Security Advisory regarding TIBCO Managed File Transfer


Article ID: KB0108037

Products                                        Versions
TIBCO Managed File Transfer Internet Server     8.2.1 and below

Description

The components listed above contain a vulnerability that allows an authenticated user to obtain the session identifier of another user. Replaying that session identifier could grant administrative or file transfer rights on the affected system. This occurs on Command Center and Internet Server when the admin service is installed.

To determine whether the admin service is installed for MFT Internet Server, check the web.xml:
<MFT Install>/server/webapps/cfcc/WEB-INF/web.xml

The web.xml InstallAdminService parameter defines whether the admin service is installed:
YES indicates that the admin service is installed.
NO indicates that the admin service is NOT installed.

<context-param>
<param-name>InstallAdminService</param-name>
<param-value>YES</param-value>
</context-param>

Impact

The impact of this vulnerability includes the possibility that an attacker could gain administrative control of the affected system.

Environment

Systems Affected:
TIBCO Managed File Transfer Command Center versions 8.2.1 and below
TIBCO Managed File Transfer Internet Server versions 8.2.1 and below

The following components are affected:
* Admin Service

Resolution

The workaround has two steps:

Step 1: Comment out lines in the admin deploy wsdd

: cd <MFT Install>/distribution/setup
: copy file sift-deploy-admin.wsdd to sift-deploy-admin.wsdd.backup
: edit file sift-deploy-admin.wsdd
: Comment out these two lines at around line 43

<!--
<beanMapping qname="asNS:Session" xmlns:asNS="urn:AdministratorService" languageSpecificType="java:com.proginet.sift.dbaccess.Session"/>
<typeMapping qname="asNS:ArrayOfSession" xmlns:asNS="urn:AdministratorService" type="java:com.proginet.sift.dbaccess.Session[]" serializer="org.apache.axis.encoding.ser.ArraySerializerFactory" deserializer="org.apache.axis.encoding.ser.ArrayDeserializerFactory" encodingStyle="http://schemas.xmlsoap.org/soap/encoding"/>
-->

Step 2: Execute the deploy command:

On Windows execute:
deploy.bat 127.0.0.1 7080 admin pppppppp cfcc
On Unix execute:
./deploy.sh 127.0.0.1 7080 admin pppppppp cfcc
Where:
: 7080 is the port (8080 is the default for Command Center)
: pppppppp is the password for the admin user
: cfcc is the context

The change takes effect immediately; there is no need to recycle (restart) the MFT Server.

Look for the following messages to confirm the deploy was successful:
Processing file sift-deploy-admin.wsdd
<Admin>Done processing</Admin>
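An added verification check, not TIBCO's code: the Python below reads the two files this advisory names (assumed at <MFT Install>/server/webapps/cfcc/WEB-INF/web.xml and <MFT Install>/distribution/setup/sift-deploy-admin.wsdd) and reports whether the admin service is installed and whether the Session bean and array mappings are still live, i.e. whether Step 1 of the workaround has been applied. The sample documents in the block are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Java types of the two mappings that the workaround comments out.
SESSION_TYPES = {
    "java:com.proginet.sift.dbaccess.Session",
    "java:com.proginet.sift.dbaccess.Session[]",
}

def _local(tag):
    """Strip a namespace: '{ns}context-param' -> 'context-param'."""
    return tag.rsplit("}", 1)[-1]

def admin_service_installed(web_xml_text):
    """True when web.xml sets context-param InstallAdminService to YES."""
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "context-param":
            continue
        params = {_local(c.tag): (c.text or "").strip() for c in elem}
        if params.get("param-name") == "InstallAdminService":
            return params.get("param-value", "").upper() == "YES"
    return False

def active_session_mappings(wsdd_text):
    """qnames of Session bean/type mappings still live in the wsdd.
    ElementTree discards XML comments, so mappings wrapped in <!-- -->
    (the workaround) are not returned; an empty list means it was applied."""
    found = []
    for elem in ET.fromstring(wsdd_text).iter():
        if _local(elem.tag) in ("beanMapping", "typeMapping"):
            java_type = elem.get("languageSpecificType") or elem.get("type")
            if java_type in SESSION_TYPES:
                found.append(elem.get("qname"))
    return found

# Constructed samples standing in for the real web.xml and
# sift-deploy-admin.wsdd (read those files in place of these strings).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param><param-name>InstallAdminService</param-name>
                 <param-value>YES</param-value></context-param>
</web-app>"""
WSDD_BEFORE = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <beanMapping qname="asNS:Session" xmlns:asNS="urn:AdministratorService"
      languageSpecificType="java:com.proginet.sift.dbaccess.Session"/>
  <typeMapping qname="asNS:ArrayOfSession" xmlns:asNS="urn:AdministratorService"
      type="java:com.proginet.sift.dbaccess.Session[]"/>
</deployment>"""
# The same file after Step 1 of the workaround: both mappings commented out.
WSDD_AFTER = (WSDD_BEFORE.replace("<beanMapping", "<!--\n<beanMapping")
              .replace("</deployment>", "-->\n</deployment>"))
```

A deployment is still exposed when admin_service_installed() is True and active_session_mappings() is non-empty for the installed wsdd.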

Issue/Introduction

Security Advisory regarding TIBCO Managed File Transfer Session Disclosure