PT-2019-19293 · Tibco · Tibco Activematrix Businessworks

Published: 2019-04-09 · Updated: 2022-10-14 · CVE-2019-8990

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

TIBCO ActiveMatrix BusinessWorks versions up to and including 6.4.2

Description

The HTTP Connector component of TIBCO ActiveMatrix BusinessWorks contains an issue that allows unauthenticated HTTP requests to be processed by the BusinessWorks engine when authentication is required, but only under specific conditions. This occurs when the HTTP "Basic Authentication" policy is used with an XML Authentication resource. In such cases, the BusinessWorks engine might use credentials from a prior HTTP request for authorization purposes.

Recommendations

For versions up to and including 6.4.2, update to a version later than 6.4.2 to resolve the issue. As a temporary workaround, consider disabling the use of HTTP "Basic Authentication" policy with XML Authentication resources until a patch is available. Restrict access to the HTTP Connector component to minimize the risk of exploitation. Avoid using credentials from prior HTTP requests for authorization purposes in the affected configuration.

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2019-8990

Affected Products

Tibco Activematrix Businessworks