Lucene search

K
ibmIBMD54A60ED54EF5ECECC8D86C9B410172AFFD9D8297D602561EAF5D8E5BE834E25
HistorySep 25, 2022 - 10:39 p.m.

Security Bulletin: CICS Transaction Gateway for Multiplatforms

2022-09-2522:39:39
www.ibm.com
14
cics tg
java runtime environment
client applications
vulnerabilities

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score

7.8

Confidence

Low

EPSS

0.949

Percentile

99.3%

Abstract

Multiple security vulnerablilities exist in the JREs shipped with CICS TG for client applications. CICS TG itself is not vulnerable to these risks but client side applications using the JREs might be. You will need to evaluate your own code to determine if you are vulnerable.

Content

VULNERABILITY DETAILS:

**CVEID:**CVE-2013-2468 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2442 and CVE-2013-2466.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85034 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID: CVE-2013-2469 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to “Incorrect image layout verification” in 2D.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85032 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID: CVE-2013-2465 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to “Incorrect image channel verification” in 2D.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85031 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID: CVE-2013-2464 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2463, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, and CVE-2013-2473.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85030 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

**** **CVEID:**CVE-2013-2463 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to “Incorrect image attribute verification” in 2D.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85029 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID: CVE-2013-2473 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to “Incorrect ByteBandedRaster size checks” in 2D.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85028 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID: CVE-2013-2472 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to “Incorrect ShortBandedRaster size checks” in 2D.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85027 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID: CVE-2013-2471 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to “Incorrect IntegerComponentRaster size checks.”

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85026 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID: CVE-2013-2470 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to “ImagingLib byte lookup processing.”

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85025 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID: CVE-2013-2459 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to “integer overflow checks.”

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85033 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID: CVE-2013-2466 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2442 and CVE-2013-2468.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85035 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID: CVE-2013-2462 DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85037 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

AFFECTED PRODUCTS AND VERSIONS:
CICS Transaction Gateway for Multiplatforms v9.0 and earlier

REMEDIATION:
Updated client side JRE’s have been made available on Fix Central. Upgrade the JRE being used by CICS TG Java client applications. Updated JREs for use with CICS TG Java client applications are made available on Fix Central:
http://www-933.ibm.com/support/fixcentral/options?selection=Software%3Bibm%2FOther+software%3Bibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms

Workaround(s):
None

Mitigation(s):
None

RELATED INFORMATION:

ī‚ˇ Complete CVSS v2 Guide
ī‚ˇ On-line Calculator v2

[{“Product”:{“code”:“SSGMJ2”,“label”:“CICS Transaction Gateway”},“Business Unit”:{“code”:“BU058”,“label”:“IBM Infrastructure w/TPS”},“Component”:“CTG”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF010”,“label”:“HP-UX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF027”,“label”:“Solaris”},{“code”:“PF033”,“label”:“Windows”}],“Version”:“9.0;8.1;8.0;7.2;7.1”,“Edition”:“All”,“Line of Business”:{“code”:“LOB35”,“label”:“Mainframe SW”}}]

Affected configurations

Vulners
Node
ibmcics_transaction_gatewayMatch9.0
OR
ibmcics_transaction_gatewayMatch8.1
OR
ibmcics_transaction_gatewayMatch8.0
OR
ibmcics_transaction_gatewayMatch7.2
OR
ibmcics_transaction_gatewayMatch7.1
VendorProductVersionCPE
ibmcics_transaction_gateway9.0cpe:2.3:a:ibm:cics_transaction_gateway:9.0:*:*:*:*:*:*:*
ibmcics_transaction_gateway8.1cpe:2.3:a:ibm:cics_transaction_gateway:8.1:*:*:*:*:*:*:*
ibmcics_transaction_gateway8.0cpe:2.3:a:ibm:cics_transaction_gateway:8.0:*:*:*:*:*:*:*
ibmcics_transaction_gateway7.2cpe:2.3:a:ibm:cics_transaction_gateway:7.2:*:*:*:*:*:*:*
ibmcics_transaction_gateway7.1cpe:2.3:a:ibm:cics_transaction_gateway:7.1:*:*:*:*:*:*:*

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score

7.8

Confidence

Low

EPSS

0.949

Percentile

99.3%