Article ID: KB0108123
Description
TIBCO Web Messaging for TIBCO Enterprise Message Service™ vulnerabilities
Original release date: April 4, 2017
Source: Kaazing Corporation
Systems Affected
TIBCO Web Messaging for TIBCO Enterprise Message Service, version 4.5.3 and earlier
The following components are affected:
* TIBCO Web Messaging for TIBCO Enterprise Message Service server (Kaazing Gateway server, HTTP and WebSocket engine)
Description
The components listed above contain a potential vulnerability
in the handling of HTTP requests which may result in unauthorized access.
TIBCO has released updated versions of the affected software products
which address this issue. TIBCO strongly recommends that sites running the
affected components install the applicable update as described below.
Impact
The impact of this vulnerability is information disclosure.
CVSS v3 base vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Solution
If you have configured authentication and authorization according to the
"Checklist: Configure Authentication and Authorization"
(https://kaazing.com/doc/jms/4.0/security/o_aaa_config_authentication.html), or
implemented your custom login modules conforming to the guidelines in the
"Java Authentication and Authorization Service (JAAS): LoginModule Developer's Guide"
(http://docs.oracle.com/javase/7/docs/technotes/guides/security/jaas/JAASLMDevGuide.html),
then you are not affected by this vulnerability.
Alternatively, for each affected system, update to the corresponding software version:
* TIBCO Web Messaging for TIBCO Enterprise Message Service, version 4.0.9 Hotfix 19
* TIBCO Web Messaging for TIBCO Enterprise Message Service, version 4.5.3 Hotfix 1
References
https://support.kaazing.com/hc/en-us/articles/115004752368