Security Bulletin: Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition.

Summary

IBM® Runtime Environment Java™ is used by CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. The fix removes vulnerabilities CVE-2022-21628, CVE-2022-21626, CVE-2022-21624 and CVE-2022-21619 that can allow an unauthenticated attacker to obtain sensitive information.

Vulnerability Details

CVEID:CVE-2022-21628
**DESCRIPTION:**Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238623 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21626
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238689 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21624
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-21619
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Note: PSIRT fixes for CICS Transaction Gateway for Multiplatforms 9.0 and CICS Transaction Gateway Desktop Edition 9.0 will be provided only with extended support via IBM Support.

Remediation/Fixes

Below are the fixes provided for CICS Transaction Gateway 9.1:

Product

| VRMF|Platform|Remediation/First Fix
—|—|—|—
CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.1.0.3| AIX|

IBM Runtime Environment Java 7.0: Fix Central Link

IBM Runtime Environment Java 7.1: Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.1.0.3|

Linux on POWER Big Endian

|

IBM Runtime Environment Java 7.0: Fix Central Link

IBM Runtime Environment Java 7.1: Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.1.0.3| Linux on Intel |

IBM Runtime Environment Java 7.0: Fix Central Link

IBM Runtime Environment Java 7.1: Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.1.0.3| Linux on IBM Z|

IBM Runtime Environment Java 7.0: Fix Central Link

IBM Runtime Environment Java 7.1: Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.1.0.3| Windows|

IBM Runtime Environment Java 7.0: Fix Central Link

IBM Runtime Environment Java 7.1: Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.1.0.3| Solaris|

IBM Runtime Environment Java 7.0: Fix Central Link

Below are the fixes provided for CICS Transaction Gateway 9.2:

Product

| VRMF|Platform|Remediation/First Fix
—|—|—|—
CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.2.0.2| AIX|

Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.2.0.2|

Linux on POWER Big Endian

|

Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.2.0.2| Linux on Intel |

Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.2.0.2| Linux on IBM Z|

Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.2.0.2| Windows|

Fix Central Link

Below are the fixes provided for CICS Transaction Gateway 9.3:

Product

| VRMF|Platform|Remediation/First Fix
—|—|—|—
CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.3.0.0| AIX|

Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.3.0.0|

Linux on Intel

|

Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.3.0.0| Linux on IBM Z|

Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.3.0.0| Linux on POWER Little Endian|

Fix Central Link

CICS Transaction Gateway for Multiplatforms| 9.3.0.0| Linux on IBM Z container|

Fix Central Link

CICS Transaction Gateway for Multiplatforms| 9.3.0.0| Linux on Intel container|

Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.3.0.0| Linux on POWER Big Endian|

Fix Central Link

CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition| 9.3.0.0| Windows|

Fix Central Link

Workarounds and Mitigations

None