TIBCO BusinessEvents and impact of recent Spring Vulnerabilities

Article ID: KB0072249

Products: TIBCO BusinessEvents Enterprise Edition
Versions: 5.6.0, 5.6.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1

Description

In recent days, three vulnerabilities were reported in Spring libraries. For more information on the vulnerabilities, please see the following references:

This article clarifies the impact of these vulnerabilities on the supported versions of TIBCO BusinessEvents 5.x and 6.x. For the general Spring vulnerability update from TIBCO, please refer to https://www.tibco.com/support/notices/spring-framework-vulnerability-update.

Environment

All Supported Platforms

Resolution

  1. TIBCO BusinessEvents 5.6.x is unaffected by the three Spring vulnerabilities.
  2. TIBCO BusinessEvents 6.x versions are not directly affected by these Spring vulnerabilities. Note that BE versions 6.2.0 and 6.2.1 ship Spring jars, but these are used primarily by the Apache Ignite Console and not directly by the BE run-time.
  3. Going forward, we plan to remove the affected Spring jars from the BE installation in the upcoming release BE 6.2.2; customers who need to continue using them with the Ignite Console can add the required jars themselves.
  4. As a short-term solution, customers can delete the currently vulnerable Spring jars from their BE 6.2.0 and 6.2.1 installations if they are not using them, by following the step below. No action is needed if BE 6.0.0, 6.1.0, 6.1.1 or 6.1.2 is used.
    • Steps: Remove all the jars under BE_HOME/lib/ext/tpcl/apache/ignite/ignite-spring, where BE_HOME refers to your BE 6.2.0 or 6.2.1 installation home.
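The removal step above, as an added example that is not part of the TIBCO article: instead of deleting the jars outright, the script moves them to a backup directory, reports how many were moved, and re-checks that the ignite-spring directory holds no jars, so the change can be reverted if the Ignite Console is needed later. BE_HOME is the BE 6.2.0 or 6.2.1 installation home; the backup location is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the TIBCO article): quarantine the Spring jars that
# BE 6.2.0 / 6.2.1 ship for the Ignite Console by moving them to a backup
# directory rather than deleting them, so the step is reversible.

# Relative path of the Ignite Spring jars named in the article.
IGNITE_SPRING_REL="lib/ext/tpcl/apache/ignite/ignite-spring"

# Print the jars currently under BE_HOME/$IGNITE_SPRING_REL, one per line.
list_ignite_spring_jars() {
    be_home="$1"
    dir="$be_home/$IGNITE_SPRING_REL"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -name '*.jar' | sort
}

# Move every jar in the ignite-spring directory into <backup_dir>
# (an assumed location) and print the number of jars moved.
quarantine_ignite_spring_jars() {
    be_home="$1"
    backup_dir="$2"
    dir="$be_home/$IGNITE_SPRING_REL"
    count=0
    [ -d "$dir" ] || { echo 0; return 0; }
    mkdir -p "$backup_dir"
    for jar in "$dir"/*.jar; do
        [ -f "$jar" ] || continue
        mv "$jar" "$backup_dir/"
        count=$((count + 1))
    done
    echo "$count"
}

# Post-check: succeed only when no jar remains in the ignite-spring directory.
verify_no_ignite_spring_jars() {
    [ -z "$(list_ignite_spring_jars "$1")" ]
}

# Usage (BE_HOME must already be set to the installation home):
#   quarantine_ignite_spring_jars "$BE_HOME" "$BE_HOME/quarantine/ignite-spring"
#   verify_no_ignite_spring_jars "$BE_HOME" && echo "ignite-spring jars removed"
```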

Issue/Introduction

This article highlights the impact of the recent Spring CVEs CVE-2022-22963, CVE-2022-22950 and CVE-2022-22965 on TIBCO BusinessEvents.