Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   TIBCO Rendezvous Vendors:   TIBCO Software
TIBCO Rendezvous RV Daemon Memory Bug Lets Remote Users Deny Service
SecurityTracker Alert ID:  1019014
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 29 2007
Impact:   Denial of service via network

Version(s): prior to 8.0; tested on 7.5.2, 7.5.3, and 7.5.4
Description:   A vulnerability was reported in TIBCO Rendezvous. A remote user can cause denial of service conditions.

A remote user can send specially crafted data to the target RV daemon to trigger a memory error and cause the target service to hang. The daemon will not respond to subsequent packets.

The vendor was notified on April 16, 2007.

Varun Uppal and Andy Davis of Information Risk Management Plc reported this vulnerability.

The original advisory is available at:

Impact:   A remote user can cause the RV daemon to stop responding.
Solution:   The vendor has issued a fixed version (8.0).
Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), OS/400, UNIX (AIX), UNIX (FreeBSD), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.

 Source Message Contents

Subject:  [Full-disclosure] IRM025: TIBCO Rendezvous RVD Daemon Remote Memory

IRM Security Advisory 025

TIBCO Rendezvous RVD Daemon Remote Memory Leak DoS 

Vulnerability Type / Importance: Remote DoS / High

Problem Discovered: 16 April 2007
Vendor Contacted: 16 April 2007
Advisory Published: 29 November 2007


The TIBCO Rendezvous RVD daemon is vulnerable to a memory leak, which
when remotely triggered, prevents any further RV communication until the
daemon is manually restarted.


The RV daemon (RVD) within TIBCO's Rendezvous messaging product is
responsible for the communication of messages between RV-enabled
applications. The vulnerability exists as the result of an error in the
code that parses information within one of the headers in a TIBCO
proprietary network protocol packet. 

Technical Details:

Within a Rendezvous "wire format" TCP packet, the first four bytes
represent the number of bytes of data to expect within the packet, for

"\x00\x00\x00\x7c" //total length of data in packet
"\x99\x55\xee\xaa" // "magic" number
"\x06" // number of following bytes including null
"\x6d\x74\x79\x70\x65\x00" //the text "mtype"

In the above example the number of data bytes in the packet is "0x7c",
or 124 bytes. If this value is set to zero in a packet sent to the RVD
daemon then it stops responding to all subsequent communication. This
appears to result from a memory leak, which continues to attempt to
allocate memory. Eventually, operating system alert messages start to
appear, warning that the virtual memory in the underlying operating
system is running low.

Vendor & Patch Information:

TIBCO have fixed this issue in Rendezvous 8.0. The issue is documented
as being fixed in the release notes as follows:  

1-84MR37 - Fixed a daemon memory growth defect associated with messages
of length zero


There are no known workarounds for this vulnerability 

Tested/Affected Versions:

IRM confirmed the presence of this vulnerability in Rendezvous versions
7.5.2, 7.5.3 and 7.5.4


Research & Advisory: Varun Uppal and Andy Davis

About IRM:

Information Risk Management Plc (IRM) is a vendor independent
information risk consultancy, founded in 1998. IRM has become a leader
in client side risk assessment, technical level auditing and in the
research and development of security vulnerabilities and tools. IRM is
headquartered in London with Technical Centres in Europe and Asia as
well as Regional Offices in the Far East and North America. Please visit
our website at for further information.


All information in this advisory is provided on an 'as is' basis in the
hope that it will be useful. Information Risk Management Plc is not
responsible for any risks or occurrences caused by the application of
this information.

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC