A fix is available
APAR status
Closed as program error.
Error description
To address CVE-2015-1270, the vulnerability flagged by Black Duck and reported by the customer, we are upgrading icu4j.jar to ICU 60 (level 60.3).
Local fix
Problem summary
USERS AFFECTED: All customers using ctgclient.jar will be affected by the CVE-2015-1270 vulnerability.

PROBLEM DESCRIPTION: Customer reported the vulnerability CVE-2015-1270 with CICS TG jars. CICS TG jars include the classes from icu4j.jar. The current version of icu4j.jar used in the project is level 55.1 of icu4j. The reported vulnerability is resolved in 56.1. The last icu4j upgrade was done through Defect 18829. Through this APAR, we are updating the ICU level to 60. We will download the binaries from http://site.icu-project.org/download/60#TOC-ICU4J-Download. The download link points to https://github.com/unicode-org/icu/releases/tag/release-60-3.

The Black Duck security vulnerability CVE-2015-1270 affects CICS TG jars. CICS TG jars include the classes from icu4j.jar and are hence vulnerable to it.
Problem conclusion
The security vulnerability is addressed by updating the included icu4j.jar to level 60.3, which addresses this vulnerability.
Temporary fix
Comments
**** PE20/06/26 FIX IN ERROR. SEE APAR PH26804 FOR DESCRIPTION
APAR Information
APAR number
PH13934
Reported component name
CTG V9 FOR Z/OS
Reported component ID
5655Y2000
Reported release
920
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-06-27
Closed date
2019-11-21
Last modified date
2020-07-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
PH14054 UI66543 UI66544 UI66637
Modules/Macros
CTG00199 CTG00628
Fix information
Fixed component name
CTG V9 FOR Z/OS
Fixed component ID
5655Y2000
Applicable component levels
R900 PSY UI66637
UP19/11/27 P F911
R910 PSY UI66544
UP19/11/22 P F911
R920 PSY UI66543
UP19/11/22 P F911
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
11 July 2020