There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 7.0, 7.1 and 8.0 used by CICS Transaction Gateway. CICS Transaction Gateway has addressed the applicable CVEs.
CVEID:CVE-2020-14803
**DESCRIPTION:**An unspecified vulnerability in Java SE could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190121 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2020-27221
**DESCRIPTION:**Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM CICS Transaction Gateway | 9.2.0.0-9.2.0.2 |
IBM CICS Transaction Gateway | 9.1.0.0-9.1.0.3 |
IBM CICS Transaction Gateway | 9.0.0.0-9.0.0.5 |
IBM CICS Transaction Gateway | 8.1.0.0-8.1.0.5 |
IBM CICS Transaction Gateway | 8.0.0.0-8.0.0.6 |
Upgrade the JRE used by CICS TG Java client applications and/or the CICS TG Gateway daemon. Updated JREs which can used with CICS TG Java client applications and the Gateway daemon are made available on Fix Central.
Product | VRMF | APAR | Remediation / First Fix |
---|---|---|---|
CICS Transaction Gateway for Multiplatforms | 9.2.0.0 | ||
9.2.0.1 | |||
9.2.0.2 |
Updated JRE’s have been made available on Fix Central as Fix packs.
AIX: 8.0.6-CICSTG-AIXpSeries32-JRE-SR25
xLinux: 8.0.6-CICSTG-Linuxx8632-JRE-SR25
pLinux: 8.0.6-CICSTG-LinuxpSeries32-JRE-SR25
zLinux: 8.0.6-CICSTG-LinuxzSeries31-JRE-SR25
Windows:8.0.6-CICSTG-Windowsx8632-JRE-SR25
| https://www-945.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=9.2.0&query.platform=All
CICS Transaction Gateway for Multiplatforms| 9.1.0.0
9.1.0.1
9.1.0.2
9.1.0.3|
Updated JRE’s have been made available on Fix Central as Fix packs.
AIX: 7.1.4-CICSTG-AIXpSeries32-JRE-SR80
xLinux: 7.1.4-CICSTG-Linuxx8632-JRE-SR80
pLinux: 7.1.4-CICSTG-LinuxpSeries32-JRE-SR80
zLinux: 7.1.4-CICSTG-LinuxzSeries31-JRE-SR80
Windows: 7.1.4-CICSTG-Windowsx8632-JRE-SR80
| https://www-945.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=9.1.0&query.platform=All
CICS Transaction Gateway for Multiplatforms|
9.0.0.0
9.0.0.1
9.0.0.2
9.0.0.3
9.0.0.4
9.0.0.5
8.1.0.0
8.1.0.1
8.1.0.2
8.1.0.3
8.1.0.4
8.1.0.5
8.0.0.0
8.0.0.1
8.0.0.2
8.0.0.3
8.0.0.4
8.0.0.5
8.0.0.6
| Updated JRE’s have been made available on Fix Central as Fix packs.
Solaris: 7.0.10-CICSTG-SolarisSPARC32-JRE-SR80
AIX: 7.0.10-CICSTG-AIXpSeries32-JRE-SR80
xLinux: 7.0.10-CICSTG-Linuxx8632-JRE-SR80
pLinux: 7.0.10-CICSTG-LinuxpSeries32-JRE-SR80
zLinux: 7.0.10-CICSTG-LinuxzSeries31-JRE-SR80
Windows: 7.0.10-CICSTG-Windowsx8632-JRE-SR80| https://www-945.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=9.0.0&query.platform=All
None