Mar 28, 2024 - 9:53 a.m.

Security Bulletin: There are multiple vulnerabilities that affect CICS Transaction Gateway for Multiplatforms (CVE-2023-50310 and CVE-2023-50311).

2024-03-28 09:53:13
www.ibm.com
ibm cics transaction gateway, multiplatforms, vulnerabilities, authentication, credentials, insecure, sensitive information, debugging, error messages, upgrade

CVSS3: 4.9 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.2 High (Confidence: Low)

EPSS: 0.0005 Low (Percentile: 19.0%)

Summary

There are multiple vulnerabilities that affect CICS Transaction Gateway for Multiplatforms. An update to CICS Transaction Gateway for Multiplatforms has been released to address these vulnerabilities.

Vulnerability Details

**CVEID:** CVE-2023-50311
**DESCRIPTION:** IBM CICS Transaction Gateway could disclose sensitive path information to an attacker through debugging or error messages.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273614 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2023-50310
**DESCRIPTION:** IBM CICS Transaction Gateway transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM CICS Transaction Gateway for Multiplatforms | 9.2 |
| IBM CICS Transaction Gateway for Multiplatforms | 9.3 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading IBM CICS Transaction Gateway for Multiplatforms.

| Product | Version | APAR | Remediation/Fix |
|---|---|---|---|
| IBM CICS Transaction Gateway for Multiplatforms | 9.2.0.2 | PH60425 | Download the upgrades from Fix Central: AIX: Fix Central Link; Linux on POWER Big Endian: Fix Central Link; Linux on Intel: Fix Central Link; Linux on IBM Z: Fix Central Link; Windows: Fix Central Link |
| IBM CICS Transaction Gateway for Multiplatforms | 9.3.0.0 | PH60425 | Download the upgrades from Fix Central: AIX: Fix Central Link; Linux on POWER Big Endian: Fix Central Link; Linux on POWER Little Endian: Fix Central Link; Linux on Intel: Fix Central Link; Linux on IBM Z: Fix Central Link; Windows: Fix Central Link; Linux on Intel Container: Fix Central Link; Linux on IBM Z Container: Fix Central Link |

Workarounds and Mitigations

None

Affected configurations

Node:
ibm cics_transaction_gateway, Match 9.2, multiplatforms
OR
ibm cics_transaction_gateway, Match 9.3, multiplatforms
