TIBCO Managed File Transfer Command Center and Internet Server - Mitigation for Spring Framework Vulnerabilities
Article ID: KB0072430
Updated On:
Products: TIBCO Managed File Transfer Command Center
Versions: 8.2.x, 8.3.x, 8.4.x
Description
TIBCO is aware of the recently announced Java Spring Framework vulnerabilities (CVE-2022-22963, CVE-2022-22965), with one of them being referred to as “Spring4Shell”.
TIBCO continues to make the investigation and remediation of this vulnerability its top priority. We will provide updates for the TIBCO MFT product suite via this article if more information becomes available. Please contact TIBCO Support with any questions.
TIBCO Managed File Transfer products that may be affected by CVE-2022-22963 and CVE-2022-22965
- MFT Internet Server and Command Center v8.2.x, mitigation available
- MFT Internet Server and Command Center v8.3.x, mitigation available
- MFT Internet Server and Command Center v8.4.x, mitigation available
TIBCO Managed File Transfer products that are not affected
- TIBCO® Managed File Transfer Platform Server for Windows
- TIBCO® Managed File Transfer Platform Server for Unix
- TIBCO® Managed File Transfer Platform Server for z/Linux
- TIBCO® Managed File Transfer Platform Server for z/OS
- TIBCO® Managed File Transfer Platform Server for IBMi
Environment
All supported environments
Resolution
Mitigation
These instructions are based on the mitigation documented by Spring Framework for vulnerable versions of the Spring jar files.
TIBCO recommends replacing the spring jar files manually as follows:
- After unzipping spring-5.3.18-dist.zip, navigate to: spring-framework-5.3.18\libs
- Copy the spring-beans-5.3.18.jar and spring-core-5.3.18.jar files from this directory
This change should be made to all Command Center and Internet Server instances. Note that Connection Manager Server and Connection Manager Agent are not affected.
In directory: <MFT-Install>/server/webapps/cfcc/WEB-INF/lib
- Delete the spring-beans-3.1.28.RELEASE.jar and spring-core-3.1.28.RELEASE.jar files
- Copy the spring-beans-5.3.18.jar and spring-core-5.3.18.jar files from the temporary directory
- Restart the MFT Server
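One way to confirm the replacement on each instance, as an added example that is not TIBCO's own tooling: the script checks a WEB-INF/lib directory for the two 5.3.18 jars and for any other version of the same artifacts left behind. The function name and output labels are made up for this example; the directory is passed as an argument.

```shell
#!/bin/sh
# Added example: audit one WEB-INF/lib directory after the jar replacement.
# Usage: sh check_spring_jars.sh "<MFT-Install>/server/webapps/cfcc/WEB-INF/lib"

FIXED_VERSION="5.3.18"   # version named in the article

# check_spring_jars DIR  (hypothetical helper name)
# Returns 0 when, for both spring-beans and spring-core, the only jar present
# is the 5.3.18 one; 1 if a jar is missing or another version remains;
# 2 if DIR is not a directory.
check_spring_jars() {
    lib_dir=$1
    status=0
    if [ ! -d "$lib_dir" ]; then
        echo "ERROR: not a directory: $lib_dir" >&2
        return 2
    fi
    for artifact in spring-beans spring-core; do
        wanted="$artifact-$FIXED_VERSION.jar"
        if [ -f "$lib_dir/$wanted" ]; then
            echo "OK:       $wanted present"
        else
            echo "MISSING:  $wanted"
            status=1
        fi
        # Any other version of the same artifact still in the directory means
        # the delete step was skipped or only partly done.
        for jar in "$lib_dir/$artifact"-*.jar; do
            [ -e "$jar" ] || continue      # glob matched nothing
            name=${jar##*/}
            if [ "$name" != "$wanted" ]; then
                echo "LEFTOVER: $name"
                status=1
            fi
        done
    done
    return $status
}

# Run the check when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_spring_jars "$1"
fi
```

Run it against every Command Center and Internet Server instance; a non-zero exit status means that instance still needs the delete or copy step.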