TIBCO Rendezvous vulnerability
Original release date: April 8, 2014
Last revised: --
Source: TIBCO Software Inc.
Systems Affected
TIBCO Rendezvous 8.4.1 and below
TIBCO Messaging Appliance 8.7.0 and below
TIBCO Substation ES 2.8.0 and below
The following components are affected:
* TIBCO Rendezvous Daemon (rvd)
* TIBCO Rendezvous Routing Daemon (rvrd)
* TIBCO Rendezvous Secure Daemon (rvsd)
* TIBCO Rendezvous Secure Routing Daemon (rvsrd)
Description
The TIBCO Rendezvous components listed above are affected by the
following critical vulnerabilities:
CVE-2014-2541 - Access controls will not be properly enforced in some
circumstances. This may allow unauthorized users to view or modify
information.
CVE-2014-2542 - A cross-site scripting vulnerability exists which may
allow an attacker to view or modify information.
CVE-2014-2543 - A buffer overflow vulnerability exists in the processing
of data from directly connected clients which could potentially allow an
attacker to execute arbitrary code.
TIBCO has released updated versions of the affected components which
address these issues. TIBCO strongly recommends that sites running the
affected components install the applicable update as described below.
Impact
The impact of these vulnerabilities may include denial of service,
information disclosure, information modification, or arbitrary code
execution.
Solution
For each affected system, update to the corresponding software versions:
TIBCO Rendezvous 8.4.2 or higher
TIBCO Messaging Appliance 8.7.1 or higher
TIBCO Substation ES 2.8.1 or higher
References
http://www.tibco.com/mk/advisory.jsp
CVE: CVE-2014-2541, CVE-2014-2542, CVE-2014-2543