TIBCO Managed File Transfer Command Center and Internet Server - Mitigation for Spring Framework Vulnerabilities


Article ID: KB0072430


Products Versions
TIBCO Managed File Transfer Command Center 8.2.x, 8.3.x, 8.4.x

Description

TIBCO is aware of the recently announced Java Spring Framework vulnerabilities (CVE-2022-22963, CVE-2022-22965), with one of them being referred to as “Spring4Shell”.

TIBCO continues to make the investigation and remediation of this vulnerability its top priority. We will provide updates for the TIBCO MFT product suite via this article if more information becomes available. Please contact TIBCO Support with any questions.

TIBCO Managed File Transfer products that may be affected by CVE-2022-22963 and CVE-2022-22965

  • MFT Internet Server and Command Center v8.2.x, mitigation available
  • MFT Internet Server and Command Center v8.3.x, mitigation available
  • MFT Internet Server and Command Center v8.4.x, mitigation available

TIBCO Managed File Transfer products that are not affected

  • TIBCO® Managed File Transfer Platform Server for Windows
  • TIBCO® Managed File Transfer Platform Server for Unix
  • TIBCO® Managed File Transfer Platform Server for z/Linux
  • TIBCO® Managed File Transfer Platform Server for z/OS
  • TIBCO® Managed File Transfer Platform Server for IBMi

Issue/Introduction

TIBCO Managed File Transfer Command Center and Internet Server - Mitigation for Spring Framework Vulnerabilities

Environment

All supported environments

Resolution

Mitigation

These instructions are based on the mitigation documented by Spring Framework for vulnerable versions of the Spring jar files.

TIBCO recommends replacing the spring jar files manually as follows:

- Download the spring-5.3.18-dist.zip file from this URL: https://repo.spring.io/ui/native/release/org/springframework/spring/5.3.18/
- Select the zip file: spring-5.3.18-dist.zip
- After downloading the zip file, unzip the file and save it in a temporary directory.
- After unzipping spring-5.3.18-dist.zip, navigate to: spring-framework-5.3.18\libs
- Copy the spring-beans-5.3.18.jar and spring-core-5.3.18.jar files from this directory

This change should be made to all Command Center and Internet Server instances. Note, Connection Manager Server and Connection Manager Agent are not affected.

In directory: <MFT-Install>/server/webapps/cfcc/WEB-INF/lib
- Delete the spring-beans-3.1.28.RELEASE.jar and spring-core-3.1.28.RELEASE.jar files
- Copy the spring-beans-5.3.18.jar and spring-core-5.3.18.jar files from the temporary directory
- Restart the MFT Server
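
A post-change check for the jar swap described above, as an added example that is not part of the TIBCO article or product. It confirms that a WEB-INF/lib directory holds only the 5.3.18 spring-beans and spring-core jars; the function name `check_spring_jars` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not TIBCO code): verify the Spring jar replacement in one
# web application lib directory, for instance
#   <MFT-Install>/server/webapps/cfcc/WEB-INF/lib
# Return codes (chosen for this example):
#   0 = only the 5.3.18 spring-beans and spring-core jars are present
#   1 = a spring-beans/spring-core jar of another version is still present
#   2 = no other version remains, but a 5.3.18 jar is missing
#   3 = the argument is not a directory

WANT_VERSION="5.3.18"

check_spring_jars() {
    lib_dir=$1
    leftover=0
    missing=0
    if [ ! -d "$lib_dir" ]; then
        echo "not a directory: $lib_dir" >&2
        return 3
    fi
    for name in spring-beans spring-core; do
        expected="$lib_dir/$name-$WANT_VERSION.jar"
        if [ ! -f "$expected" ]; then
            echo "MISSING  $expected"
            missing=1
        fi
        # Any other version of the same jar left in the directory stays on the classpath.
        for jar in "$lib_dir"/"$name"-*.jar; do
            [ -e "$jar" ] || continue    # glob matched nothing
            if [ "$jar" != "$expected" ]; then
                echo "LEFTOVER $jar"
                leftover=1
            fi
        done
    done
    if [ "$leftover" -eq 1 ]; then return 1; fi
    if [ "$missing" -eq 1 ]; then return 2; fi
    echo "OK       $lib_dir"
    return 0
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_spring_jars "$1"
fi
```

Run it once per Command Center and Internet Server instance, before restarting the MFT Server.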

Additional Information