TIBCO Rendezvous vulnerability

   Original release date: April 8, 2014
   Last revised: --
   Source: TIBCO Software Inc.


Systems Affected

   TIBCO Rendezvous 8.4.1 and below
   TIBCO Messaging Appliance 8.7.0 and below
   TIBCO Substation ES 2.8.0 and below

   The following components are affected:

     * TIBCO Rendezvous Daemon (rvd)
     * TIBCO Rendezvous Routing Daemon (rvrd)
     * TIBCO Rendezvous Secure Daemon (rvsd)
     * TIBCO Rendezvous Secure Routing Daemon (rvsrd)
 

Description

   The TIBCO Rendezvous components listed above are affected by the
   following critical vulnerabilities:

   CVE-2014-2541 - Access controls will not be properly enforced in some
   circumstances.  This may allow unauthorized users to view or modify
   information.

   CVE-2014-2542 - A cross-site scripting vulnerability exists which may
   allow an attacker to view or modify information.

   CVE-2014-2543 - A buffer overflow vulnerability exists in the processing
   of data from directly connected clients which could potentially allow an
   attacker to execute arbitrary code.

   TIBCO has released updated versions of the affected components which
   address these issues. TIBCO strongly recommends that sites running the
   affected components install the applicable update as described below.


Impact

   The impact of these vulnerabilities may include denial of service,
   information disclosure, information modification, or arbitrary code
   execution.


Solution

   For each affected system, update to the corresponding software versions:

   TIBCO Rendezvous 8.4.2 or higher
   TIBCO Messaging Appliance 8.7.1 or higher
   TIBCO Substation ES 2.8.1 or higher


References

   http://www.tibco.com/mk/advisory.jsp
   CVE: CVE-2014-2541, CVE-2014-2542, CVE-2014-2543