History: Mar 15, 2023 - 3:13 p.m.

Security Bulletin: Multiple Vulnerabilities (CVE-2022-45693, CVE-2022-45685) affect CICS Transaction Gateway for Multiplatforms.

Published: 2023-03-15 15:13:59
Source: www.ibm.com

CVSS3: 7.8 High
Attack Vector: LOCAL | Attack Complexity: LOW | Privileges Required: LOW | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 5 Medium
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low (Percentile: 28.0%)

Summary

Multiple vulnerabilities (CVE-2022-45693, CVE-2022-45685) affect CICS Transaction Gateway for Multiplatforms. This fix resolves these vulnerabilities. Please note: PSIRT fixes for CICS Transaction Gateway for Multiplatforms 9.0 will be provided only to extended-support customers, on request through a case opened with IBM Support.

Vulnerability Details

CVEID: CVE-2022-45693
**DESCRIPTION:** Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242274 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-45685
**DESCRIPTION:** Jettison is vulnerable to a denial of service, caused by a stack-based buffer overflow. By sending an overly long string using JSON data, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM CICS Transaction Gateway | 9.1
IBM CICS Transaction Gateway | 9.2
IBM CICS Transaction Gateway | 9.3

Remediation/Fixes

Product | VRMF | APAR | Remediation / First Fix
CICS Transaction Gateway for Multiplatforms | 9.1.0.3 | PH52872 | AIX: Fix Central Link; Linux on POWER Big Endian: Fix Central Link; Linux on Intel: Fix Central Link; Linux on IBM Z: Fix Central Link; Windows: Fix Central Link; Solaris: Fix Central Link; HP-UX: Fix Central Link
CICS Transaction Gateway for Multiplatforms | 9.2.0.2 | PH52872 | AIX: Fix Central Link; Linux on POWER Big Endian: Fix Central Link; Linux on Intel: Fix Central Link; Linux on IBM Z: Fix Central Link; Windows: Fix Central Link; Solaris: Fix Central Link; HP-UX: Fix Central Link
CICS Transaction Gateway for Multiplatforms | 9.3.0.0 | PH52872 | AIX: Fix Central Link; Linux on POWER Big Endian: Fix Central Link; Linux on POWER Little Endian: Fix Central Link; Linux on Intel: Fix Central Link; Linux on IBM Z: Fix Central Link; Windows: Fix Central Link; Linux on IBM Z container: Fix Central Link; Linux on Intel container: Fix Central Link

Workarounds and Mitigations

None
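The bulletin lists no workaround. As an added example, not code from IBM or the Jettison project, here is an iterative pre-parse guard that bounds JSON nesting depth and string-literal length before a request body reaches a recursive parser, the kind of input check a defender can place in front of a component with this class of weakness while the fix is rolled out. The limits chosen and the assumption that the overflow is driven by nesting depth and string length are the example's own, not stated in the bulletin.

```python
import json

MAX_DEPTH = 64         # constructed limit, well below typical stack exhaustion
MAX_STRING_LEN = 4096  # constructed limit on any single JSON string literal


def check_json_limits(text, max_depth=MAX_DEPTH, max_string_len=MAX_STRING_LEN):
    """Scan raw JSON text once, iteratively (no recursion), and return
    (ok, reason). Rejects nesting deeper than max_depth or any string
    literal longer than max_string_len, so a recursive parser downstream
    never sees input that could exhaust its stack."""
    depth = 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            # Walk the string literal, honouring backslash escapes.
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == '\\' else 1
            if j >= n:
                return False, "unterminated string"
            if j - i - 1 > max_string_len:
                return False, "string literal exceeds %d chars" % max_string_len
            i = j + 1
            continue
        if c in "[{":
            depth += 1
            if depth > max_depth:
                return False, "nesting exceeds depth %d" % max_depth
        elif c in "]}":
            depth -= 1
            if depth < 0:
                return False, "unbalanced closing bracket"
        i += 1
    if depth != 0:
        return False, "unbalanced brackets"
    return True, "ok"


def safe_load(text, **limits):
    """Parse only after the guard accepts the text; raise otherwise."""
    ok, reason = check_json_limits(text, **limits)
    if not ok:
        raise ValueError("rejected before parse: " + reason)
    return json.loads(text)


if __name__ == "__main__":
    # Constructed inputs: a normal payload, a deeply nested one, a long string.
    print(check_json_limits('{"map": {"k": [1, 2, 3]}}'))
    print(check_json_limits("[" * 200 + "]" * 200))
    print(check_json_limits('{"s": "' + "A" * 10000 + '"}'))
```

The guard is linear in the input size and rejects oversized bodies before any allocation or recursion happens, so it can also be logged as a detection signal for malformed traffic.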
