Security Bulletin: CICS Transaction Gateway for Multiplatforms

Summary

Multiple security vulnerablilities exist in the JREs shipped with CICS TG for client applications. CICS TG itself is not vulnerable to all these risks but client side applications using the CICS TG supplied JREs might be.

Vulnerability Details

CVEID:CVE-2015-0491
DESCRIPTION: Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and Java FX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2015-0459.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102329&gt; for the current score
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0459 **DESCRIPTION: **Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JavaFX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2015-0491.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102328&gt; for the current score
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID:****CVE-2015-0469
**DESCRIPTION:**Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
CVSS Base Score: 10
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102327&gt; for the current score
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0460 **DESCRIPTION: **Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102330&gt; for the current score
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID:CVE-2015-0458
**DESCRIPTION:**Unspecified vulnerability in in Oracle Java SE 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
CVSS Base Score: 7.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102332&gt; for the current score
CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C)

CVEID:CVE-2015-0480
**DESCRIPTION:**Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102334&gt; for the current score
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:P)

CVEID:****CVE-2015-0488
**DESCRIPTION:**Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JRockit R28.3.5, allows remote attackers to affect availability via vectors related to JSSE.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102336&gt; for the current score
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2015-0486 **DESCRIPTION: **Unspecified vulnerability in Oracle Java SE 8u40 allows remote attackers to affect confidentiality via unknown vectors related to Deployment.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102335&gt; for the current score
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-0478 **DESCRIPTION: **Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JRockit R28.3.5, allows remote attackers to affect confidentiality via vectors related to JCE.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102339&gt; for the current score
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID:****CVE-2015-0477
**DESCRIPTION:**Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity via unknown vectors related to Beans.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102337&gt; for the current score
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0470 **DESCRIPTION: **Unspecified vulnerability in Oracle Java SE 8u40 allows remote attackers to affect integrity via unknown vectors related to Hotspot.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102338&gt; for the current score
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0204 **DESCRIPTION: **The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the “FREAK” issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/99707&gt; for the current score
CVSS Vector: (AV:N/AC:M/Au:N/C:M/I:P/A:N)

CVEID: CVE-2015-0192 DESCRIPTION: A vulnerability in the IBM implementation of the Java Virtual Machine may, under limited circumstances, allow untrusted code running under a security manager to elevate its privileges.
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101008&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-2808 **DESCRIPTION: **The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the “Bar Mitzvah” issue.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101851&gt; for the current score
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1916 **DESCRIPTION: **Server applications which use the IBM Java Secure Socket Extension provider to accept SSL/TLS connections are vulnerable to a denial of service attack due to an unspecified vulnerability.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101995&gt; for the current score
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID**:** CVE-2015-1914
DESCRIPTION: A vulnerability in the IBM implementation of the Java Virtual Machine may allow untrusted code running under a security manager to bypass permission checks and view sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101908&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

CICS Transaction Gateway for Multiplatforms v7.2, v8.0, v8.1, v9.0 and v9.1. Inclusion in this list does not imply that all the products are supported. See the IBM Support Lifecycle page for product end of support dates.

Remediation/Fixes

Updated JRE’s have been made available on Fix Central. Upgrade the JRE used by CICS TG Java client applications and/or the CICS TG Gateway daemon. Updated JREs which can used with CICS TG Java client applications and the Gateway daemon are made available on Fix Central:_
_http://www-933.ibm.com/support/fixcentral/options?selection=Software%3bibm%2fOther+software%3bibm%2fWebSphere%2fCICS+Transaction+Gateway+for+Multiplatforms