Security vulnerability advisory for TIBCO Runtime Agent

Article ID: KB0108177

Products: TIBCO Runtime Agent (TRA)
Versions: Not Applicable

Description

TIBCO Runtime Agent vulnerability

   Original release date: Jan 13, 2010
   Last revised: --
   Source: TIBCO Software Inc.


Systems Affected

   TIBCO Runtime Agent (TRA) versions below 5.6.2

   The following components are affected:

     * TIBCO Domain Utility (domainutility and domainutilitycmd)


Description

   TIBCO Runtime Agent components listed above create TIBCO domain
   properties files with weak permissions.  This may expose TIBCO domain
   administrator credentials to untrusted parties.

   TIBCO has released an update which addresses this issue.  TIBCO strongly
   recommends that sites running the affected components install the update
   and take the corrective action described below.


Impact

   An attacker local to any system participating in a TIBCO domain could
   access the credentials of the administrator of the TIBCO domain.  With
   these credentials, the attacker can then execute arbitrary code on any
   system that is a participant in the TIBCO domain.


Solution

   Change permissions on all existing TIBCO domain properties files to
   prevent access by untrusted users.

   Upgrade TIBCO Runtime Agent to version 5.6.2 or above.  If an upgrade
   is not possible at this time, explicitly set permissions on any newly
   created TIBCO domain properties files until such time as an upgrade can
   be done.
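
   The following is an added example, not part of the TIBCO advisory: a
   POSIX shell audit that lists properties files readable or writable by
   group or others and removes that access.  The directory argument and
   the *.properties file-name pattern are assumptions, since the advisory
   does not give file locations; it applies to POSIX hosts only.

```shell
#!/bin/sh
# Added example (not TIBCO code): audit and tighten permissions on
# domain properties files, as the Solution section asks.
# Assumptions: the files sit under a directory you pass in and match
# PROPS_PATTERN; neither value comes from the advisory.
PROPS_PATTERN=${PROPS_PATTERN:-*.properties}

# find_exposed DIR [find-action...]
# Selects regular files matching PROPS_PATTERN that have any group or
# other permission bit set. Uses only portable find(1) primaries.
find_exposed() {
    dir=$1
    shift
    find "$dir" -type f -name "$PROPS_PATTERN" \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) "$@"
}

# audit_props DIR: print every exposed file, one per line.
audit_props() {
    find_exposed "$1" -print
}

# harden_props DIR: strip group/other access, leaving owner bits as-is.
harden_props() {
    find_exposed "$1" -exec chmod go-rwx {} +
}

# Usage: sh audit_props.sh DIR [--fix]
# On versions below 5.6.2, rerun after each use of domainutility or
# domainutilitycmd, because newly created files need the same treatment.
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then
        harden_props "$1"
    fi
    audit_props "$1"
fi
```

   After a --fix run the script prints nothing when no exposed files
   remain, so it can be scheduled as a recurring check until the upgrade.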


References

   http://www.tibco.com/mk/advisory.jsp
   CVE: CVE-2010-0184

Environment

Product: TIBCO TRA
Version: All
OS: --
