Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMF46CADA935BAB7CB2109AA0785089017604AD7EAC5A1D830D4321BAF92856A7C
HistoryMay 02, 2019 - 2:50 p.m.

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway

2019-05-0214:50:01
www.ibm.com
8

0.018 Low

EPSS

Percentile

88.4%

JSON

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 7.0, 7.1 and 8.0 used by CICS Transaction Gateway. CICS Transaction Gateway has addressed the applicable CVEs.

Vulnerability Details

If you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether additional Java vulnerabilities are applicable to your code. For a complete list of vulnerabilities, refer to the “IBM Java SDK Security Bulletin”, located in the References section for more information.

CVEID: CVE-2018-12547 DESCRIPTION: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by improper bounds checking by the jio_snprintf() and jio_vsnprintf() functions. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157512&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-12549 DESCRIPTION: Eclipse OpenJ9 could allow a remote attacker to execute arbitrary code on the system, caused by the failure to omit a null check on the receiver object of an Unsafe call when accelerating it. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157513&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1890 DESCRIPTION: IBM SDK, Java Technology Edition Version 8 on the AIX platform uses absolute RPATHs which may facilitate code injection and privilege elevation by local users.

CVSS Base Score: 5.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152081&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)

Affected Products and Versions

CICS Transaction Gateway v8.0.0.0 – 8.0.0.6
CICS Transaction Gateway v8.1.0.0 – 8.1.0.5
CICS Transaction Gateway v9.0.0.0 – 9.0.0.4
CICS Transaction Gateway v9.1.0.0 – 9.1.0.3
CICS Transaction Gateway v9.2.0.0 – 9.2.0.2

Remediation/Fixes

Upgrade the JRE used by CICS TG Java client applications and/or the CICS TG Gateway daemon. Updated JREs which can used with CICS TG Java client applications and the Gateway daemon are made available on Fix Central.

Product

|

VRMF

|

APAR

|

Remediation / First Fix

—|—|—|—
CICS Transaction Gateway for Multiplatforms | 9.2.0.0
9.2.0.1
9.2.0.2 | Updated JRE’s have been made available on Fix Central as Fix packs.
AIX: 8.0.5-CICSTG-AIXpSeries32-JRE-SR31
HP-UX: 8.0.5-CICSTG-HPUXIA32-JRE-SR30
xLinux: 8.0.5-CICSTG-Linuxx8632-JRE-SR31
pLinux: 8.0.5-CICSTG-LinuxpSeries32-JRE-SR31
zLinux: 8.0.5-CICSTG-LinuxzSeries31-JRE-SR31
Windows:8.0.5-CICSTG-Windowsx8632-JRE-SR31 |
https://www-945.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=9.2.0&query.platform=All
CICS Transaction Gateway for Multiplatforms | 9.1.0.0
9.1.0.1
9.1.0.2
9.1.0.3 | Updated JRE’s have been made available on Fix Central as Fix packs.
Solaris: 7.0.10-CICSTG-SolarisSPARC32-JRE-SR40
AIX: 7.1.4-CICSTG-AIXpSeries32-JRE-SR40
xLinux: 7.1.4-CICSTG-Linuxx8632-JRE-SR40
pLinux: 7.1.4-CICSTG-LinuxpSeries32-JRE-SR40
zLinux: 7.1.4-CICSTG-LinuxzSeries31-JRE-SR40
Windows: 7.1.4-CICSTG-Windowsx8632-JRE-SR40 |
https://www-945.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=9.1.0&query.platform=All
CICS Transaction Gateway for Multiplatforms | 9.0.0.0
9.0.0.1
9.0.0.2
9.0.0.3
9.0.0.4
8.1.0.0
8.1.0.1
8.1.0.2
8.1.0.3
8.1.0.4
8.1.0.5
8.0.0.0
8.0.0.1
8.0.0.2
8.0.0.3
8.0.0.4
8.0.0.5
8.0.0.6 | Updated JRE’s have been made available on Fix Central as Fix packs.
Solaris: 7.0.10-CICSTG-SolarisSPARC32-JRE-SR40
AIX: 7.0.10-CICSTG-AIXpSeries32-JRE-SR40
xLinux: 7.0.10-CICSTG-Linuxx8632-JRE-SR40
pLinux: 7.0.10-CICSTG-LinuxpSeries32-JRE-SR40
zLinux: 7.0.10-CICSTG-LinuxzSeries31-JRE-SR40
Windows: 7.0.10-CICSTG-Windowsx8632-JRE-SR40 | https://www-945.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other%20software&query.product=ibm~WebSphere~CICS%20Transaction%20Gateway%20for%20Multiplatforms&query.release=9.0.0&query.platform=All

Workarounds and Mitigations

None

Related

ibm 142
aix 1
redhat 6
nessus 9
veracode 2
nvd 3
osv 2
cvelist 3
prion 3
redhatcve 3
cve 3
attackerkb 1
openvas 2
ibm
ibm
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator
2019-05-02 21:10:01
Security Bulletin: Eclipse OpenJ9 jio_snprintf() and jio_vsnprintf() buffer overflow and
2021-07-08 21:30:52
Security Bulletin: Vulnerability in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows(IBM SDK, Java Technology Edition Quarterly CPU - Jan 2019 - Includes Oracle Jan 2019 CPU) )
2019-06-26 05:00:02
aix
aix
Multiple vulnerabilities in IBM Java SDK affect AIX
2019-04-16 10:52:12
redhat
redhat
(RHSA-2019:0472) Critical: java-1.8.0-ibm security update
2019-03-05 12:14:26
(RHSA-2019:0469) Critical: java-1.8.0-ibm security update
2019-03-06 21:43:02
(RHSA-2019:0640) Moderate: java-1.8.0-ibm security update
2019-03-25 18:21:21
nessus
nessus
RHEL 7 : java-1.8.0-ibm (RHSA-2019:0472)
2019-03-08 00:00:00
RHEL 6 : java-1.8.0-ibm (RHSA-2019:0469)
2019-03-07 00:00:00
RHEL 6 : java-1.8.0-ibm (RHSA-2019:0640)
2019-03-27 00:00:00
veracode
veracode
Missing Null Check
2019-05-16 03:57:00
Denial Of Service (DoS)
2019-05-16 03:57:00
nvd
nvd
CVE-2018-12549
2019-02-11 15:29:00
CVE-2018-12547
2019-02-11 15:29:00
CVE-2018-1890
2019-03-11 22:29:00
osv
osv
CVE-2018-12549
2019-02-11 15:29:00
CVE-2018-12547
2019-02-11 15:29:00
cvelist
cvelist
CVE-2018-12549
2019-02-11 15:00:00
CVE-2018-12547
2019-02-11 15:00:00
CVE-2018-1890
2019-03-01 00:00:00
prion
prion
Design/Logic Flaw
2019-02-11 15:29:00
Code injection
2019-02-11 15:29:00
Code injection
2019-03-11 22:29:00
redhatcve
redhatcve
CVE-2018-12549
2019-10-11 16:30:56
CVE-2018-12547
2020-01-03 15:30:50
CVE-2018-1890
2019-03-05 22:20:43
cve
cve
CVE-2018-12549
2019-02-11 15:29:00
CVE-2018-12547
2019-02-11 15:29:00
CVE-2018-1890
2019-03-11 22:29:00
attackerkb
attackerkb
CVE-2018-1890
2019-03-11 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2019:0617-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:0585-1)
2021-06-09 00:00:00

0.018 Low

EPSS

Percentile

88.4%

JSON
Related for F46CADA935BAB7CB2109AA0785089017604AD7EAC5A1D830D4321BAF92856A7C
ibm142aix1redhat6nessus9veracode2nvd3osv2cvelist3prion3redhatcve3cve3attackerkb1openvas2