TIBCO Security Advisory: March 11, 2020 - TIBCO Spotfire Server - CVE-2020-9408

TIBCO Spotfire Server Script Trust Problem Exposes Remote Code Execution Vulnerability

Original release date: March 11, 2020
Last revised:
CVE-2020-9408
Source: TIBCO Software Inc.

Systems Affected

• TIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.8.0 and below
• TIBCO Spotfire Server versions 7.11.9 and below
• TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6
• TIBCO Spotfire Server versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0

The following component is affected:

• Spotfire library

Description

The component listed above contains a vulnerability that theoretically allows an attacker with write permissions to the Spotfire Library, but not "Script Author" group permission, to modify attributes of files and objects saved to the library such that the system treats them as trusted. This could allow an attacker to cause the Spotfire Web Player, Analyst clients, and TERR Service into executing arbitrary code with the privileges of the system account that started those processes.

Impact

The impact of this vulnerability includes the theoretical possibility that an attacker could execute arbitrary code with the privileges of the system account that started the Spotfire Web Player, Analyst clients, or TERR Service.

  CVSS v3 Base Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Solution

TIBCO has released updated versions of the affected systems which address this issue:

• TIBCO Spotfire Analytics Platform for AWS Marketplace versions 10.8.0 and below update to version 10.8.1 or higher
• TIBCO Spotfire Server versions 7.11.9 and below update to version 7.11.10 or higher
• TIBCO Spotfire Server versions 7.12.0, 7.13.0, 7.14.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, and 10.3.6 update to version 10.3.7 or higher
• TIBCO Spotfire Server versions 10.4.0, 10.5.0, 10.6.0, 10.6.1, 10.7.0, and 10.8.0 update to version 10.8.1 or higher

The information on this page is being provided to you on an "AS IS" and "AS-AVAILABLE" basis. The issues described on this page may or may not impact your system(s). Spotfire makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SPOTFIRE SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. The information on this page is being provided to you under the terms of your license and/or services agreement with Spotfire, and may be used only for the purposes contemplated by the agreement. If you do not have such an agreement with Spotfire, this information is provided under the Spotfire.com Terms of Use, and may be used only for the purposes contemplated by such Terms of Use.