adapter - All Versions

TIBCO Foresight® Translator - Healthcare and Standard Editions - All Versions

TIBCO eFTL™ - All Versions

TIBCO FTL® - All Versions

TIBCO Fulfillment® Order Management version 4.0.2 and below

TIBCO® Fulfillment Subscriber Inventory version 2.0 and below

TIBCO® Graph Database version 3.1.0 and below

TIBCO Hawk® version 5.2.0 and below

TIBCO Hawk® version 6.2.0 and above

🔍

🔍 

TIBCO iProcess® Engine (Oracle, SQL, and DB2) - All Versions

TIBCO iProcess® Technology plug-ins - All Versions

TIBCO iProcess® Workspace (Windows, Browser, and plug-ins)  - All Versions 

TIBCO iWay® Service Manager version 8.0.5 and above

TIBCO® Inform Cloud version 8.5.0 and below

TIBCO JasperReports® IO (Professional and At-Scale offerings) version 3.0.x and below

🛠️

🛠️ 

TIBCO JasperReports® Library (Professional and Community offerings) version 8.0.x and below

TIBCO JasperReports® Server (Professional and Community offerings) version 8.0.x and below

TIBCO JasperReports® Server for AWS version 8.0.x and below

🛠️

🛠️ 

TIBCO JasperReports® Server for Azure version 8.0.x and below

🛠️

🛠️ 

TIBCO Jaspersoft® Studio (Professional and Community offerings) version 8.0.x and below

🛠️

🛠️ 

TIBCO LogLogic® Enterprise Virtual Appliance version 6.3.0 and below

TIBCO LogLogic® Enterprise Virtual Appliance version 6.3.1 and above

🔍

🔍 

TIBCO LogLogic® Log Management Intelligence version 6.3.0 and below

TIBCO LogLogic® Log Management Intelligence version 6.3.1 and above

🔍

🔍 

TIBCO LogLogic® Log Source Packages - All Versions

TIBCO® Managed File Transfer Command Center version 8.4 and below

🛠️

🛠️ 

TIBCO® Managed File Transfer Internet Server version 8.4 and below

🛠️

🛠️ 

TIBCO® Managed File Transfer Platform Server for UNIX/zLinux - All Versions

TIBCO® Managed File Transfer Platform Server for Windows - All Versions

TIBCO® Managed File Transfer Platform Server for z/OS - All Versions

TIBCO® MDM version 9.3.0 and below

TIBCO® Messaging - Eclipse Mosquitto Distribution - All Versions

TIBCO® Messaging Manager - All Versions

TIBCO® Messaging Monitor - All Versions

TIBCO® Metadata Agent version 3.0.3 and below

🔍

🔍 

TIBCO® ModelOps version 1.1 and below

TIBCO Nimbus® version 10.5.0 and below

TIBCO Nimbus® Service version 10.5.0 and below

TIBCO® Offer and Price Engine version 5.1.0 and below

🔍

🔍 

🔍 

TIBCO Omni-Gen® version 3.1.6 through 4.1.1

TIBCO® OpenSpirit versions 4.3 and below

TIBCO® Operational Intelligence Agent version 3.0.0 and above

🔍

🔍 

TIBCO® Operational Intelligence Hawk® RedTail version 7.0.0 and above

🔍

🔍 

TIBCO® Order Management version 5.1.0 and below

🔍

🔍 

🔍 

TIBCO® Order Management - LR version 5.0.1 and below

🔍

🔍 

TIBCO® Patterns version 5.6 and below

🔍

🔍 

TIBCO® Product & Catalog version 4.1.0 and below

TIBCO Rendezvous® - All Versions

TIBCO® Reward version 22.2 and below

TIBCO Runtime Agent™ version 5.11.2 and below

TIBCO Runtime Agent™ version 5.12.1 and above

🔍

🔍 

TIBCO Silver® Fabric - All Versions

TIBCO Spotfire® for Amazon Web Services version 11.8.1

TIBCO Spotfire® Analyst - All Versions

TIBCO Spotfire® Automation Services - All Versions

TIBCO Spotfire® Business Author - All Versions

TIBCO Spotfire® Cloud Enterprise - All Versions

🛠️

🛠️ 

TIBCO Spotfire® Consumer - All Versions

TIBCO Spotfire® Desktop - All Versions

TIBCO Spotfire® Qualification - All Versions

TIBCO Spotfire® Server version 11.8.0 and below

🛠️

🛠️ 

TIBCO Spotfire® Service for Python versions 1.0.7, 1.3.5, and 1.11.1

🛠️

🛠️ 

TIBCO Spotfire® Statistics Services version 10.10.9, 11.4.6, and 11.8.1 

🛠️

🛠️ 

TIBCO Statistica® version 14.0 and below

TIBCO® Streaming version 10.6.2 and below

TIBCO WebFOCUS® Client version 8207.28.0 - 2807.28.09

🛠️

🛠️ 

TIBCO WebFOCUS® Client version 8207.28.10

TIBCO WebFOCUS® Client version 9.0.0

🛠️

🛠️ 

TIBCO WebFOCUS® Client version 9.0.1

TIBCO WebFOCUS® Reporting Server - All Versions

WebFOCUS®, iWay® Service Manager, and Omni-Gen® -  Legacy Versions