Original release date: January 15, 2008
Last revised: --
Source: TIBCO Software Inc.
TIBCO would like to extend its appreciation to McSlibin and Sean Larsson (iDefense Labs) for discovery of these vulnerabilities, which have been addressed in the 4.4.2 release.
The TIBCO EMS server contains a buffer overflow vulnerability in processing of inbound data via SmartSockets. The impact of this vulnerability may include remote execution of arbitrary code, information disclosure, and denial of service.
TIBCO has released an update which addresses a critical vulnerability in the server component of TIBCO EMS when used in conjunction with TIBCO SmartSockets. This vulnerability affects the EMS server if an attacker controls the SmartSockets Server, or is able to inject data into the TCP stream between the SmartSockets and EMS servers. TIBCO strongly recommends sites running the affected component to install the update or take mitigating action as appropriate.
The following components are affected:
The impact of this vulnerability varies depending on the operating system, configuration options of the server, and the privilege levels of the user that invokes the server.
On Unix based systems, the successful exploit will allow arbitrary code execution with the privileges of the user that invoked the server.
On Windows based systems, the successful exploit will allow arbitrary code execution with the privileges of the user that invoked the server. If the server component is installed as a system service, this will result in access to system privileges.
If an upgrade is not possible, the following actions can mitigate the vulnerability: