Security Advisory Regarding TIBCO FTL

Article ID: KB0108007

Products            Versions
TIBCO FTL           6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
TIBCO ActiveSpaces  4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2

Description

TIBCO FTL unvalidated SAN in client certificates

  Original release date: October 5, 2021
  Last revised: ---
  Source: TIBCO Software Inc.

Description

  The components listed above contain a vulnerability that theoretically allows
  a non-administrative, authenticated FTL user to trick the affected components
  into creating illegitimate certificates. These maliciously generated
  certificates can be used to enable man-in-the-middle attacks or to escalate
  privileges so that the malicious user has administrative privileges.


Impact

  The impact of this vulnerability includes the theoretical possibility that a
  malicious non-administrative user can gain full administrative access to the
  affected system.
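  The advisory does not describe how tibftlserver issues client certificates, so the
  request shape, the naming convention and the realm in the following check are
  assumptions. The code is an added illustration, not TIBCO's, of the server-side rule
  the description implies: every name a certificate request carries, the subject CN and
  each SAN entry, must be one of the requester's own identities, and "the requester" is
  decided from the session the server already authenticated, never from anything in
  the CSR itself.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed naming convention for this example deployment (not from the advisory).
REALM = "ftl.example.internal"


@dataclass(frozen=True)
class AuthenticatedUser:
    """Identity the server established itself, e.g. from the session that
    submitted the request. Nothing in this object comes from the CSR."""
    username: str


@dataclass
class CertRequest:
    """Identity fields copied out of a client's CSR. A real service would fill
    these from the parsed CSR; here they are constructed for the example."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)
    san_email: List[str] = field(default_factory=list)
    san_uri: List[str] = field(default_factory=list)


def _norm(value: str) -> str:
    # Letter case and a trailing dot do not change which name a relying party
    # will match, so they must not let a request slip past an exact comparison.
    return value.strip().rstrip(".").lower()


def allowed_identities(user: AuthenticatedUser) -> Dict[str, Set[str]]:
    """The only names a non-administrative user may ask for: forms of their own
    identity under the assumed convention."""
    u = _norm(user.username)
    return {
        "cn": {u},
        "dns": {f"{u}.{REALM}"},
        "email": {f"{u}@{REALM}"},
        "uri": {f"urn:ftl:user:{u}"},
    }


def validate_request(user: AuthenticatedUser, req: CertRequest) -> List[str]:
    """Return the policy violations found; an empty list means the request may
    be signed. Every name in the CSR is checked, so a user cannot obtain a
    certificate that names another user, an administrative identity or a
    wildcard, whatever the CSR's own extensions claim."""
    violations: List[str] = []
    allowed = allowed_identities(user)
    fields = {
        "cn": [req.subject_cn],
        "dns": req.san_dns,
        "email": req.san_email,
        "uri": req.san_uri,
    }
    for kind, values in fields.items():
        for raw in values:
            name = _norm(raw)
            if not name:
                violations.append(f"{kind}: empty name")
            elif "*" in name:
                violations.append(f"{kind}: wildcard {raw!r} not permitted")
            elif name not in allowed[kind]:
                violations.append(
                    f"{kind}: {raw!r} is not an identity of {user.username!r}"
                )
    return violations


if __name__ == "__main__":
    alice = AuthenticatedUser("alice")
    # Constructed requests: one legitimate, one asking for a name alice does not own.
    print(validate_request(alice, CertRequest("alice", san_email=["alice@" + REALM])))
    print(validate_request(alice, CertRequest("admin", san_dns=["admin." + REALM])))
```

  The point of the design is that the signer never copies the CSR's SAN extension
  through unexamined: the allowed set is derived from the authenticated session, and
  the CSR only gets to agree with it or be rejected.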

  CVSS v3 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Environment

Products Affected

  TIBCO ActiveSpaces - Community Edition versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2
  TIBCO ActiveSpaces - Developer Edition versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2
  TIBCO ActiveSpaces - Enterprise Edition versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2
  TIBCO FTL - Community Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
  TIBCO FTL - Developer Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
  TIBCO FTL - Enterprise Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
  TIBCO eFTL - Community Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
  TIBCO eFTL - Developer Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0
  TIBCO eFTL - Enterprise Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0

  The following components are affected:

  * FTL Server (tibftlserver)
  * Docker images containing tibftlserver

Resolution

  TIBCO has released updated versions of the affected systems that address this
  issue:

  TIBCO ActiveSpaces - Community Edition versions 4.3.0, 4.4.0, 4.5.0, 4.6.0,
    4.6.1, and 4.6.2 update to version 4.7.0 or later

  TIBCO ActiveSpaces - Developer Edition versions 4.3.0, 4.4.0, 4.5.0, 4.6.0,
    4.6.1, and 4.6.2 update to version 4.7.0 or later

  TIBCO ActiveSpaces - Enterprise Edition versions 4.3.0, 4.4.0, 4.5.0, 4.6.0,
    4.6.1, and 4.6.2 update to version 4.7.0 or later

  TIBCO FTL - Community Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0,
    6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later

  TIBCO FTL - Developer Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0,
    6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later

  TIBCO FTL - Enterprise Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0,
    6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later

  TIBCO eFTL - Community Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0,
    6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later

  TIBCO eFTL - Developer Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0,
    6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later

  TIBCO eFTL - Enterprise Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0,
    6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later

Issue/Introduction

Security Advisory Regarding TIBCO FTL unvalidated SAN in client certificates

Additional Information

  https://www.tibco.com/services/support/advisories
  CVE-2021-35497