TIBCO ActiveSpaces Administrative Daemon Vulnerable to CSRF Attacks
Original release date: November 6, 2018
Source: TIBCO Software Inc.
Description
The administrative daemon (tibdgadmind) listed below contains a vulnerability that may allow an attacker to perform cross-site request forgery (CSRF) attacks against it.
Impact
In deployments that use the administrative daemon, there is a theoretical possibility that an attacker could gain full administrative access to the data grid, including the ability to delete data tables and to remove nodes from operation.
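The following is an added illustration, not TIBCO code and not a description of how tibdgadmind is implemented: a generic browser-facing admin endpoint shown first without any CSRF defence (any cookie-authenticated POST succeeds, which is the class of defect the advisory describes) and then with the standard mitigation, an Origin check plus a per-session synchronizer token. The origin, paths, table names and request shapes are constructed for the example.

```python
# Added example (not TIBCO's code). Minimal model of an HTTP admin endpoint,
# the unprotected "before" handler, and a hardened handler that rejects
# cross-site state-changing requests.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed origin the administrative UI is served from (constructed value).
ADMIN_ORIGIN = "https://admin.example.internal"
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


@dataclass
class Session:
    """Server-side session; the CSRF token is generated once per session."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict


def unprotected_admin(req, grid):
    """Vulnerable pattern: trusts the session cookie alone, so a form
    auto-submitted from any site the admin visits is honoured."""
    if req.method == "POST" and req.path == "/admin/drop_table":
        grid.discard(req.form["table"])
        return 200, "dropped"
    return 404, "unknown"


def origin_of(url):
    """Reduce an Origin/Referer value to scheme://host[:port] for comparison."""
    u = urlparse(url)
    return f"{u.scheme}://{u.netloc}"


def csrf_check(req, session):
    """Return (allowed, reason). Safe methods pass; state-changing requests
    must come from the admin origin and carry the session's token."""
    if req.method in SAFE_METHODS:
        return True, "safe method"
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is None or origin_of(src) != ADMIN_ORIGIN:
        return False, "origin mismatch"
    token = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False, "bad token"
    return True, "ok"


def protected_admin(req, session, grid):
    """Hardened handler: the CSRF check runs before any state change."""
    allowed, reason = csrf_check(req, session)
    if not allowed:
        return 403, reason
    return unprotected_admin(req, grid)


def demo():
    """Runs a forged cross-site POST and a legitimate POST through both
    handlers and returns the outcomes plus the surviving tables."""
    session = Session()
    forged = Request("POST", "/admin/drop_table",
                     {"Origin": "https://attacker.example"}, {"table": "orders"})
    legit = Request("POST", "/admin/drop_table",
                    {"Origin": ADMIN_ORIGIN},
                    {"table": "orders", "csrf_token": session.csrf_token})

    before = {"orders", "customers"}
    unprotected_result = unprotected_admin(forged, before)   # (200, "dropped")

    after = {"orders", "customers"}
    forged_result = protected_admin(forged, session, after)  # (403, "origin mismatch")
    legit_result = protected_admin(legit, session, after)    # (200, "dropped")
    return unprotected_result, sorted(before), forged_result, legit_result, sorted(after)


if __name__ == "__main__":
    print(demo())
```

The Origin check alone is not sufficient (older clients omit the header, and a Referer can be suppressed), and the token alone does not help if it is also readable cross-site, so the two are used together; the same reasoning applies to any daemon that exposes administrative actions to a cookie-authenticated browser.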
CVSS v3 Base Score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Environment
Systems Affected
TIBCO ActiveSpaces - Community Edition versions 3.3.0, 3.4.0, and 3.5.0
TIBCO ActiveSpaces - Developer Edition versions 3.0.0, 3.1.0, 3.3.0, 3.4.0, and 3.5.0
TIBCO ActiveSpaces - Enterprise Edition versions 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.4.0, and 3.5.0
The following components are affected:
* administrative daemon (tibdgadmind)
Resolution
Solution
TIBCO has released updated versions of the affected component which address this issue.
For each affected system, update to the corresponding software versions:
TIBCO ActiveSpaces - Community Edition versions 3.3.0, 3.4.0, and 3.5.0 update to version 3.5.1 or higher
TIBCO ActiveSpaces - Developer Edition versions 3.0.0, 3.1.0, 3.3.0, 3.4.0, and 3.5.0 update to version 3.5.1 or higher
TIBCO ActiveSpaces - Enterprise Edition versions 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.4.0, and 3.5.0 update to version 3.5.1 or higher