TIBCO BusinessEvents: Mitigation for Apache Tomcat Local Privilege Escalation vulnerability (CVE-2022-23181)

Article ID: KB0072545

Products: TIBCO BusinessEvents Enterprise Edition
Versions: 5.6.1, 6.0.0, 6.1.0, 6.1.1, 6.2.0, 6.2.1

Description

According to https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9, the following Tomcat versions are impacted by CVE-2022-23181:

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0-M8
Apache Tomcat 10.0.0-M5 to 10.0.14
Apache Tomcat 9.0.35 to 9.0.56
Apache Tomcat 8.5.55 to 8.5.73

TIBCO BusinessEvents Enterprise Edition 6.2.1 ships Tomcat 9.0.53 libraries, and TIBCO BusinessEvents Enterprise Edition 5.6.1 comes with Tomcat 9.0.27 libraries. You can find the Tomcat libraries in your BE installation under BE_HOME/lib/ext/tpcl/Apache. According to the affected versions list published by Apache, both versions are impacted by CVE-2022-23181. Please refer to the resolution below for the steps to update the Tomcat jars in the BE installation to mitigate CVE-2022-23181.

Issue/Introduction

This article contains the steps to mitigate Apache Tomcat Local Privilege Escalation vulnerability (CVE-2022-23181) for the TIBCO BusinessEvents Enterprise Edition.

Environment

All Supported Platforms

Resolution

1. Stop any running BE applications, take a backup of the following jar files, and remove them from BE_HOME/lib/ext/tpcl/apache/:
catalina-ha.jar
catalina-tribes.jar
tomcat-dbcp.jar
tomcat-embed-core.jar
tomcat-embed-el.jar
tomcat-embed-jasper.jar
tomcat-embed-websocket.jar

2. Download the following jars from the Maven repository and copy them into BE_HOME/lib/ext/tpcl/apache/:
https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-catalina-ha/9.0.58
https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-tribes/9.0.58
https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-dbcp/9.0.58
https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core/9.0.58
https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-el/9.0.58
https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-jasper/9.0.58
https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-websocket/9.0.58

3. Restart your BE applications.
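To confirm that the jar swap above actually took effect, it helps to read the Tomcat version out of each jar's manifest and compare it against the affected ranges listed in the Description. The following script is an added example, not part of this article or of TIBCO's tooling: it reads Implementation-Version from META-INF/MANIFEST.MF of every jar in a directory (for example BE_HOME/lib/ext/tpcl/apache/) and flags any version inside the Apache ranges; the in-memory sample jar it builds is constructed for demonstration only.

```python
"""Audit Tomcat jars against the CVE-2022-23181 affected ranges (Apache advisory)."""
import io
import re
import zipfile
from pathlib import Path

# Inclusive ranges from the advisory. Milestones (e.g. 10.1.0-M8) sort before the
# final release of the same number, see parse_version().
AFFECTED = [("10.1.0-M1", "10.1.0-M8"), ("10.0.0-M5", "10.0.14"),
            ("9.0.35", "9.0.56"), ("8.5.55", "8.5.73")]

def parse_version(v):
    """Turn '9.0.56' or '10.1.0-M8' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    # 4th element: 0 = milestone (pre-release), 1 = final; 5th = milestone number.
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))

def is_affected(version):
    """True if version falls inside any published affected range."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED)

def jar_tomcat_version(jar):
    """Return Implementation-Version from the jar's manifest, or None if absent."""
    with zipfile.ZipFile(jar) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def audit_dir(directory):
    """Map jar name -> (version, affected?) for every *.jar in directory."""
    results = {}
    for jar in sorted(Path(directory).glob("*.jar")):
        ver = jar_tomcat_version(jar)
        results[jar.name] = (ver, is_affected(ver) if ver else None)
    return results

def make_sample_jar(version):
    """Constructed sample: an in-memory jar holding only a manifest (not a real Tomcat jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    buf.seek(0)
    return buf
```

Run `audit_dir("BE_HOME/lib/ext/tpcl/apache")` after step 2; every Tomcat jar should report 9.0.58 and `False`.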

Additional Information

https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23181

https://nvd.nist.gov/vuln/detail/CVE-2022-23181