Security Advisory Regarding TIBCO Spotfire

Products	Versions
Spotfire Server	10.3.12 and below, 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 10.8.1, 10.9.0, 10.10.0, 10.10.1, 10.10.2, 10.10.3, and 10.10.4,11.0.0, 11.1.0, 11.2.0, and 11.3.0
Spotfire Enterprise Runtime for R - Server Edition	1.2.4 and below, 1.3.0 and 1.3.1, 1.4.0, 1.5.0, and 1.6.0

Description

TIBCO Spotfire Windows Platform Artifact Search vulnerability

Original release date: June 29, 2021
Last revised: ---
Source: TIBCO Software Inc.

Description

The components listed above contain a vulnerability that theoretically allows
a low privileged attacker with local access on the Windows operating system to
insert malicious software. The affected component can be abused to execute the
malicious software inserted by the attacker with the elevated privileges of
the component. This vulnerability results from the affected component
searching for run-time artifacts outside of the installation hierarchy.

Impact

The impact of this vulnerability includes the possibility of an attacker
gaining full access to the Windows operating system at the privilege level of
the affected component.

CVSS v3 Base Score: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Environment

Products Affected TIBCO Enterprise Runtime for R - Server Edition versions 1.2.4 and below TIBCO Enterprise Runtime for R - Server Edition versions 1.3.0 and 1.3.1 TIBCO Enterprise Runtime for R - Server Edition versions 1.4.0, 1.5.0, and 1.6.0 TIBCO Spotfire Analytics Platform for AWS Marketplace versions 11.3.0 and below TIBCO Spotfire Server versions 10.3.12 and below TIBCO Spotfire Server versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, 10.8.0, 10.8.1, 10.9.0, 10.10.0, 10.10.1, 10.10.2, 10.10.3, and 10.10.4 TIBCO Spotfire Server versions 11.0.0, 11.1.0, 11.2.0, and 11.3.0 TIBCO Spotfire Statistics Services versions 10.3.0 and below TIBCO Spotfire Statistics Services versions 10.10.0, 10.10.1, and 10.10.2 TIBCO Spotfire Statistics Services versions 11.1.0, 11.2.0, and 11.3.0 The following components are affected: * TIBCO Spotfire Server * TIBCO Enterprise Runtime for R

Resolution

TIBCO has released updated versions of the affected systems which address this
issue:

TIBCO Enterprise Runtime for R - Server Edition versions 1.2.4 and below
update to version 1.2.5 or later

TIBCO Enterprise Runtime for R - Server Edition versions 1.3.0 and 1.3.1
update to version 1.3.2 or later

TIBCO Enterprise Runtime for R - Server Edition versions 1.4.0, 1.5.0, and
1.6.0 update to version 1.7.0 or later

TIBCO Spotfire Analytics Platform for AWS Marketplace versions 11.3.0 and
below update to version 11.4.0 or later

TIBCO Spotfire Server versions 10.3.12 and below update to version 10.3.13
or later

TIBCO Spotfire Server versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0,
10.8.0, 10.8.1, 10.9.0, 10.10.0, 10.10.1, 10.10.2, 10.10.3, and 10.10.4
update to version 10.10.5 or later

TIBCO Spotfire Server versions 11.0.0, 11.1.0, 11.2.0, and 11.3.0 update to
version 11.4.0 or later

TIBCO Spotfire Statistics Services versions 10.3.0 and below update to
version 10.3.1 or later

TIBCO Spotfire Statistics Services versions 10.10.0, 10.10.1, and 10.10.2
update to version 10.10.3 or later

TIBCO Spotfire Statistics Services versions 11.1.0, 11.2.0, and 11.3.0
update to version 11.4.0 or later

Issue/Introduction

Security Advisory regarding TIBCO Spotfire Windows Platform Artifact Search vulnerability

Additional Information

Acknowledgments

TIBCO would like to extend its appreciation to Will Dormann of CERT/CC for
discovery of this vulnerability.

References

http://www.tibco.com/services/support/advisories
CVE-2021-28830

Welcome to "KB Articles"