Article ID: KB0072381
Description
TIBCO is aware of the recently announced Java Spring Framework vulnerabilities (CVE-2022-22963, CVE-2022-22965, and CVE-2022-22950), one of which is referred to as “Spring4Shell”. These vulnerabilities can enable an attacker to execute arbitrary code by taking advantage of insecure data binding and/or malicious expression language statements.
TIBCO is actively monitoring the still-evolving situation and updates regarding the Java Spring Framework, and our Product Security Incident Response Team (PSIRT) is actively evaluating how these vulnerabilities may affect TIBCO products and cloud services.
TIBCO WebFOCUS Client Releases 8.2.07.28 and 9.0 are not impacted by CVE-2022-22963, CVE-2022-22965, or CVE-2022-22950, when installed with the default configuration (see Resolution section below for default configuration details).
Customers requiring Spring 5.3.18 can download TIBCO WebFOCUS Client Releases 8207.28.10 and 9.0.1 from eDelivery.
Resolution
Confirm that the default configuration is installed:
- Apache Tomcat
- Java 1.8
- ibi_apps (open deployment)
- ibi_html (war deployment), which does not contain Spring Framework code
To check for this configuration:
- Open http://server:port/ibi_apps/admin, where server is the name of the server hosting your installation of WebFOCUS and port is the number of the port connection to that server.
- Select HTTP Request Info from the Diagnostics pane. If the Application Server is not Apache Tomcat, your testing is complete. Otherwise, continue to the next step.
- Select JVM Property Info from the Diagnostics pane. If it shows that you are running Java 1.8, your testing is complete. Otherwise, continue to the next step.
- Open xxx:\ibi\tomcat\conf\Catalina\localhost\ibi_apps.xml. If docBase does not include .war, your testing is complete.
If your system shows all three of these conditions (Apache Tomcat, a Java version other than 1.8, and a docBase that includes .war), change your implementation so that it does not use the .war version of the configuration file. Also consider upgrading your WebFOCUS version.
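The three-step check above can be scripted against the values shown in the admin Diagnostics pane and the contents of ibi_apps.xml. The following is an added example, not TIBCO's or ibi's own code; the sample context descriptors, the docBase paths and the server and JVM version strings are constructed, and it assumes "all three configurations" means Apache Tomcat, a JVM other than 1.8, and a docBase ending in .war.

```python
"""Mirror the KB article's walk-through: testing is complete (no change
needed) as soon as one of the three conditions is absent; only the
Tomcat + non-Java-1.8 + .war-docBase combination needs action.
Sample inputs are constructed; the <Context docBase=...> attribute is
the real Tomcat context-descriptor syntax."""
import xml.etree.ElementTree as ET

# Constructed conf/Catalina/localhost/ibi_apps.xml for the default
# (open) deployment: docBase names an exploded directory.
OPEN_CONTEXT = '<Context docBase="X:\\ibi\\webapps\\ibi_apps" path="/ibi_apps"/>'
# Constructed descriptor for a .war-based deployment of ibi_apps.
WAR_CONTEXT = '<Context docBase="X:\\ibi\\webapps\\ibi_apps.war" path="/ibi_apps"/>'


def docbase_is_war(context_xml: str) -> bool:
    """True when the Context element's docBase attribute names a .war file."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("not a Tomcat context descriptor")
    return root.get("docBase", "").lower().endswith(".war")


def is_java_8(jvm_version: str) -> bool:
    """Java 8 reports java.version as 1.8.x; later releases as 9, 11.0.x, 17.0.x."""
    return jvm_version.startswith("1.8")


def needs_change(app_server: str, jvm_version: str, context_xml: str) -> bool:
    """app_server and jvm_version are the strings shown under HTTP Request Info
    and JVM Property Info; context_xml is the ibi_apps.xml content."""
    if "tomcat" not in app_server.lower():
        return False          # step 1: not Tomcat, testing complete
    if is_java_8(jvm_version):
        return False          # step 2: Java 1.8, testing complete
    return docbase_is_war(context_xml)  # step 3: only a .war docBase remains


if __name__ == "__main__":
    # Default configuration: Tomcat, Java 1.8, open deployment -> False
    print(needs_change("Apache Tomcat/9.0.58", "1.8.0_302", OPEN_CONTEXT))
    # All three conditions present -> True
    print(needs_change("Apache Tomcat/9.0.58", "11.0.14", WAR_CONTEXT))
```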
For additional security, you can upgrade Apache Tomcat, as there are Spring4Shell-related fixes in versions 10.0.20, 9.0.62, and 8.5.78.
Issue/Introduction
This article describes TIBCO WebFOCUS® releases not impacted by Java Spring Framework vulnerabilities.
Additional Information
Spring Framework Vulnerability Update
Legacy ibi Releases and Spring Framework Vulnerability