CVE-2021-35497: TIBCO FTL unvalidated SAN in client certificates
First published: Tue Oct 05 2021(Updated: )
The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition, TIBCO ActiveSpaces - Developer Edition, TIBCO ActiveSpaces - Enterprise Edition, TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL - Enterprise Edition, TIBCO eFTL - Community Edition, TIBCO eFTL - Developer Edition, and TIBCO eFTL - Enterprise Edition contain a vulnerability that theoretically allows a non-administrative, authenticated FTL user to trick the affected components into creating illegitimate certificates. These maliciously generated certificates can be used to enable man-in-the-middle attacks or to escalate privileges so that the malicious user has administrative privileges. Affected releases are TIBCO Software Inc.'s TIBCO ActiveSpaces - Community Edition: versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2, TIBCO ActiveSpaces - Developer Edition: versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2, TIBCO ActiveSpaces - Enterprise Edition: versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2, TIBCO FTL - Community Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, TIBCO FTL - Developer Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, TIBCO FTL - Enterprise Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, TIBCO eFTL - Community Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, TIBCO eFTL - Developer Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0, and TIBCO eFTL - Enterprise Edition: versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0.
Credit: security@tibco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| TIBCO ActiveSpaces | =4.3.0 | |
| TIBCO ActiveSpaces | =4.3.0 | |
| TIBCO ActiveSpaces | =4.3.0 | |
| TIBCO ActiveSpaces | =4.4.0 | |
| TIBCO ActiveSpaces | =4.4.0 | |
| TIBCO ActiveSpaces | =4.4.0 | |
| TIBCO ActiveSpaces | =4.5.0 | |
| TIBCO ActiveSpaces | =4.5.0 | |
| TIBCO ActiveSpaces | =4.5.0 | |
| TIBCO ActiveSpaces | =4.6.0 | |
| TIBCO ActiveSpaces | =4.6.0 | |
| TIBCO ActiveSpaces | =4.6.0 | |
| TIBCO ActiveSpaces | =4.6.1 | |
| TIBCO ActiveSpaces | =4.6.1 | |
| TIBCO ActiveSpaces | =4.6.1 | |
| TIBCO ActiveSpaces | =4.6.2 | |
| TIBCO ActiveSpaces | =4.6.2 | |
| TIBCO ActiveSpaces | =4.6.2 | |
| TIBCO eFTL | =6.2.0 | |
| TIBCO eFTL | =6.2.0 | |
| TIBCO eFTL | =6.2.0 | |
| TIBCO eFTL | =6.3.0 | |
| TIBCO eFTL | =6.3.0 | |
| TIBCO eFTL | =6.3.0 | |
| TIBCO eFTL | =6.3.1 | |
| TIBCO eFTL | =6.3.1 | |
| TIBCO eFTL | =6.3.1 | |
| TIBCO eFTL | =6.4.0 | |
| TIBCO eFTL | =6.4.0 | |
| TIBCO eFTL | =6.4.0 | |
| TIBCO eFTL | =6.5.0 | |
| TIBCO eFTL | =6.5.0 | |
| TIBCO eFTL | =6.5.0 | |
| TIBCO eFTL | =6.6.0 | |
| TIBCO eFTL | =6.6.0 | |
| TIBCO eFTL | =6.6.0 | |
| TIBCO eFTL | =6.6.1 | |
| TIBCO eFTL | =6.6.1 | |
| TIBCO eFTL | =6.6.1 | |
| TIBCO eFTL | =6.7.0 | |
| TIBCO eFTL | =6.7.0 | |
| TIBCO eFTL | =6.7.0 | |
| TIBCO FTL - Enterprise Edition | =6.2.0 | |
| TIBCO FTL - Enterprise Edition | =6.2.0 | |
| TIBCO FTL - Enterprise Edition | =6.2.0 | |
| TIBCO FTL - Enterprise Edition | =6.3.0 | |
| TIBCO FTL - Enterprise Edition | =6.3.0 | |
| TIBCO FTL - Enterprise Edition | =6.3.0 | |
| TIBCO FTL - Enterprise Edition | =6.3.1 | |
| TIBCO FTL - Enterprise Edition | =6.3.1 | |
| TIBCO FTL - Enterprise Edition | =6.3.1 | |
| TIBCO FTL - Enterprise Edition | =6.4.0 | |
| TIBCO FTL - Enterprise Edition | =6.4.0 | |
| TIBCO FTL - Enterprise Edition | =6.4.0 | |
| TIBCO FTL - Enterprise Edition | =6.5.0 | |
| TIBCO FTL - Enterprise Edition | =6.5.0 | |
| TIBCO FTL - Enterprise Edition | =6.5.0 | |
| TIBCO FTL - Enterprise Edition | =6.6.0 | |
| TIBCO FTL - Enterprise Edition | =6.6.0 | |
| TIBCO FTL - Enterprise Edition | =6.6.0 | |
| TIBCO FTL - Enterprise Edition | =6.6.1 | |
| TIBCO FTL - Enterprise Edition | =6.6.1 | |
| TIBCO FTL - Enterprise Edition | =6.6.1 | |
| TIBCO FTL - Enterprise Edition | =6.7.0 | |
| TIBCO FTL - Enterprise Edition | =6.7.0 | |
| TIBCO FTL - Enterprise Edition | =6.7.0 |
Remedy
TIBCO has released updated versions of the affected components which address these issues. TIBCO ActiveSpaces - Community Edition versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2 update to version 4.7.0 or later TIBCO ActiveSpaces - Developer Edition versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2 update to version 4.7.0 or later TIBCO ActiveSpaces - Enterprise Edition versions 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.6.1, and 4.6.2 update to version 4.7.0 or later TIBCO FTL - Community Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later TIBCO FTL - Developer Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later TIBCO FTL - Enterprise Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later TIBCO eFTL - Community Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later TIBCO eFTL - Developer Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later TIBCO eFTL - Enterprise Edition versions 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.6.1, and 6.7.0 update to version 6.7.1 or later
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-35497?
CVE-2021-35497 has a critical severity due to its impact on TIBCO ActiveSpaces and TIBCO eFTL, allowing unauthorized remote access.
How do I fix CVE-2021-35497?
To fix CVE-2021-35497, update your TIBCO ActiveSpaces and TIBCO eFTL to the latest patched versions as recommended by TIBCO.
Which versions are affected by CVE-2021-35497?
CVE-2021-35497 affects TIBCO ActiveSpaces versions 4.3.0 to 4.6.2 and TIBCO eFTL versions 6.2.0 to 6.7.0.
What are the potential consequences of CVE-2021-35497?
The exploitation of CVE-2021-35497 could lead to unauthorized access to sensitive data and disruption of services.
Is there a workaround for CVE-2021-35497?
While the best practice is to apply the security updates, temporary network restrictions can be put in place to mitigate the risk associated with CVE-2021-35497.
- agent/references
- agent/type
- agent/softwarecombine
- agent/remedy
- agent/severity
- agent/weakness
- agent/title
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/tibco
- canonical/tibco activespaces
- version/tibco activespaces/4.3.0
- version/tibco activespaces/4.4.0
- version/tibco activespaces/4.5.0
- version/tibco activespaces/4.6.0
- version/tibco activespaces/4.6.1
- version/tibco activespaces/4.6.2
- canonical/tibco eftl
- version/tibco eftl/6.2.0
- version/tibco eftl/6.3.0
- version/tibco eftl/6.3.1
- version/tibco eftl/6.4.0
- version/tibco eftl/6.5.0
- version/tibco eftl/6.6.0
- version/tibco eftl/6.6.1
- version/tibco eftl/6.7.0
- canonical/tibco ftl - enterprise edition
- version/tibco ftl - enterprise edition/6.2.0
- version/tibco ftl - enterprise edition/6.3.0
- version/tibco ftl - enterprise edition/6.3.1
- version/tibco ftl - enterprise edition/6.4.0
- version/tibco ftl - enterprise edition/6.5.0
- version/tibco ftl - enterprise edition/6.6.0
- version/tibco ftl - enterprise edition/6.6.1
- version/tibco ftl - enterprise edition/6.7.0