TIBCO WebFOCUS® Releases 8207.28 and 9.0 and Spring Framework Vulnerability


Article ID: KB0072381


Products: ibi WebFOCUS
Versions: 8207.28 and 9.0

Description

TIBCO is aware of the recently announced Java Spring Framework vulnerabilities (CVE-2022-22963, CVE-2022-22965, and CVE-2022-22950), with one of them being referred to as “Spring4Shell”. These vulnerabilities potentially enable an attacker to execute arbitrary code by taking advantage of poor data bindings and/or malicious expression language statements.

TIBCO is actively monitoring the still evolving situation and the updates regarding the Java Spring Framework, and our Product Security Incident Response Team (PSIRT) is actively evaluating how these vulnerabilities may affect TIBCO products and cloud services.

TIBCO WebFOCUS Client Releases 8.2.07.28 and 9.0 are not impacted by CVE-2022-22963, CVE-2022-22965, or CVE-2022-22950, when installed with the default configuration (see Resolution section below for default configuration details).

Customers requiring Spring 5.3.18 can download TIBCO WebFOCUS Client Releases 8207.28.10 and 9.0.1 from eDelivery.

Issue/Introduction

This article describes TIBCO WebFOCUS® releases not impacted by Java Spring Framework vulnerabilities.

Environment

All

Resolution

Confirm that the default configuration is installed:

  • Apache Tomcat
  • Java 1.8
  • ibi_apps (open deployment)
  • ibi_html (war deployment), which does not contain Spring Framework code

To check for this configuration:
  1. Open http://server:port/ibi_apps/admin, where server is the name of the server hosting your installation of WebFOCUS, and port is the number of the port connection to that server.
  2. Select HTTP Request Info from the Diagnostics pane. If the Application Server is not Apache Tomcat, your testing is complete. Otherwise, continue to the next step.
  3. Select JVM Property Info from the Diagnostics pane. If it shows that you are running Java 1.8, your testing is complete. Otherwise, continue to the next step.
  4. Open xxx:\ibi\tomcat\conf\Catalina\localhost\ibi_apps.xml. If docBase does not include .war, your testing is complete.

If none of the three checks ended your testing (the application server is Apache Tomcat, the Java version is not 1.8, and the ibi_apps docBase includes .war), change your implementation so that ibi_apps is not deployed from the .war version. Also, consider upgrading your WebFOCUS version.

For additional security, you can upgrade Apache Tomcat, as there are Spring4Shell related fixes in versions 10.0.20, 9.0.62, and 8.5.78.
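The following script automates steps 2 to 4 of the check above together with the Tomcat version comparison. It is an added example, not part of the ibi/TIBCO article; the ibi_apps.xml content, Java version strings and Tomcat versions it uses are constructed, and it assumes ibi_apps.xml is a plain Tomcat <Context> element whose docBase attribute points at the deployed application.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of <tomcat>\conf\Catalina\localhost\ibi_apps.xml;
# the docBase path is made up for this example.
SAMPLE_IBI_APPS_XML = (
    '<Context docBase="C:/ibi/WebFOCUS90/webapps/ibi_apps.war" path="/ibi_apps" />'
)

# First Tomcat release of each line carrying the Spring4Shell related fixes
# named in the article: 10.0.20, 9.0.62 and 8.5.78.
FIXED_TOMCAT = {"10.0": (10, 0, 20), "9.0": (9, 0, 62), "8.5": (8, 5, 78)}


def docbase_from_context(xml_text):
    """Return the docBase attribute of the <Context> element, or None."""
    root = ET.fromstring(xml_text)
    return root.get("docBase") if root.tag == "Context" else None


def is_war_deployment(docbase):
    """Step 4: a docBase that includes .war means ibi_apps is deployed from
    the archive instead of as an open (exploded) directory."""
    return docbase is not None and ".war" in docbase.lower()


def is_java_8(java_version):
    """Step 3: JVM Property Info reports a java.version such as 1.8.0_321."""
    return java_version.startswith("1.8.")


def tomcat_has_fix(version):
    """True when a Tomcat version is at or above the fixed release of its
    line; versions from lines not listed in the article return False."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False
    parts = tuple(int(p) for p in m.groups())
    line = f"{parts[0]}.{parts[1]}"
    return line in FIXED_TOMCAT and parts >= FIXED_TOMCAT[line]


def needs_action(xml_text, java_version, app_server="Apache Tomcat"):
    """Action is needed only when no check ended the testing: Apache Tomcat,
    a Java version other than 1.8, and a .war deployment of ibi_apps."""
    return (app_server == "Apache Tomcat" and not is_java_8(java_version)
            and is_war_deployment(docbase_from_context(xml_text)))
```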

Additional Information

  • Spring Framework Vulnerability Update
  • Legacy ibi Releases and Spring Framework Vulnerability