Multiple vulnerabilities in TIBCO FTL



Published: 2022-01-12
Risk: High
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2021-43052, CVE-2021-43053
CWE-ID: CWE-798, CWE-200
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
TIBCO FTL Community Edition (Other software / Other software solutions)
TIBCO FTL Developer Edition (Other software / Other software solutions)
TIBCO FTL Enterprise Edition (Other software / Other software solutions)

Vendor: TIBCO

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Use of hard-coded credentials

EUVDB-ID: #VU59536

Risk: High

CVSSv3.1: 8.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43052

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain full access to sensitive information.

The vulnerability exists due to the presence of a hard-coded secret used in the default realm server. A remote unauthenticated attacker can gain full access to communication on an existing eFTL channel on the affected system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

TIBCO FTL Community Edition: 6.7.0 - 6.7.2

TIBCO FTL Developer Edition: 6.7.0 - 6.7.2

TIBCO FTL Enterprise Edition: 6.7.0 - 6.7.2

External links

http://www.tibco.com/services/support/advisories
http://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43052


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU59538

Risk: Medium

CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-43053

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the Realm Server component. A remote authenticated attacker can obtain the cluster secret of another application connected to the realm server.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

TIBCO FTL Community Edition: 6.7.0 - 6.7.2

TIBCO FTL Developer Edition: 6.7.0 - 6.7.2

TIBCO FTL Enterprise Edition: 6.7.0 - 6.7.2

External links

http://www.tibco.com/services/support/advisories
http://www.tibco.com/support/advisories/2022/01/tibco-security-advisory-january-11-2022-tibco-ftl-2021-43053


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.