TIBCO Security Advisory: September 13, 2011 - TIBCO® Managed File Transfer
The TIBCO Managed File Transfer and Slingshot servers contain critical defects in the processing of inbound HTTP requests:
CVE-2011-3423 - A cross-site scripting vulnerability exists which may allow an attacker to view or modify information.
CVE-2011-3424 - A session fixation vulnerability exists which may allow an attacker to hijack a web session from another user.
TIBCO has released updated versions of the affected software products which address these issues. TIBCO strongly recommends sites running the affected components install the applicable update or take corrective action as described below.
- TIBCO Managed File Transfer Internet Server 7.1.0 and earlier
- TIBCO Managed File Transfer Command Center 7.1.0 and earlier
- TIBCO Slingshot 1.8.0 and earlier
The following components are affected:
- TIBCO Managed File Transfer server
- TIBCO Slingshot server
The impact of these vulnerabilities may include information modification, information disclosure, and denial of service.
For each affected system, update to the corresponding software versions:
- TIBCO Managed File Transfer Internet Server 7.1.1 or later
- TIBCO Managed File Transfer Command Center 7.1.1 or later
- TIBCO Slingshot 1.8.1 or later
This is strongly recommended.
If an upgrade is not possible, the following actions can mitigate the vulnerability:
- Utilize a firewall to restrict access to the TIBCO Managed File Transfer and Slingshot servers.