There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 7.0, 7.1 and 8.0 used by CICS Transaction Gateway. CICS Transaction Gateway has addressed the applicable CVEs.
CVEID:CVE-2020-14583
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 8.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185061 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
CVEID:CVE-2020-14593
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the 2D component could allow an unauthenticated attacker to cause no confidentiality impact, high integrity impact, and no availability impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185071 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID:CVE-2020-14556
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185034 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2020-14579
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185057 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2020-14578
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185056 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2020-14577
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2019-17639
**DESCRIPTION:**Eclipse OpenJ9 could allow a remote attacker to obtain sensitive information, caused by the premature return of the current method with an undefined return value. By invoking the System.arraycopy method with a length longer than the length of the source or destination array can, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM CICS Transaction Gateway | 9.1.0.0 - 9.1.0.3 |
IBM CICS Transaction Gateway | 9.2.0.0 - 9.2.0.2 |
IBM CICS Transaction Gateway | 9.0.0.0 - 9.0.0.5 |
IBM CICS Transaction Gateway | 8.1.0.0 - 8.1.0.5 |
IBM CICS Transaction Gateway | 8.0.0.0 - 8.0.0.6 |
Upgrade the JRE used by CICS TG Java client applications and/or the CICS TG Gateway daemon. Updated JREs which can used with CICS TG Java client applications and the Gateway daemon are made available on Fix Central.
Product | VRMF | APAR | Remediation / First Fix |
---|---|---|---|
CICS Transaction Gateway for Multiplatforms | 9.2.0.0 | ||
9.2.0.1 | |||
9.2.0.2 |
Updated JRE’s have been made available on Fix Central as Fix packs.
AIX: 8.0.6-CICSTG-AIXpSeries32-JRE-SR15
xLinux: 8.0.6-CICSTG-Linuxx8632-JRE-SR15
pLinux: 8.0.6-CICSTG-LinuxpSeries32-JRE-SR15
zLinux: 8.0.6-CICSTG-LinuxzSeries31-JRE-SR15
Windows:8.0.6-CICSTG-Windowsx8632-JRE-SR15
Solaris: 7.0.10-CICSTG-SolarisSPARC32-JRE-SR70
| https://www-945.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=9.2.0&query.platform=All
CICS Transaction Gateway for Multiplatforms| 9.1.0.0
9.1.0.1
9.1.0.2
9.1.0.3|
Updated JRE’s have been made available on Fix Central as Fix packs.
AIX: 7.1.4-CICSTG-AIXpSeries32-JRE-SR70
xLinux: 7.1.4-CICSTG-Linuxx8632-JRE-SR70
pLinux: 7.1.4-CICSTG-LinuxpSeries32-JRE-SR70
zLinux: 7.1.4-CICSTG-LinuxzSeries31-JRE-SR70
Windows: 7.1.4-CICSTG-Windowsx8632-JRE-SR70
Solaris: 7.0.10-CICSTG-SolarisSPARC32-JRE-SR70
| https://www-945.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=9.1.0&query.platform=All
CICS Transaction Gateway for Multiplatforms|
9.0.0.0
9.0.0.1
9.0.0.2
9.0.0.3
9.0.0.4
9.0.0.5
8.1.0.0
8.1.0.1
8.1.0.2
8.1.0.3
8.1.0.4
8.1.0.5
8.0.0.0
8.0.0.1
8.0.0.2
8.0.0.3
8.0.0.4
8.0.0.5
8.0.0.6
| Updated JRE’s have been made available on Fix Central as Fix packs.
Solaris: 7.0.10-CICSTG-SolarisSPARC32-JRE-SR70
AIX: 7.0.10-CICSTG-AIXpSeries32-JRE-SR70
xLinux: 7.0.10-CICSTG-Linuxx8632-JRE-SR70
pLinux: 7.0.10-CICSTG-LinuxpSeries32-JRE-SR70
zLinux: 7.0.10-CICSTG-LinuxzSeries31-JRE-SR70
Windows: 7.0.10-CICSTG-Windowsx8632-JRE-SR70| https://www-945.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=9.0.0&query.platform=All
None