Security Bulletin: IBM CICS TX Advanced is vulnerable to a Denial of Service (CVE-2021-33294 and CVE-2020-21047).

Summary

The Elfutils package is used by IBM CICS TX Advanced in order to read, create and modify ELF (Executable and Linkable Format) binary files. The Elfutils package is vulnerable to a Denial of Service (CVE-2021-33294 and CVE-2020-21047). An update to IBM CICS TX Advanced has been released to address the vulnerability.

Vulnerability Details

CVEID:CVE-2021-33294
**DESCRIPTION:**elfutils is vulnerable to a denial of service, caused by an infinite loop was found in the function handle_symtab in readelf.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261942 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-21047
**DESCRIPTION:**elfutils is vulnerable to a denial of service, caused by a out-of-bounds write, off-by-one, and reachable assertion flaw in the libcpu component. By persuading a victim to open a specially crafted ELF file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266323 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading IBM CICS TX Advanced.

10.1

| Linux| Download the update from Fix Central.

Workarounds and Mitigations

None