IBM Security Bulletin, published May 17, 2023, 1:42 p.m. (www.ibm.com)
Security Bulletin: Multiple Vulnerabilities (CVE-2023-24998, CVE-2023-1436) affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition.


CVSS v3.1 base score: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High)
EPSS: 0.034 (Low), 91.4th percentile

Summary

Multiple Vulnerabilities (CVE-2023-24998, CVE-2023-1436) affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. This fix resolves these vulnerabilities.

Vulnerability Details

CVEID: CVE-2023-24998
**DESCRIPTION:** Apache Commons FileUpload and Tomcat are vulnerable to a denial of service, caused by not limiting the number of request parts processed by the file upload function. By sending a specially crafted request containing a series of uploads, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/247895 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-1436
**DESCRIPTION:** Jettison is vulnerable to a denial of service, caused by an infinite recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/250490 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
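As an added example, not IBM's or Apache's code, the defensive check that the CVE-2023-24998 fix introduces: a multipart delimiter walker that counts request parts and rejects the request once a configured cap is exceeded, before any part body reaches the upload handler. The boundary string, the cap value MAX_PARTS and the generated request bodies are constructed for this example; the fixed Commons FileUpload release exposes an equivalent, configurable part-count limit on its upload handler.

```python
from typing import Iterator

MAX_PARTS = 1000  # assumed cap for this example; size it to what the app legitimately needs

class TooManyPartsError(ValueError):
    """Raised when a multipart body carries more parts than the configured cap."""

def iter_parts(body: bytes, boundary: bytes) -> Iterator[bytes]:
    """Yield each part (headers plus content) of a multipart/form-data body.
    Minimal RFC 2046 delimiter walk written for this example; stops at the close delimiter."""
    delimiter = b"--" + boundary
    pos = body.find(delimiter)
    while pos != -1:
        start = pos + len(delimiter)
        if body.startswith(b"--", start):  # "--boundary--": no more parts
            return
        nxt = body.find(delimiter, start)
        end = nxt if nxt != -1 else len(body)
        yield body[start:end].strip(b"\r\n")
        pos = nxt

def count_parts(body: bytes, boundary: bytes, max_parts: int = MAX_PARTS) -> int:
    """Count parts, aborting as soon as max_parts is exceeded, so an oversized
    request is rejected while walking delimiters rather than after parsing every part."""
    count = 0
    for _ in iter_parts(body, boundary):
        count += 1
        if count > max_parts:
            raise TooManyPartsError(f"request carries more than {max_parts} parts")
    return count

def accept_request(body: bytes, boundary: bytes, max_parts: int = MAX_PARTS) -> bool:
    """Gate for a request handler: True if the part count is within the cap."""
    try:
        count_parts(body, boundary, max_parts)
    except TooManyPartsError:
        return False
    return True

def build_body(n_parts: int, boundary: bytes) -> bytes:
    """Construct a multipart/form-data body with n_parts tiny file parts (sample input)."""
    part = (b"--%s\r\nContent-Disposition: form-data; name=\"f\"; filename=\"%d.txt\"\r\n"
            b"Content-Type: text/plain\r\n\r\nx\r\n")
    return b"".join(part % (boundary, i) for i in range(n_parts)) + b"--%s--\r\n" % boundary
```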

Affected Products and Versions

Affected Product(s) | Version(s)
—|—
CICS Transaction Gateway for Multiplatforms; CICS Transaction Gateway Desktop Edition | 9.0
CICS Transaction Gateway for Multiplatforms; CICS Transaction Gateway Desktop Edition | 9.1
CICS Transaction Gateway for Multiplatforms; CICS Transaction Gateway Desktop Edition | 9.2
CICS Transaction Gateway for Multiplatforms; CICS Transaction Gateway Desktop Edition | 9.3

Remediation/Fixes

IBM recommends that you apply these fixes:

Product | VRMF | APAR | Remediation/First Fix
—|—|—|—
CICS Transaction Gateway for Multiplatforms; CICS Transaction Gateway Desktop Edition | 9.0 | | PSIRT fixes for CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition 9.0 will be provided only for extended support customers with request through Salesforce case.
CICS Transaction Gateway for Multiplatforms; CICS Transaction Gateway Desktop Edition | 9.1.0.3 | PH54133, PH54134 | Fix Central Link for: AIX; Linux on POWER Big Endian; Linux on Intel; Linux on IBM Z; Windows; Solaris; HP-UX
CICS Transaction Gateway for Multiplatforms; CICS Transaction Gateway Desktop Edition | 9.2.0.2 | PH54133, PH54134 | Fix Central Link for: AIX; Linux on POWER Big Endian; Linux on Intel; Linux on IBM Z; Windows; Solaris; HP-UX
CICS Transaction Gateway for Multiplatforms; CICS Transaction Gateway Desktop Edition | 9.3.0.0 | PH54133, PH54134 | Fix Central Link for: AIX; Linux on POWER Little Endian; Linux on POWER Big Endian; Linux on Intel; Linux on IBM Z; Windows; Linux on IBM Z container; Linux on Intel container

Workarounds and Mitigations

None

