| Products | Versions |
|---|---|
| TIBCO Web Messaging for TIBCO Enterprise Message Service | 4.0.9, 4.5.3 |
TIBCO Web Messaging for TIBCO Enterprise Message Service™ vulnerabilities
   Original release date: April 4, 2017
   Source:  Kaazing Corporation
Systems Affected
   TIBCO Web Messaging for TIBCO Enterprise Message Service, version 4.5.3 and earlier
   The following components are affected:
     * TIBCO Web Messaging for TIBCO Enterprise Message Service server (Kaazing Gateway server, HTTP and WebSocket engine)
Description
   The components listed above contain a potential vulnerability in the
   handling of HTTP requests which may result in unauthorized access.
   TIBCO has released updated versions of the affected software products
   which address this issue.  TIBCO strongly recommends that sites running the
   affected components install the applicable update as described below.
Impact
   The impact of this vulnerability is information disclosure.
   CVSS V3 base vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
   (base score 4.8, Medium; note that the vector also rates integrity impact as Low)
   
Solution
   If you have configured authentication and authorization according to the
   "Checklist: Configure Authentication and Authorization":
   https://kaazing.com/doc/jms/4.0/security/o_aaa_config_authentication.html or
   implemented your custom login modules conforming to the guidelines in the
   "Java Authentication and Authorization Service (JAAS): LoginModule Developer's Guide":
   http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASLMDevGuide.html,
   then you are not affected by this vulnerability.  Treat this as something to
   verify rather than assume: confirm that the gateway actually enforces
   authentication on its HTTP and WebSocket endpoints before relying on it.
   Otherwise, for each affected system, update to the corresponding software version:
   TIBCO Web Messaging for TIBCO Enterprise Message Service, version 4.0.9 Hotfix 19
   TIBCO Web Messaging for TIBCO Enterprise Message Service, version 4.5.3 Hotfix 1
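   The following is an added example, not code from TIBCO, Kaazing or this
   advisory: a custom JAAS LoginModule written to the two-phase contract in the
   LoginModule Developer's Guide linked above, which is what "conforming to the
   guidelines" means in practice.  The class name ExampleLoginModule, the
   UserPrincipal type, the in-memory PBKDF2 credential store with its fixed salt,
   and the demo user alice are assumptions made for the example; registering the
   module in the gateway configuration is covered by the Kaazing checklist above
   and is not shown here.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical module; the in-memory store, fixed salt and demo user are constructed for this example. */
public final class ExampleLoginModule implements LoginModule {
    // Principal placed on the Subject only after a successful commit() (record needs Java 16+).
    public record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    private static final byte[] SALT = "demo-salt-not-for-production".getBytes(StandardCharsets.UTF_8);
    private static final int ITERATIONS = 100_000, KEY_BITS = 256;
    private static final Map<String, byte[]> STORE = Map.of("alice", derive("correct horse".toCharArray()));

    private Subject subject;
    private CallbackHandler handler;
    private String user;               // set by login(), consumed by commit()
    private UserPrincipal principal;   // set by commit(), removed by logout()
    private boolean loginOk, commitOk;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // Phase 1: verify credentials and fail closed by throwing; the Subject is not touched here.
    @Override public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("No CallbackHandler to collect credentials");
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] {nameCb, passCb});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Credential collection failed: " + e.getMessage());
        }
        String name = nameCb.getName();
        char[] password = passCb.getPassword();   // a copy; wipe both when done
        passCb.clearPassword();
        if (name == null || password == null || password.length == 0) {
            throw new FailedLoginException("Username and password are required");
        }
        try {
            // Derive for unknown users too (a miss costs the same as a wrong password), compare in constant time.
            byte[] actual = derive(password);
            byte[] expected = STORE.get(name);
            if (expected == null || !MessageDigest.isEqual(expected, actual)) {
                throw new FailedLoginException("Invalid username or password");
            }
        } finally {
            Arrays.fill(password, '\0');
        }
        user = name;
        loginOk = true;
        return true;
    }

    // Phase 2: add the principal only if phase 1 succeeded for this module.
    @Override public boolean commit() throws LoginException {
        if (!loginOk) return false;
        principal = new UserPrincipal(user);
        subject.getPrincipals().add(principal);   // Set semantics: no duplicate for the same name
        user = null;
        commitOk = true;
        return true;
    }

    // Another module in the stack failed: undo whatever this one did so far.
    @Override public boolean abort() throws LoginException {
        if (!loginOk) return false;
        if (commitOk) return logout();
        user = null;
        loginOk = false;
        return true;
    }

    @Override public boolean logout() throws LoginException {
        if (principal != null) subject.getPrincipals().remove(principal);
        user = null;
        principal = null;
        loginOk = commitOk = false;
        return true;
    }

    private static byte[] derive(char[] password) {
        PBEKeySpec spec = new PBEKeySpec(password, SALT, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword();
        }
    }
}
```

   The two properties worth checking in any custom module are visible here:
   login() throws FailedLoginException on a bad credential instead of returning
   true, and commit() is the only place the Subject is modified, so a failure
   anywhere in the login stack (which triggers abort()) leaves no principal
   behind.  A module that adds the principal during login(), or returns true
   on a lookup miss, is exactly the kind of non-conforming module the advisory's
   exemption does not cover.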
  
References
   https://support.kaazing.com/hc/en-us/articles/115004752368