Security Bulletin: Vulnerability in IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 affecting CICS Transaction Gateway Desktop Edition

Summary

There is a vulnerability which is related to HTTP injection in IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 used by CICS Transaction Gateway Desktop Edition. CICS Transaction Gateway Desktop Edition has addressed the applicable CVE.

Vulnerability Details

CVEID:CVE-2022-34165
**DESCRIPTION:**IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 are vulnerable to HTTP header injection, caused by improper validation. This could allow an attacker to conduct various attacks against the vulnerable system, including cache poisoning and cross-site scripting. IBM X-Force ID: 229429.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229429 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Apply the applicable CICS Transaction Gateway Desktop Editions APAR below.

Product

|

VRMF

|

APAR

|

Remediation / First Fix

—|—|—|—
CICS Transaction Gateway Desktop Edition for Multiplatforms| 9.1.0.3| PH51694| All Platforms Link
CICS Transaction Gateway Desktop Edition for Multiplatforms| 9.2.0.2| PH51694|

All Platforms Link

CICS Transaction Gateway Desktop Edition for Multiplatforms| 9.3.0.0| PH51694|

AIX Link

pLinux Link

Windows Link

iLinux Link

zLinux Link

x86 Container Link

390x Container Link

Workarounds and Mitigations

None