CVE-2023-48795 and BusinessConnect

Article ID: KB0107932

Products Versions
TIBCO BusinessConnect 7.4.0

Description

CVE-2023-48795, published on December 18, 2023, describes a vulnerability in the SSH protocol (the "Terrapin" prefix-truncation attack) that affects a variety of SSH clients and servers when certain ciphers and MAC algorithms are negotiated: the chacha20-poly1305@openssh.com cipher, and CBC-mode ciphers used together with encrypt-then-MAC (*-etm@openssh.com) MAC algorithms.

TIBCO Engineering has evaluated this CVE and has determined that the vulnerability can be mitigated in the BusinessConnect 7.4.0 SSH client with the resolution shown below. Note that only BusinessConnect 7.4 is affected; the SSH client in versions of BusinessConnect prior to 7.4 does not support the ciphers and MAC algorithms involved.

The mitigation for the BusinessConnect SFTP Server Plugin 1.1.0 is shown below and applies only to that version. Previous versions of this plugin are retired.

Environment

all platforms

Resolution

For BusinessConnect 7.4, add these two properties to the deployed BC engine TRA files:

java.property.disable.chacha20-poly1305@openssh.com
java.property.maverick.enableETM=false

For the BusinessConnect SFTP Server Plugin 1.1.0:

In the admin console, under System Settings -> Activated Protocol Plug-ins and Properties, select the SFTP plugin and add the following two properties of type String, with the values shown beneath them.

Property:  disable.hashalgorithm 

String value:  hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-md5-etm@openssh.com

Property:  disable.cipher 

String value:  chacha20-poly1305@openssh.com

Together these settings prevent the vulnerable cipher and the encrypt-then-MAC (ETM) MAC algorithms from being negotiated. Removing the ETM MACs is what closes the CBC-cipher variant of the attack, since CBC ciphers are only exploitable in combination with an ETM MAC. After restarting the affected engine or plugin, confirm from the client side (for example, in verbose SSH/SFTP client debug output, which reports the negotiated cipher and MAC for each direction) that chacha20-poly1305@openssh.com and the *-etm@openssh.com MACs are no longer selected.
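To check that the mitigation took effect, or to triage other SSH endpoints, the following added example (not TIBCO's code) decodes the algorithm name-lists from an SSH_MSG_KEXINIT payload as captured from the wire and applies the CVE-2023-48795 conditions: the chacha20-poly1305@openssh.com cipher is attackable on its own, CBC ciphers are attackable only together with an encrypt-then-MAC (*-etm@openssh.com) MAC, and a peer that offers OpenSSH strict key exchange is protected once both sides support it. The sample payloads are constructed to mirror the algorithm lists before and after the properties above are applied; the builder function exists only to produce that sample input.

```python
# Added example (not TIBCO code): evaluate an SSH peer's offered algorithm
# lists for CVE-2023-48795 (Terrapin) exposure. The KEXINIT payloads and
# algorithm lists below are constructed for illustration.
import struct

SSH_MSG_KEXINIT = 20
CHACHA20 = "chacha20-poly1305@openssh.com"
STRICT_KEX = ("kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com")

NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of an SSH_MSG_KEXINIT payload (RFC 4253 s.7.1).

    Layout: byte 20, 16-byte cookie, ten name-lists (uint32 length + ASCII
    comma-separated names), boolean first_kex_packet_follows, uint32 reserved.
    """
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 1 + 16
    lists = {}
    for name in NAME_LISTS:
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length]
        if len(raw) != length:
            raise ValueError(f"truncated name-list {name}")
        offset += length
        lists[name] = [a for a in raw.decode("ascii").split(",") if a]
    return lists


def build_kexinit(kex, host_key, ciphers, macs, comp=("none",)) -> bytes:
    """Encode a KEXINIT payload; used here only to construct sample input."""
    def name_list(items):
        data = ",".join(items).encode("ascii")
        return struct.pack(">I", len(data)) + data
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zero cookie: sample only
    for items in (kex, host_key, ciphers, ciphers, macs, macs, comp, comp, (), ()):
        body += name_list(items)
    return body + b"\x00" + struct.pack(">I", 0)


def assess(ciphers, macs, kex) -> dict:
    """Flag the Terrapin-relevant conditions in one peer's offered lists.

    chacha20  : chacha20-poly1305@openssh.com is offered (attackable on its own)
    cbc_etm   : a CBC cipher is offered alongside an encrypt-then-MAC MAC
    strict_kex: the peer offers OpenSSH "strict kex" (the protocol-level fix;
                it only takes effect when both sides of a connection offer it)
    vulnerable: an attackable combination is offered and strict kex is absent
    """
    chacha = CHACHA20 in ciphers
    cbc_etm = any(c.endswith("-cbc") for c in ciphers) and \
        any(m.endswith("-etm@openssh.com") for m in macs)
    strict = any(k in kex for k in STRICT_KEX)
    return {"chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}


def assess_kexinit(payload: bytes, direction: str = "c2s") -> dict:
    """Assess a captured KEXINIT for one traffic direction ('c2s' or 's2c')."""
    lists = parse_kexinit(payload)
    return assess(lists[f"enc_{direction}"], lists[f"mac_{direction}"], lists["kex"])


# Constructed sample lists mirroring the state before and after the mitigation.
BEFORE = build_kexinit(
    kex=["curve25519-sha256"], host_key=["ssh-ed25519"],
    ciphers=[CHACHA20, "aes128-ctr", "aes128-cbc"],
    macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
          "hmac-sha2-256"])
AFTER = build_kexinit(
    kex=["curve25519-sha256"], host_key=["ssh-ed25519"],
    ciphers=["aes128-ctr", "aes128-cbc"],   # CBC may remain: no ETM MAC is left
    macs=["hmac-sha2-256"])

if __name__ == "__main__":
    for label, payload in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_kexinit(payload))
```

Feed a real capture by passing the decrypted-free KEXINIT payload (it is sent in cleartext before any cipher is negotiated) to assess_kexinit; check both directions, since a server may offer different lists for each.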

Issue/Introduction

BusinessConnect 7.4.0 and BusinessConnect SFTP Server Plugin 1.1.0 are affected by this CVE.

Additional Information

https://www.cve.org/CVERecord?id=CVE-2023-48795