Security Bulletin: Potential denial of service vulnerability in the Apache CXF library used in WebSphere Application Server Liberty Core affect CICS Transaction Gateway

Summary

Denial of service vulnerability in the Apache CXF library used in WebSphere Application Server Liberty Core affect CICS Transaction Gateway Web Service requests. CICS Transaction Gateway addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2019-4720
**DESCRIPTION:**IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172125 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

Upgrade the WebSphere Application Server Liberty Core used by CICS TG Gateway daemon. Updated WebSphere Application Server Liberty Core files used by Gateway daemon are made available on Fix Central.

Product

|

VRMF

|

APAR

|

Remediation / First Fix

—|—|—|—
CICS Transaction Gateway for Multiplatforms| 9.2.0.0
9.2.0.1
9.2.0.2| PH24764| http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=92-CICSTG-Liberty-PH24764&source=SAR
CICS Transaction Gateway for Multiplatforms| 9.1.0.0
9.1.0.1
9.1.0.2
9.1.0.3| PH24764| http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=91-CICSTG-Liberty-PH24764&source=SAR

Workarounds and Mitigations

None