IBME44699F9DCA2F252FEE7316C8CF21A7A9E7AAEE5B1920F7B438E8E1CE03BEB95Security Bulletin: Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
65.8%
Summary
IBM® Runtime Environment Java™ is used by CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. The fix updates the Java Runtime Environment to resolve the following vulnerabilities.
Vulnerability Details
CVEID:CVE-2022-40609
**DESCRIPTION:**IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236069 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM CICS Transaction Gateway | 9.0 |
| IBM CICS Transaction Gateway | 9.1 |
| IBM CICS Transaction Gateway | 9.2 |
| IBM CICS Transaction Gateway | 9.3 |
Remediation/Fixes
IBM recommends that you apply these fixes:
Product
| VRMF|Remediation/First Fix
—|—|—
CICS Transaction Gateway for Multiplatforms
CICS Transaction Gateway Desktop Edition
| 9.0|
PSIRT fixes for CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition 9.0 will be provided only for extended support customers with request through Salesforce case.
CICS Transaction Gateway for Multiplatforms
CICS Transaction Gateway Desktop Edition
| 9.1|
AIX: [Fix Central Link](<https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FCICS+Transaction+Gateway+for+Multiplatforms&fixids=8.0.8-CICSTG-AIXpSeries32-JRE-SR5&source=SAR > “Fix Central Link” )
Linux on POWER Big Endian: Fix Central Link
Linux on Intel: Fix Central Link
Linux on IBM Z: Fix Central Link
Windows: Fix Central Link
CICS Transaction Gateway for Multiplatforms
CICS Transaction Gateway Desktop Edition
|
9.2
|
AIX: Fix Central Link
Linux on POWER Big Endian: Fix Central Link
Linux on Intel: Fix Central Link
Linux on IBM Z: Fix Central Link
Windows: Fix Central Link
CICS Transaction Gateway for Multiplatforms
CICS Transaction Gateway Desktop Edition
|
9.3
|
Linux on POWER Big Endian: Fix Central Link
Windows: Fix Central Link
Workarounds and Mitigations
None
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| cics transaction gateway | eq | 9.0 | |
| cics transaction gateway | eq | 9.1 | |
| cics transaction gateway | eq | 9.2 | |
| cics transaction gateway | eq | 9.3 |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
65.8%