TIBCO Security Advisory: May 28, 2024 - TIBCO Managed File Transfer Platform Server for Unix - CVE-2024-4407

2024-05-28 17:53:55
Cloud Software Group, Inc.
community.tibco.com

AI Score: 7.8 High (Confidence: High)

EPSS: 0 Low (Percentile: 0.0%)

TIBCO Managed File Transfer Platform Server for Unix and z/Linux privilege escalation vulnerability

Original release date: May 28, 2024
Last revised: —
CVE-2024-4407
Source: TIBCO Software Inc.

Products Affected
TIBCO Managed File Transfer Platform Server for Unix versions 8.0.0, 8.0.1, 8.1.0, 8.1.1

TIBCO Managed File Transfer Platform Server for z/Linux versions 8.0.0, 8.0.1, 8.1.0, 8.1.1

Component Affected:

TIBCO Managed File Transfer Platform Server for Unix

Description

The components listed above contain a vulnerability that allows Platform Server clients to bypass user-id/password authentication and transfer files as root or execute commands as root.

Impact

The impact of this vulnerability includes the theoretical possibility that Platform Server clients can bypass user-id/password authentication and transfer files as root or even execute commands as root. For this issue to occur, the product configuration must deviate from the suggested Platform Server configuration standards. The issue occurs only when the Platform Server is started as root; when the Platform Server is started as non-root, files cannot be transferred as root, and commands cannot be executed as root.

**CVSS v3 Base Score:** 9.0 (Critical) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Solution

Upgrade the TIBCO Platform Server for UNIX to 8.0.2 or 8.1.2.

Upgrade the TIBCO Platform Server for z/Linux to 8.0.2 or 8.1.2.

References

<https://community.tibco.com/advisories/>
CVE-2024-4407
