Legacy ibi Releases and Spring Framework Vulnerability

Article ID: KB0072388

Products: ibi WebFOCUS, ibi Omni, ibi FOCUS
Versions: -

Description

TIBCO is aware of the recently announced Java Spring Framework vulnerabilities (CVE-2022-22963, CVE-2022-22965, and CVE-2022-22950), with one of them being referred to as “Spring4Shell”. These vulnerabilities potentially enable an attacker to execute arbitrary code by taking advantage of poor data bindings and/or malicious expression language statements.

TIBCO is actively monitoring the still evolving situation and updates regarding the Java Spring Framework, and our Product Security Incident Response Team (PSIRT) is actively evaluating how these vulnerabilities may affect TIBCO products and cloud services.

The following releases of legacy ibi products are not impacted by CVE-2022-22963, CVE-2022-22965, or CVE-2022-22950, when installed with the default configuration (see Resolution section below for default configuration details):
  • TIBCO WebFOCUS Client 8.2.06.33 and prior versions
  • TIBCO WebFOCUS App Studio 8.2.06.33 and prior versions
  • TIBCO Omni-Gen 3.15 and prior versions
  • TIBCO iWay Service Manager 8.0.4 and prior versions

The following releases of legacy ibi products are not impacted by CVE-2022-22963, CVE-2022-22965, or CVE-2022-22950:
  • TIBCO Reporting Server (all releases)
  • TIBCO Data Migrator (all releases)
  • TIBCO FOCUS (all releases)

Issue/Introduction

This article describes legacy ibi product releases not impacted by Spring Framework vulnerabilities.

Environment

All

Resolution

TIBCO WebFOCUS Client and TIBCO WebFOCUS App Studio

Confirm that the default configuration is installed:

  • Apache Tomcat
  • Java 1.8
  • ibi_apps (open deployment)
  • ibi_html (war deployment), which does not contain Spring Framework code

To check for this configuration:
  1. Open http://server:port/ibi_apps/admin, where server is the name of the server hosting your installation of WebFOCUS, and port is the number of the port connection to that server.
  2. Select HTTP Request Info from the Diagnostics pane. If the Application Server is not Apache Tomcat, your testing is complete. Otherwise, continue to the next step.
  3. Select JVM Property Info from the Diagnostics pane. If it shows that you are running Java 1.8, your testing is complete. Otherwise, continue to the next step.
  4. Open xxx:\ibi\tomcat\conf\Catalina\localhost\ibi_apps.xml. If docBase does not include .war, your testing is complete.

If all three conditions hold (Apache Tomcat, a Java version other than 1.8, and a docBase that includes .war), change your deployment so that ibi_apps is not deployed from the .war file. Also, consider upgrading your WebFOCUS version.

For additional security, you can upgrade Apache Tomcat, as there are Spring4Shell-related fixes in versions 10.0.20, 9.0.62, and 8.5.78. However, if you are currently running Tomcat 8, continue to use this version.

TIBCO Omni-Gen and TIBCO iWay Service Manager

To check the Java version in Omni-Gen:
  1. To access the Omni-Gen Web Console, open https://server:9526/manager/status, where server is the name of the server hosting your installation of Omni-Gen.
  2. Enter admin for both the Username and Password.
  3. Under Server Information, see the JVM Version. Confirm that it is the recommended version for your release, as specified in the documentation.

To check the Java version in iWay Service Manager:
  1. To access the iWay Service Manager Console, open http://hostname:9999, where hostname is the host name where you installed iWay.
  2. Under Properties, select Java Properties.
  3. Confirm that the java.runtime.version is the recommended version for your release, as specified in the documentation.

You can also use the iWay Service Manager command line. Enter >show jvm to check the Java version.
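The following Python script is an added example and is not part of this TIBCO article or of any ibi product. It encodes the WebFOCUS Client / App Studio checklist above (application server, Java version, docBase of ibi_apps.xml) as a decision function, compares a Tomcat version string against the fixed releases named above, and parses the java.runtime.version string that the Omni-Gen and iWay Service Manager checks ask you to read. The ibi_apps.xml contents and the server and version strings are constructed samples; the file paths in them are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Tomcat context files (the article's ibi_apps.xml); the paths are
# placeholders, not taken from a real installation.
IBI_APPS_XML_WAR = """<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="C:/ibi/WebFOCUS82/webapps/ibi_apps.war" path="/ibi_apps" reloadable="false"/>
"""
IBI_APPS_XML_OPEN = """<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="C:/ibi/WebFOCUS82/webapps/ibi_apps" path="/ibi_apps" reloadable="false"/>
"""

# Tomcat branches and the releases that carry the Spring4Shell-related fixes named in the article.
TOMCAT_FIXED = {(10, 0): (10, 0, 20), (9, 0): (9, 0, 62), (8, 5): (8, 5, 78)}


def context_doc_base(xml_text):
    """Return the docBase attribute of the <Context> element, or None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "Context":
        return None
    return root.get("docBase")


def is_war_deployment(xml_text):
    """Step 4 of the checklist: True when docBase points at a .war archive."""
    doc_base = context_doc_base(xml_text)
    if doc_base is None:
        return False
    return doc_base.strip().rstrip("/\\").lower().endswith(".war")


def java_major_version(version_string):
    """Map a java.runtime.version string to its major release:
    '1.8.0_333' -> 8, '11.0.15+10' -> 11, '17' -> 17."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", version_string)
    if not m:
        raise ValueError("unrecognised Java version: %r" % version_string)
    first = int(m.group(1))
    # Releases before 9 use the legacy 1.x scheme, where x is the real major version.
    if first == 1 and m.group(2) is not None:
        return int(m.group(2))
    return first


def tomcat_has_spring4shell_fix(server_info):
    """True when the Tomcat version is at or above the fixed release for its branch,
    False when below it, None when the branch is not one the article lists."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", server_info)
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    fixed = TOMCAT_FIXED.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def needs_remediation(app_server, java_version, ibi_apps_xml):
    """Walk the article's decision tree for WebFOCUS Client / App Studio.
    Only when all three conditions hold (Tomcat, Java other than 1.8, .war docBase)
    does the article ask you to move away from the .war deployment."""
    if "tomcat" not in app_server.lower():      # step 2: not Tomcat, testing complete
        return False
    if java_major_version(java_version) == 8:   # step 3: Java 1.8, testing complete
        return False
    return is_war_deployment(ibi_apps_xml)      # step 4: docBase with .war


if __name__ == "__main__":
    # Values as they would be read from HTTP Request Info and JVM Property Info (constructed).
    for server, java, xml in [
        ("Apache Tomcat/9.0.58", "11.0.15+10", IBI_APPS_XML_WAR),
        ("Apache Tomcat/9.0.58", "1.8.0_333", IBI_APPS_XML_WAR),
        ("Apache Tomcat/9.0.62", "11.0.15+10", IBI_APPS_XML_OPEN),
    ]:
        verdict = "remediate" if needs_remediation(server, java, xml) else "default configuration"
        print(server, java, "war" if is_war_deployment(xml) else "open",
              "->", verdict, "| Tomcat fixed:", tomcat_has_spring4shell_fix(server))
```

To use it against a real installation, paste the Application Server string from HTTP Request Info, the java.runtime.version from JVM Property Info (or from the Omni-Gen Server Information page, the iWay Java Properties page, or `show jvm`), and the contents of ibi_apps.xml into the three arguments of needs_remediation; the docBase check is the one most worth automating, since a .war docBase is easy to overlook on a host that otherwise matches the default configuration.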

Additional Information

Spring Framework Vulnerability Update: