Lucene search

IBMDBCF3F042F38F5EF2CA3CDCE0E74E29B70F725BD7BC6D491C8AE5649E3579265

HistoryMar 28, 2024 - 4:04 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime affect z/Transaction Processing Facility

2024-03-2816:04:04

www.ibm.com

ibm semeru runtime

z/transaction processing facility

cve-2024-20918

cve-2024-20921

cve-2024-20926

cve-2024-22361

vulnerabilities

java se

scripting component

cryptographic algorithms

pj48008_ibm-semeru-certified-jre-11.0.22.0

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.3%

JSON

Summary

There are multiple vulnerabilities in IBM® Semeru Runtime Certified Edition 11 that is used by the z/TPF system. z/TPF has addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2024-20918
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2024-20921
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279734 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-20926
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279716 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-22361
**DESCRIPTION:**IBM Semeru Runtime 8.0.302.0 through 8.0.392.0, 11.0.12.0 through 11.0.21.0, 17.0.1.0 - 17.0.9.0, and 21.0.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 281222.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281222 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
z/Transaction Processing Facility	1.1

Remediation/Fixes

Product	VRMF	APAR	Remediation/First Fix
z/TPF	1.1	PJ48008

Apply the APAR, which is available for download from the TPF Family Products: Maintenance web page.
Download and install the PJ48008_ibm-semeru-certified-jre-11.0.22.0 package from the z/TPF support for IBM Semeru Runtimes and IBM Java SDK download page.

Workarounds and Mitigations

None.

Affected configurations

Vulners

Node

ibmz\/transaction_processing_facilityMatch1.1

CPENameOperatorVersion
z/transaction processing facility (tpf)eq1.1

CPE	Name	Operator	Version
	z/transaction processing facility (tpf)	eq	1.1

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.3%

JSON

Related for DBCF3F042F38F5EF2CA3CDCE0E74E29B70F725BD7BC6D491C8AE5649E3579265