Product:TIBCO Spotfire Server
Versions:All
Summary:
This article contains resolution and mitigation steps for the Spring Framework vulnerabilities (also referred to as Spring4Shell and SpringShell) for the TIBCO Spotfire product suite.
Details:
The TIBCO Security team is aware of the recently announced Java Spring Framework vulnerabilities (CVE-2022-22963, CVE-2022-22965), with one of them being referred to as “Spring4Shell”. These vulnerabilities potentially enable an attacker to execute arbitrary code by taking advantage of poor data bindings and/or malicious expression language statements.
TIBCO is also aware of CVE-2022-22950, and this issue is under investigation as part of our response to CVE-2022-22963 and CVE-2022-22965.
For more information about the general TIBCO investigation into this, please refer to TIBCO Public Notice Spring Framework Vulnerability Update.
This article provides additional information on how TIBCO Spotfire products in particular are affected.
TIBCO Spotfire products with resolution or mitigation steps
- TIBCO Spotfire Server
  - 7.11.9 LTS and higher
  - 10.3.6 LTS and higher
  - 10.10.0 LTS and higher
  - 11.0.0
  - 11.1.0
  - 11.2.0
  - 11.3.0 and higher
  - 11.4.0 LTS and higher
  - 11.5.0
  - 11.6.0 and higher
  - 11.7.0
  - 11.8.0 and higher
TIBCO Spotfire products that are not affected
- TIBCO Spotfire Analyst
- TIBCO Spotfire Desktop
- TIBCO Spotfire Automation Services
- TIBCO Spotfire Business Author / TIBCO Spotfire Consumer ("TIBCO Spotfire Web Player")
- TIBCO Spotfire Qualification
- TIBCO Enterprise Runtime for R
- TIBCO Spotfire Statistics Services
- TIBCO Spotfire Service for Python
- TIBCO Enterprise Runtime for R - Server Edition
Resolution:
For TIBCO Spotfire Server, the following Service packs (updating Spring Framework to version 5.3.18) for Mainstream and LTS versions are now available for download from the TIBCO eDelivery site. These service packs address CVE-2022-22965:
- TIBCO Spotfire Server 10.10.11
- TIBCO Spotfire Server 11.4.6
- TIBCO Spotfire Server 11.8.1
Service packs have been released for the latest Mainstream version and the current LTS versions which have not had end of support announced. Versions 11.8, 11.4 and 10.10 are thus the only versions currently receiving service packs. See Overview of TIBCO Spotfire Releases – Mainstream and LTS (Long-Term Support) for more information about this.
Note: While not affected by the CVEs mentioned above, there are also new Service Packs (available for download from the TIBCO eDelivery site), updating Spring Framework to version 5.3.18, for the following products:
- TIBCO Spotfire Statistics Services 10.10.9
- TIBCO Spotfire Statistics Services 11.4.6
- TIBCO Spotfire Statistics Services 11.8.1
- TIBCO Spotfire Service for Python 1.0.7
- TIBCO Spotfire Service for Python 1.3.5
- TIBCO Spotfire Service for Python 1.11.1
- TIBCO Enterprise Runtime for R - Server Edition 1.3.7
- TIBCO Enterprise Runtime for R - Server Edition 1.7.5
- TIBCO Enterprise Runtime for R - Server Edition 1.11.1
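To confirm that a service pack actually brought Spring Framework up to 5.3.18 on a given host, the following added example (not TIBCO tooling, and not part of this article) walks an installation directory, identifies Spring Framework module jars, and compares each jar's version against the fixed version. The directory to scan and the list of Spring Framework module names are assumptions; spring-boot-* and spring-security-* jars are deliberately ignored because those projects use their own version numbering.

```python
"""Inventory Spring Framework jars under a directory and flag any older than 5.3.18."""
import re
import sys
import zipfile
from pathlib import Path

# Assumed list of org.springframework module artifacts (Spring Framework proper).
FRAMEWORK_MODULES = {
    "spring-core", "spring-beans", "spring-context", "spring-context-support",
    "spring-expression", "spring-aop", "spring-aspects", "spring-jcl",
    "spring-web", "spring-webmvc", "spring-webflux", "spring-websocket",
    "spring-messaging", "spring-jdbc", "spring-tx", "spring-orm", "spring-oxm",
    "spring-jms", "spring-r2dbc", "spring-test", "spring-instrument",
}
FIXED_VERSION = "5.3.18"  # version the service packs in this article ship

# artifact-name, dash, numeric version, optional qualifier (.RELEASE, -SNAPSHOT), .jar
_JAR_RE = re.compile(r"^(spring-[a-z-]+?)-(\d+(?:\.\d+)+)(?:[.-][A-Za-z0-9]+)*\.jar$")


def version_tuple(version):
    """'5.3.18' -> (5, 3, 18); non-numeric parts such as 'RELEASE' are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def spring_framework_jar(filename):
    """Return (module, version) if filename is a Spring Framework jar, else None."""
    m = _JAR_RE.match(filename)
    if not m or m.group(1) not in FRAMEWORK_MODULES:
        return None
    return m.group(1), m.group(2)


def is_fixed(version, fixed=FIXED_VERSION):
    """True when version orders at or above the fixed version."""
    return version_tuple(version) >= version_tuple(fixed)


def manifest_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (OSError, KeyError, zipfile.BadZipFile):
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def scan(root, fixed=FIXED_VERSION):
    """Return [(path, version, ok)] for every Spring Framework jar under root."""
    findings = []
    for path in Path(root).rglob("spring-*.jar"):
        parsed = spring_framework_jar(path.name)
        if parsed is None:
            continue
        version = manifest_version(path) or parsed[1]  # manifest beats filename
        findings.append((str(path), version, is_fixed(version, fixed)))
    return findings


if __name__ == "__main__":
    for jar, ver, ok in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("OK " if ok else "OLD", ver, jar)
```

Run it against the Spotfire Server installation directory after applying the service pack; any line marked OLD is a jar that was not updated.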