CVE-2019-8990 : What You Need to Know

Learn about CVE-2019-8990 affecting TIBCO ActiveMatrix BusinessWorks versions up to 6.4.2. Discover the impact, technical details, and mitigation steps for this critical vulnerability.

TIBCO ActiveMatrix BusinessWorks has a vulnerability in its HTTP Connector component that allows unauthenticated HTTP requests to be processed by the engine. This issue affects versions up to and including 6.4.2.

Understanding CVE-2019-8990

TIBCO ActiveMatrix BusinessWorks Fails To Properly Enforce Authentication

What is CVE-2019-8990?

The vulnerability in TIBCO ActiveMatrix BusinessWorks allows unauthenticated HTTP requests to be processed by the engine, bypassing authentication requirements.

The Impact of CVE-2019-8990

        Malicious HTTP clients can execute requests without authenticating under specific circumstances.
        The vulnerability arises when using HTTP Basic Authentication with an XML Authentication resource.

Technical Details of CVE-2019-8990

The following are technical details of the CVE-2019-8990 vulnerability:

Vulnerability Description

The HTTP Connector component of TIBCO ActiveMatrix BusinessWorks allows unauthenticated HTTP requests to be processed, potentially using credentials from prior requests.

Affected Systems and Versions

        Product: TIBCO ActiveMatrix BusinessWorks
        Vendor: TIBCO Software Inc.
        Versions affected: <= 6.4.2

Exploitation Mechanism

The vulnerability occurs when HTTP Basic Authentication is used alongside an XML Authentication resource, enabling unauthorized HTTP requests to be processed.
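One way to look for requests that were processed without credentials, as an added example that is not part of the original advisory or of any TIBCO tooling. It assumes a hypothetical reverse proxy in front of the HTTP Connector that logs whether an Authorization header was present; the log layout, sample lines, and protected path prefix are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines from a hypothetical reverse proxy in front of the
# BusinessWorks HTTP Connector. The field layout is an assumption:
#   <timestamp> <client> <method> <path> <status> auth=<basic|none>
SAMPLE_LOG = """\
2019-04-02T10:00:01Z 10.0.0.5 POST /orders/create 200 auth=basic
2019-04-02T10:00:02Z 10.0.0.9 POST /orders/create 200 auth=none
2019-04-02T10:00:03Z 10.0.0.9 GET /orders/list 401 auth=none
2019-04-02T10:00:04Z 10.0.0.7 GET /health 200 auth=none
2019-04-02T10:00:05Z 10.0.0.9 GET /orders/list 200 auth=none
this line is malformed and must be skipped
2019-04-02T10:00:06Z 10.0.0.5 GET /orders/list 200 auth=basic
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>basic|none)$"
)

# Assumption: path prefixes the service protects with HTTP Basic Authentication.
PROTECTED_PREFIXES = ("/orders/",)


def find_unauthenticated_successes(log_text, protected=PROTECTED_PREFIXES):
    """Return {client: [(timestamp, method, path, status), ...]} for requests
    that carried no Authorization header yet got a 2xx answer on a protected
    path, where a correctly enforcing engine would have answered 401."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip lines that do not fit the assumed format
        if not m["path"].startswith(protected):
            continue  # unprotected endpoints legitimately answer without auth
        status = int(m["status"])
        if m["auth"] == "none" and 200 <= status < 300:
            hits[m["client"]].append((m["ts"], m["method"], m["path"], status))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_unauthenticated_successes(SAMPLE_LOG).items():
        for ts, method, path, status in events:
            print(f"{ts} {client} {method} {path} -> {status} without credentials")
```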

Mitigation and Prevention

To address CVE-2019-8990, follow these steps:

Immediate Steps to Take

        Upgrade affected systems to TIBCO ActiveMatrix BusinessWorks version 6.5.0 or higher.

Long-Term Security Practices

        Regularly update software to the latest versions.
        Implement strong authentication mechanisms.

Patching and Updates

TIBCO has released updated versions of the affected systems to mitigate this vulnerability.
