There is a vulnerability in jackson-databind, which is shipped as part of IBM CICS Transaction Gateway for Multiplatforms. An update to IBM CICS Transaction Gateway for Multiplatforms has been released to address the vulnerability.
CVEID: CVE-2023-35116
**DESCRIPTION:** FasterXML jackson-databind is vulnerable to a denial of service, caused by a stack-based overflow when serializing a cyclic data structure. By persuading a victim to open specially crafted content, a remote attacker could exploit this vulnerability to cause a denial of service. Note: the vendor disputes the vulnerability because constructing a cyclic data structure and then serializing it cannot be achieved by an external attacker.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258157 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
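For context on the condition the description refers to, the following Java example (added here; it is not code from IBM, FasterXML, or the CICS Transaction Gateway) builds a cyclic object graph in-process, hands it to jackson-databind for serialization, and then shows the same model annotated so the cycle is written as an object reference instead of being recursed into. The Department/Employee class names and the sample values are illustrative, and it assumes jackson-databind (with jackson-core and jackson-annotations) on the classpath.

```java
import com.fasterxml.jackson.annotation.JsonIdentityInfo;
import com.fasterxml.jackson.annotation.ObjectIdGenerators;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.ArrayList;
import java.util.List;

// Added example, not IBM's or FasterXML's code. Class names and values are illustrative.
public class CyclicSerializationDemo {

    // Unguarded model: Department -> staff -> Employee -> department -> Department ... is a cycle.
    static class Department {
        public String name;
        public List<Employee> staff = new ArrayList<>();
    }

    static class Employee {
        public String name;
        public Department department;
    }

    // Same shape, but object identity lets Jackson emit "@id" on first encounter
    // and a bare id on later encounters, so the serializer never recurses into the cycle.
    @JsonIdentityInfo(generator = ObjectIdGenerators.IntSequenceGenerator.class, property = "@id")
    static class SafeDepartment {
        public String name;
        public List<SafeEmployee> staff = new ArrayList<>();
    }

    @JsonIdentityInfo(generator = ObjectIdGenerators.IntSequenceGenerator.class, property = "@id")
    static class SafeEmployee {
        public String name;
        public SafeDepartment department;
    }

    // Returns true when serializing the unguarded cyclic graph fails.
    // jackson-databind catches the StackOverflowError produced by the recursion and
    // rethrows it as a JsonMappingException ("Infinite recursion (StackOverflowError)");
    // recent jackson-core versions may instead stop earlier at their nesting-depth limit.
    // Both surface as JsonProcessingException.
    static boolean unguardedSerializationFails(ObjectMapper mapper) {
        Department d = new Department();
        d.name = "ops";
        Employee e = new Employee();
        e.name = "alice";
        e.department = d;   // back-reference: this assignment is what closes the cycle
        d.staff.add(e);
        try {
            mapper.writeValueAsString(d);
            return false;
        } catch (JsonProcessingException ex) {
            return true;
        }
    }

    // Same graph built on the annotated model; serializes to a finite document in which
    // the Employee's "department" is the Department's "@id" rather than a nested copy.
    static String guardedSerialization(ObjectMapper mapper) throws JsonProcessingException {
        SafeDepartment d = new SafeDepartment();
        d.name = "ops";
        SafeEmployee e = new SafeEmployee();
        e.name = "alice";
        e.department = d;
        d.staff.add(e);
        return mapper.writeValueAsString(d);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        System.out.println("unguarded cycle fails: " + unguardedSerializationFails(mapper));
        System.out.println("guarded output: " + guardedSerialization(mapper));
    }
}
```

The cycle is created by the `e.department = d` assignment in application code before anything is serialized, which is the substance of the vendor's dispute: a JSON document received from a remote party is a tree, and deserializing it into a model without object-identity handling cannot produce the back-reference that closes a cycle. For IBM CICS Transaction Gateway the remediation is the upgrade listed in this bulletin; the `@JsonIdentityInfo` annotation (or `@JsonManagedReference`/`@JsonBackReference`) is general jackson-databind hardening for application code that serializes bidirectional object models.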
Affected Product(s) | Version(s) |
---|---|
IBM CICS Transaction Gateway for Multiplatforms | 9.3 |
IBM strongly recommends addressing the vulnerability now by upgrading IBM CICS Transaction Gateway for Multiplatforms.
Product | Version | APAR | Remediation/Fix |
---|---|---|---|
IBM CICS Transaction Gateway for Multiplatforms | 9.3 | PH59608 | Download the upgrades from Fix Central (platform links below) |

Fix Central downloads for APAR PH59608, by platform:

- AIX: Fix Central Link
- Linux on POWER Big Endian: Fix Central Link
- Linux on POWER Little Endian: Fix Central Link
- Linux on Intel: Fix Central Link
- Linux on IBM Z: Fix Central Link
- Windows: Fix Central Link
- Linux on Intel Container: Fix Central Link
- Linux on IBM Z Container: Fix Central Link
Workarounds and Mitigations: None
Name | Operator | Version |
---|---|---|
cics transaction gateway for multiplatforms | eq | 9.3 |