TIBCO Data Virtualization software vulnerable to RCE via third-party flaws, claims researcher

guest · Jul 22, 2021

TIBCO Data Virtualization software vulnerable to RCE via third-party flaws, claims researcher
Vulnerabilities affect versions 8.3 and below, but vendor inadvertently addressed exploit in 8.4
July 20, 2021 (Updated: July 21, 2021)
https://portswigger.net/daily-swig/...o-rce-via-third-party-flaws-claims-researcher

A security researcher says he’s achieved remote code execution (RCE) on older, still downloadable versions of TIBCO Data Virtualization (TDV) software by chaining vulnerabilities in outdated third-party components.

The flaws in TDV, a popular enterprise data virtualization platform, arise from issues in BlazeDS and Java BeanShell libraries that were fixed several years ago.
Click to expand...

Disclosure difficulties
The researcher says he published a technical write-up on July 16 without the vendor’s consent, having found the disclosure process, which he initiated on July 5, to be “a complete disaster”.

Despite having a “fully working remote exploit” – as demonstrated in this proof-of-concept video – he claims that TIBCO declined to confirm that it would issue a security advisory urging TDV customers to update their systems to the latest version, 8.4, or that all previous versions are vulnerable.
Click to expand...

As of today (July 20), the researcher tells The Daily Swig that he has still not received a response to his last email, which he concedes was “pretty angry”.

“I think I did the right thing [in disclosing the exploit]”, he continues. “It’s time companies like TIBCO stop treating researchers like cattle, taking our reports, ignoring us and then try to sweep vulnerabilities under the rug.
Click to expand...

Log in or Sign up

TIBCO Data Virtualization software vulnerable to RCE via third-party flaws, claims researcher

guest Guest

Log in or Sign up

TIBCO Data Virtualization software vulnerable to RCE via third-party flaws, claims researcher

guest Guest

Useful Searches