Critical RCE Vulnerability Discovered in Spotfire Products: CVE-2024-3330 (CVSS 9.9)
Cloud Software Group has issued an urgent security advisory regarding a critical vulnerability (CVE-2024-3330) in its popular data visualization and analytics platform, Spotfire. This vulnerability, rated with a severity score of 9.9, allows attackers to execute arbitrary code on affected systems, potentially leading to full system compromise.
The CVE-2024-3330 vulnerability stems from insufficient input validation, allowing low-privileged attackers with read/write access to craft malicious Analyst files. These files can be used to execute arbitrary code on the host running Spotfire Client, leading to remote code execution.
Impact Scenarios:
- Installed Windows Client: An attacker can execute arbitrary code on the host system. Exploitation requires user interaction, such as opening a malicious file.
- Web Player (Business Author): An attacker can run arbitrary code as the account running the Web Player process.
- Automation Services: An attacker can execute arbitrary code through the Automation Services component.
The vulnerability impacts the following Spotfire components and versions:
- Spotfire Analyst: Versions 12.0.9 and earlier, 12.1.0 through 14.3.0
- Spotfire Server: Versions 12.0.10 and earlier, 12.1.0 through 14.3.0
- Spotfire for AWS Marketplace: Version 14.3.0 and earlier
The affected components are:
- Spotfire Analyst
- Spotfire Web Player
- Spotfire Automation Services
Cloud Software Group has responded promptly by releasing updated versions that address this critical vulnerability. Users are strongly urged to upgrade to the fixed versions as listed below:
Spotfire Analyst:
- Versions 12.0.9 and earlier: Upgrade to version 12.0.10 or higher
- Versions 12.1.0 through 14.0.2: Upgrade to version 14.0.3 or higher
- Versions 14.1.0 through 14.3.0: Upgrade to version 14.4.0
Spotfire Server:
- Versions 12.0.10 and earlier: Upgrade to version 12.0.11
- Versions 12.1.0 through 14.0.3: Upgrade to version 14.0.4 or higher
- Versions 14.2.0 and 14.3.0: Upgrade to version 14.4.0
Spotfire for AWS Marketplace:
- Version 14.3.0 and earlier: Upgrade to version 14.4.0 or higher
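For teams that need to find which installs fall inside the ranges above, the following triage helper is an added example written for this article, not code from Cloud Software Group or the Spotfire project. It transcribes the affected ranges and upgrade targets from the advisory text, parses versions into comparable tuples (so a short form such as `14.3` compares as `14.3.0`), and runs that check over a constructed CSV inventory with hypothetical hostnames. Where the advisory lists a version as affected but names no upgrade target for its branch, the helper reports `None` rather than guessing.

```python
"""Triage helper for CVE-2024-3330: flag Spotfire installs in an inventory that fall
inside the affected version ranges and look up the upgrade target the advisory gives.

Version ranges below are transcribed from the advisory; the inventory is constructed
sample data (hypothetical hostnames), not output from any real environment.
"""
import csv
import io
from typing import Optional

# Affected ranges: (lower bound inclusive, or None for "and earlier"; upper bound inclusive)
AFFECTED = {
    "Spotfire Analyst": [(None, "12.0.9"), ("12.1.0", "14.3.0")],
    "Spotfire Server": [(None, "12.0.10"), ("12.1.0", "14.3.0")],
    "Spotfire for AWS Marketplace": [(None, "14.3.0")],
}

# Upgrade targets per affected branch, as the advisory states them. The advisory lists
# Spotfire Server 12.1.0 through 14.3.0 as affected but names no target for the 14.1.x
# branch; the lookup returns None there instead of inventing one.
UPGRADE_TARGETS = {
    "Spotfire Analyst": [
        (None, "12.0.9", "12.0.10 or higher"),
        ("12.1.0", "14.0.2", "14.0.3 or higher"),
        ("14.1.0", "14.3.0", "14.4.0"),
    ],
    "Spotfire Server": [
        (None, "12.0.10", "12.0.11"),
        ("12.1.0", "14.0.3", "14.0.4 or higher"),
        ("14.2.0", "14.3.0", "14.4.0"),
    ],
    "Spotfire for AWS Marketplace": [
        (None, "14.3.0", "14.4.0 or higher"),
    ],
}


def parse_version(text: str) -> tuple:
    """'12.0.9' -> (12, 0, 9). Short forms such as '14.3' are padded with zeros so
    that plain tuple comparison orders them correctly (14.3 == 14.3.0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_range(version: str, low: Optional[str], high: str) -> bool:
    """Inclusive range check; a None lower bound means 'and earlier'."""
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    return v <= parse_version(high)


def triage(product: str, version: str) -> dict:
    """Report whether this product/version pair is listed as affected and, if so,
    the upgrade target the advisory names for that branch (None if it names none)."""
    affected = any(in_range(version, lo, hi) for lo, hi in AFFECTED.get(product, []))
    target = None
    if affected:
        for lo, hi, tgt in UPGRADE_TARGETS.get(product, []):
            if in_range(version, lo, hi):
                target = tgt
                break
    return {"product": product, "version": version, "affected": affected, "upgrade_to": target}


def triage_inventory(csv_text: str) -> list:
    """Run triage over a CSV inventory with columns host,product,version."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = triage(row["product"], row["version"])
        entry["host"] = row["host"]
        results.append(entry)
    return results


# Constructed sample inventory; hostnames are hypothetical.
SAMPLE_INVENTORY = """host,product,version
bi-analyst-01,Spotfire Analyst,12.0.9
bi-analyst-02,Spotfire Analyst,14.4.0
bi-server-01,Spotfire Server,14.1.2
bi-server-02,Spotfire Server,14.3.0
bi-server-03,Spotfire Server,12.0.11
bi-aws-01,Spotfire for AWS Marketplace,14.3
"""

if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_INVENTORY):
        if r["affected"]:
            state = "AFFECTED -> upgrade to " + (r["upgrade_to"] or "(no target stated in advisory)")
        else:
            state = "not listed as affected"
        print(f"{r['host']:16} {r['product']:30} {r['version']:8} {state}")
```

The split between `AFFECTED` and `UPGRADE_TARGETS` is deliberate: the two lists in the advisory do not line up exactly, and keeping them separate lets the helper say "affected, no stated target" for a Server 14.1.x install instead of silently marking it clean. Feed it your real inventory export with the same three columns.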
To safeguard against the potential exploitation of CVE-2024-3330, it is crucial for all Spotfire users to promptly apply the recommended updates. Failing to do so leaves systems vulnerable to attacks that can result in unauthorized code execution, data breaches, and significant operational disruptions.