Sep 25, 2022 - 9:06 p.m.

Security Bulletin: CICS Transaction Gateway for Multiplatforms

2022-09-25 21:06:56
www.ibm.com
CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.433 Medium
Percentile: 97.3%

Abstract

Multiple security vulnerabilities exist in the JREs shipped with CICS TG for client applications. CICS TG itself is not vulnerable to these risks, but client-side applications using the JREs might be. You will need to evaluate your own code to determine if you are vulnerable.

Content

CVEID: CVE-2014-0428

Description:
An unspecified vulnerability in Oracle Java SE related to the CORBA component could allow a remote attacker to execute arbitrary code on the system.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90325 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0422

Description:
An unspecified vulnerability in Oracle Java SE related to the JNDI component could allow a remote attacker to execute arbitrary code on the system.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90326 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2013-5907

Description:
An unspecified vulnerability in Oracle Java SE related to the 2D component could allow a remote attacker to execute arbitrary code on the system.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90324 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0415

Description:
An unspecified vulnerability in Oracle Java SE related to the Deployment component could allow a remote attacker to execute arbitrary code on the system.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90323 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2014-0410

Description:
An unspecified vulnerability in Oracle Java SE related to the Deployment component could allow a remote attacker to execute arbitrary code on the system.

CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90322 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

AFFECTED PRODUCTS AND VERSIONS:
CICS Transaction Gateway for Multiplatforms v9.0 and earlier.

REMEDIATION:
Upgrade the JRE being used by CICS TG Java client applications. Updated JREs for use with CICS TG Java client applications are made available on Fix Central:
<http://www-933.ibm.com/support/fixcentral/options?selection=Software%3Bibm%2FOther+software%3Bibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms>

Workaround(s):
None

Mitigation(s):
None

RELATED INFORMATION:

Complete CVSS v2 Guide
On-line Calculator v2

[{"Product":{"code":"SSGMJ2","label":"CICS Transaction Gateway"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w/TPS"},"Component":"CTG","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z/OS"}],"Version":"9.0;8.1;8.0;7.2","Edition":"All","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]
