WARNING: TWO CRITICAL VULNERABILITIES IN TIBCO (OPERATIONAL INTELLIGENCE) HAWK THAT CAN LEAD TO SYSTEM MANIPULATION WITH USER PRIVILEGES AND CAN ALLOW THE ATTACKER TO READ SENSITIVE FILES, PATCH IMMEDIATELY!

Published : 14/11/2024

Reference:
Advisory #2024-266

Version:
1.0

Affected software:
TIBCO Hawk versions: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, and 6.3.0
TIBCO Operational Intelligence Hawk versions: 7.2.0, 7.2.1, and 7.2.2

Type:
Cross-site Scripting (XSS) & System Manipulation

CVE/CVSS:
CVE-2024-10217
CVSS 9.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:P/S:U/C:H/I:H/A:N)

CVE-2024-10218
CVSS 9.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)

Risks

TIBCO Operational Intelligence Hawk is a platform for managing distributed applications and systems. It is mainly used by system administrators. There is no information on whether the two vulnerabilities mentioned here have been actively exploited.

These two critical vulnerabilities have a high impact on Confidentiality and Integrity, while there is no impact on Availability.

Description

CVE-2024-10217
Allows an attacker who performs an XSS attack to manipulate the system with user privileges.

CVE-2024-10218
Allows an attacker to read sensitive files in the host filesystem with the same privileges as the server's process.
In both vulnerabilities, the affected components are mar.jar (the monitoring archive utility) and monitoringconsolecommon.jar.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
