TIBCO Spotfire Resolution and Mitigation for Spring Framework Vulnerabilities

Article ID: KB0072422

Product: Spotfire Server
Versions: All

Description

The TIBCO Security team is aware of the recently announced Spring vulnerabilities CVE-2022-22965 (Spring Framework, referred to as "Spring4Shell") and CVE-2022-22963 (Spring Cloud Function). Both potentially allow an attacker to execute arbitrary code: CVE-2022-22965 abuses Spring MVC/WebFlux request data binding to reach ClassLoader properties, and CVE-2022-22963 injects a malicious Spring Expression Language (SpEL) statement through a routing header.

TIBCO is also aware of CVE-2022-22950, a denial-of-service issue in Spring Framework's SpEL evaluation; it is being handled as part of the response to CVE-2022-22963 and CVE-2022-22965.

For more information about the general TIBCO investigation, refer to the TIBCO Public Notice "Spring Framework Vulnerability Update".

This article provides additional information on how TIBCO Spotfire products in particular are affected.

TIBCO Spotfire products with resolution or mitigation steps 

  • TIBCO Spotfire Server
    • 7.11.9 LTS and higher
    • 10.3.6 LTS and higher
    • 10.10.0 LTS and higher
    • 11.0.0
    • 11.1.0
    • 11.2.0
    • 11.3.0 and higher
    • 11.4.0 LTS and higher
    • 11.5.0
    • 11.6.0 and higher
    • 11.7.0
    • 11.8.0 and higher
Note: If you are running a version older than those listed above, upgrade to a listed version; no mitigation is available for older versions.

TIBCO Spotfire products that are not affected

  • TIBCO Spotfire Analyst
  • TIBCO Spotfire Desktop
  • TIBCO Spotfire Automation Services
  • TIBCO Spotfire Business Author / TIBCO Spotfire Consumer ("TIBCO Spotfire Web Player")
  • TIBCO Spotfire Qualification
  • TIBCO Enterprise Runtime for R
  • TIBCO Spotfire Statistics Services
  • TIBCO Spotfire Service for Python 
  • TIBCO Enterprise Runtime for R - Server Edition

Issue/Introduction

This article contains resolution and mitigation steps for the Spring Framework vulnerabilities (also referred to as Spring4Shell and SpringShell) for the TIBCO Spotfire product suite.

Environment

All

Resolution

Resolution

For TIBCO Spotfire Server, the following service packs, which update Spring Framework to version 5.3.18 (the first 5.3.x release that fixes CVE-2022-22965), are available for download from the TIBCO eDelivery site for the Mainstream and LTS versions listed. These service packs address CVE-2022-22965:
  • TIBCO Spotfire Server 10.10.11
  • TIBCO Spotfire Server 11.4.6
  • TIBCO Spotfire Server 11.8.1
Note: The resolution or mitigation steps for CVE-2022-22965 address CVE-2022-22950 as well; Spring Framework 5.3.18 already contains the fix for CVE-2022-22950, which was released in 5.3.17.

Service packs have been released for the latest Mainstream version and for the LTS versions for which end of support has not been announced; versions 11.8, 11.4 and 10.10 are therefore the only versions currently receiving service packs. See Overview of TIBCO Spotfire Releases – Mainstream and LTS (Long-Term Support) for details.

Note: Although they are not affected by the CVEs above, new service packs that update Spring Framework to version 5.3.18 are also available from the TIBCO eDelivery site for the following products:
  • TIBCO Spotfire Statistics Services 10.10.9
  • TIBCO Spotfire Statistics Services 11.4.6
  • TIBCO Spotfire Statistics Services 11.8.1
  • TIBCO Spotfire Service for Python 1.0.7
  • TIBCO Spotfire Service for Python 1.3.5
  • TIBCO Spotfire Service for Python 1.11.1
  • TIBCO Enterprise Runtime for R - Server Edition 1.3.7
  • TIBCO Enterprise Runtime for R - Server Edition 1.7.5
  • TIBCO Enterprise Runtime for R - Server Edition 1.11.1
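After applying a service pack, an administrator will want to confirm that the deployed Spring Framework library really is 5.3.18 or newer. The following POSIX shell script is an added check and is not part of the TIBCO article or its attachment: it walks an installation directory and lists Spring Framework module jars whose version is older than 5.3.18. The Spotfire installation layout, the Maven-style jar naming (spring-<module>-<version>.jar) and the example path in the usage comment are assumptions; only the Spring Framework artifacts are examined, since spring-boot, spring-security and similar libraries carry their own version lines.

```shell
#!/bin/sh
# Added example, not part of the TIBCO article: flag Spring Framework jars
# older than the version the service packs ship. Assumes Maven-style jar
# names (spring-<module>-<version>.jar) somewhere under the directory given.

MIN_SPRING_VERSION="5.3.18"   # first 5.3.x release fixing CVE-2022-22965

# version_lt A B: true (exit 0) when dotted version A sorts before B,
# comparing component by component numerically (so 5.3.9 < 5.3.18).
version_lt() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        if [ "$v1" = "$p1" ]; then v1=""; else v1=${v1#*.}; fi
        if [ "$v2" = "$p2" ]; then v2=""; else v2=${v2#*.}; fi
        p1=${p1:-0}; p2=${p2:-0}
        if [ "$p1" -lt "$p2" ]; then return 0; fi
        if [ "$p1" -gt "$p2" ]; then return 1; fi
    done
    return 1
}

# find_old_spring_jars DIR MIN: print "path version" for every Spring
# Framework module jar below DIR whose version is older than MIN.
# spring-boot, spring-security etc. are skipped: they version separately.
find_old_spring_jars() {
    dir="$1"; min="$2"
    find "$dir" -type f -name 'spring-*.jar' | sort | while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        # spring-context-support-5.3.17 -> artifact=spring-context-support, ver=5.3.17
        artifact=$(printf '%s\n' "$base" | sed -n 's/^\(spring-[a-z-]*[a-z]\)-\([0-9][0-9.]*\).*$/\1/p')
        ver=$(printf '%s\n' "$base" | sed -n 's/^\(spring-[a-z-]*[a-z]\)-\([0-9][0-9.]*\).*$/\2/p')
        ver=${ver%.}   # "5.2.22.RELEASE" yields "5.2.22." above; drop the trailing dot
        case "$artifact" in
            spring-aop|spring-aspects|spring-beans|spring-context|spring-context-support|\
            spring-core|spring-expression|spring-jcl|spring-jdbc|spring-jms|spring-messaging|\
            spring-orm|spring-oxm|spring-test|spring-tx|spring-web|spring-webflux|\
            spring-webmvc|spring-websocket) ;;
            *) continue ;;
        esac
        if version_lt "$ver" "$min"; then
            printf '%s %s\n' "$jar" "$ver"
        fi
    done
}

# check_spring_jars DIR: exit 0 when no outdated Spring Framework jar is
# found below DIR, 1 otherwise (the offending jars are listed on stderr).
check_spring_jars() {
    old=$(find_old_spring_jars "$1" "$MIN_SPRING_VERSION")
    if [ -n "$old" ]; then
        printf 'Spring Framework jars older than %s:\n%s\n' "$MIN_SPRING_VERSION" "$old" >&2
        return 1
    fi
    return 0
}

# Usage (installation path is an assumption): sh check-spring.sh /opt/tibco/tss/11.8.1
if [ "$#" -gt 0 ]; then
    check_spring_jars "$1"
fi
```

The check trusts the jar file name; a build that repackages or renames Spring classes would need the version read from META-INF/MANIFEST.MF or pom.properties inside the jar instead. Run it against every node of a clustered deployment, since a service pack applied to one node says nothing about the others.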

Mitigation

If upgrading to the service packs listed above (recommended) is not an option, see the attached document "Spotfire Mitigation for Spring4Shell.pdf" for mitigation steps.

Attachments

TIBCO Spotfire Resolution and Mitigation for Spring Framework Vulnerabilities