Products | Versions |
---|---|
All Products | - |
TIBCO Support has received a number of inquiries regarding a recently announced vulnerability, CVE-2020-1938. Details are available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938. The vulnerability is known as "Ghostcat" and affects the Apache JServ Protocol (AJP) connector of the Apache Tomcat server embedded in some TIBCO products. The TIBCO Security team has evaluated the Ghostcat vulnerability and its impact on TIBCO products. Findings and recommendations follow.
Most TIBCO Products are not impacted by the Ghostcat vulnerability. Either Tomcat is not included in the product itself, or the AJP connector is disabled by default.
The TIBCO products listed below are impacted by the vulnerability as identified in the vulnerability announcement. These products have the AJP connector enabled by default. TIBCO has published, or will soon publish, articles describing how to address the vulnerability in each affected product. In most cases, the remediation involves a configuration change to disable the AJP connector.
For TIBCO ActiveMatrix® Grid Server Software:
For TIBCO® Patterns - Search:
For TIBCO MDM:
For TIBCO Hawk®:
https://support.tibco.com/s/article/Ghostcat-vulnerability-of-Tomcat-server
For TIBCO Managed File Transfer Server products:
For TIBCO Fulfillment Order Management:
The following products will have Late Breaking News articles published shortly. This article will be updated as the LBN articles referring to these products are published.
JasperReports Server
Mainframe WebUI
Offer and Price Engine
Order Management - Low Latency
Silver Fabric
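A check an administrator could run against a Tomcat `server.xml` to confirm whether an AJP connector is still active after the configuration change. This is an added example, not TIBCO's code: it assumes a stock Tomcat `conf/server.xml` layout (where that file lives inside a given TIBCO product is not stated here), the sample XML is constructed, and the loopback and secret checks go beyond the disable-the-connector remediation described above.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a stock Tomcat conf/server.xml (not taken from a TIBCO product).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- <Connector port="8019" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8029" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               address="127.0.0.1" secret="constructed-placeholder" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def find_ajp_connectors(server_xml: str):
    """Return one finding per active AJP connector in the given server.xml text.

    Connectors that are commented out are skipped automatically, because
    XML comments never become elements in the parsed tree.
    """
    root = ET.fromstring(server_xml.strip())
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol is HTTP/1.1
        # AJP is declared either as "AJP/1.3" or by an org.apache.coyote.ajp.* class name.
        if not (protocol.upper().startswith("AJP") or ".ajp." in protocol.lower()):
            continue
        address = conn.get("address")  # None: bind default depends on the Tomcat version
        findings.append({
            "port": conn.get("port"),
            "protocol": protocol,
            "address": address,
            "loopback_only": address in LOOPBACK,
            # "requiredSecret" is the older name of the "secret" attribute.
            "has_secret": bool(conn.get("secret") or conn.get("requiredSecret")),
        })
    return findings


if __name__ == "__main__":
    for f in find_ajp_connectors(SAMPLE_SERVER_XML):
        state = "loopback only" if f["loopback_only"] else "address not restricted to loopback"
        print(f"AJP connector active on port {f['port']} ({f['protocol']}): "
              f"{state}, secret set: {f['has_secret']}")
```

An empty result means no AJP connector is active in that file, which is the state the configuration change aims for.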
Disclaimer: While TIBCO provides this information regarding exposure to the known vulnerability in good faith and makes reasonable efforts to supply correct, current and high quality guidance, TIBCO is releasing the results of our findings solely on an ‘as is’ basis without any express or implied warranties, undertakings or guarantees.