TIBCO Active Matrix Service Grid Administrator Unauthenticated Download of
Sensitive File

  Original release date: April 24, 2019
  Last revised: --
  Source: TIBCO Software Inc.


Systems Affected

  TIBCO ActiveMatrix BPM versions 4.2.0 and below

  TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric versions 4.2.0
    and below

  TIBCO ActiveMatrix Policy Director versions 1.1.0 and below

  TIBCO ActiveMatrix Service Bus versions 3.3.0 and below

  TIBCO ActiveMatrix Service Grid versions 3.3.1 and below

  TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric
    versions 3.3.0 and below

  TIBCO Silver Fabric Enabler for ActiveMatrix BPM versions 1.4.1 and below

  TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid versions 1.3.1 and
    below

  The following component is affected:

    * administrative web server


Description

  The component listed above contains a vulnerability that could theoretically
  allow an unauthenticated user to download a file with credentials
  information.


Impact

  The impact of this vulnerability includes the theoretical possibility
  that credentials could be disclosed.

  CVSS v3 Base Score: 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
 

Security Advisory regarding TIBCO Active Matrix Service Grid Administrator Unauthenticated Download of Sensitive File

Systems Affected TIBCO ActiveMatrix BPM versions 4.2.0 and below TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric versions 4.2.0 and below TIBCO ActiveMatrix Policy Director versions 1.1.0 and below TIBCO ActiveMatrix Service Bus versions 3.3.0 and below TIBCO ActiveMatrix Service Grid versions 3.3.1 and below TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric versions 3.3.0 and below TIBCO Silver Fabric Enabler for ActiveMatrix BPM versions 1.4.1 and below TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid versions 1.3.1 and below The following component is affected: * administrative web server

  TIBCO has released updated versions of the affected components which address
  these issues.

  In addition to the updates, customers should verify that keystore files used
  in conjunction with the affected component are password protected.

  For each affected system, update to the corresponding software versions:

  TIBCO ActiveMatrix BPM versions 4.2.0 and below update to version 4.3.0
    or higher

  TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric versions 4.2.0
    and below update to 4.3.0 or higher

  TIBCO ActiveMatrix Policy Director versions 1.1.0 and below update to
    version 2.0.0 or higher. Due to the scheduled retirement of this product
    in early 2021, customers are strongly encouraged to contact TIBCO Support
    in order to explore alternative paths for remediation.

  TIBCO ActiveMatrix Service Bus versions 3.3.0 and below update to
    TIBCO ActiveMatrix Service Grid version 3.4.0 or higher (product
    functionality has been consolidated)

  TIBCO ActiveMatrix Service Grid versions 3.3.1 and below update to version
    3.4.0 or higher

  TIBCO ActiveMatrix Service Grid Distribution for TIBCO Silver Fabric versions
    3.3.0 and below update to version 3.4.0 or higher

  TIBCO Silver Fabric Enabler for ActiveMatrix BPM versions 1.4.1 and below
    update to version 1.4.2 or higher

  TIBCO Silver Fabric Enabler for ActiveMatrix Service Grid versions 1.3.1 and
    below update to version 1.3.2 or higher
 

  http://www.tibco.com/services/support/advisories
  CVE-2019-8993