History: Feb 21, 2024 - 9:45 a.m.

Security Bulletin: Due to the use of jackson-databind, IBM CICS Transaction Gateway for Multiplatforms is vulnerable to a denial of service (CVE-2023-35116).

2024-02-21 09:45:39
www.ibm.com

AI Score: 6.5 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 8.6%)

Summary

There is a vulnerability in jackson-databind which is shipped as part of IBM CICS Transaction Gateway for Multiplatforms. An update to IBM CICS Transaction Gateway for Multiplatforms has been released to address the vulnerability.

Vulnerability Details

CVEID: CVE-2023-35116
**DESCRIPTION:** FasterXML jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow. By persuading a victim to open specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service. Note: The vendor disputes the vulnerability because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258157 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
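The description above refers to serializing a cyclic data structure. The following is an added example, not code from IBM, FasterXML or the bulletin, showing one way an application could reject a cyclic `JsonNode` tree before handing it to the serializer. The class and method names (`CycleGuard`, `hasCycle`, `safeWrite`) are hypothetical, the sample trees are constructed, and jackson-databind is assumed to be on the classpath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.util.*;

public class CycleGuard {
    // Iterative depth-first walk, so the check itself cannot exhaust the stack.
    // Nodes are tracked by identity: JsonNode.equals()/hashCode() are deep and
    // would recurse on a cyclic tree.
    static boolean hasCycle(JsonNode root) {
        Set<JsonNode> onPath = Collections.newSetFromMap(new IdentityHashMap<>());
        Deque<JsonNode> path = new ArrayDeque<>();
        Deque<Iterator<JsonNode>> iters = new ArrayDeque<>();
        onPath.add(root);
        path.push(root);
        iters.push(root.iterator());
        while (!iters.isEmpty()) {
            Iterator<JsonNode> it = iters.peek();
            if (!it.hasNext()) {              // finished this container: leave the path
                iters.pop();
                onPath.remove(path.pop());
                continue;
            }
            JsonNode child = it.next();
            if (!child.isContainerNode()) continue;   // scalars cannot form a cycle
            if (!onPath.add(child)) return true;      // child is its own ancestor
            path.push(child);
            iters.push(child.iterator());
        }
        return false;
    }

    // Refuse to serialize a tree that refers back to itself.
    static String safeWrite(ObjectMapper mapper, JsonNode node) throws Exception {
        if (hasCycle(node)) {
            throw new IllegalArgumentException("cyclic JsonNode; refusing to serialize");
        }
        return mapper.writeValueAsString(node);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        ObjectNode ok = mapper.createObjectNode();       // constructed sample: plain tree
        ok.putObject("child").put("n", 1);
        System.out.println(safeWrite(mapper, ok));
        ObjectNode loop = mapper.createObjectNode();     // constructed sample: self-reference
        loop.putObject("child").set("back", loop);
        try { safeWrite(mapper, loop); }
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```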

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM CICS Transaction Gateway for Multiplatforms | 9.3 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading IBM CICS Transaction Gateway for Multiplatforms.

| Product | Version | APAR | Remediation/Fix |
|---|---|---|---|
| IBM CICS Transaction Gateway for Multiplatforms | 9.3 | PH59608 | Fix Central (per-platform links below) |

Download the upgrades from Fix Central:

AIX: Fix Central Link

Linux on POWER Big Endian: Fix Central Link

Linux on POWER Little Endian: Fix Central Link

Linux on Intel: Fix Central Link

Linux on IBM Z: Fix Central Link

Windows: Fix Central Link

Linux on Intel Container: Fix Central Link

Linux on IBM Z Container: Fix Central Link

Workarounds and Mitigations

None
