IBM Support

PH13934: TO ADDRESS THE BLACK DUCK CVE-2015-1270 VULNERABILITY IN JAR FILES.

A fix is available


APAR status

  • Closed as program error.

Error description

  • To address the Black Duck CVE-2015-1270 vulnerability reported by
    the customer, we are upgrading icu4j.jar to ICU 60 (the 60.3
    level).
    

Local fix

Problem summary

  • USERS AFFECTED: All customers using ctgclient.jar are affected by
    the CVE-2015-1270 vulnerability.

    PROBLEM DESCRIPTION: A customer reported the vulnerability
    CVE-2015-1270 against the CICS TG jars. The CICS TG jars include
    the classes from icu4j.jar. The version of icu4j.jar currently
    used in the project is level 55.1. The reported vulnerability is
    resolved in 56.1. The last icu4j upgrade was done through Defect
    18829. Through this APAR, we are updating the ICU level to 60. We
    will download the binaries from
    http://site.icu-project.org/download/60#TOC-ICU4J-Download. The
    download link points to
    https://github.com/unicode-org/icu/releases/tag/release-60-3.

    The Black Duck security vulnerability CVE-2015-1270 affects the
    CICS TG jars. The CICS TG jars include the classes from icu4j.jar
    and are hence exposed to this vulnerability.
    

Problem conclusion

  • The security vulnerability is addressed by updating the included
    icu4j.jar to level 60.3.
    

Temporary fix

Comments

  • **** PE20/06/26 FIX IN ERROR. SEE APAR PH26804 FOR DESCRIPTION
    

APAR Information

  • APAR number

    PH13934

  • Reported component name

    CTG V9 FOR Z/OS

  • Reported component ID

    5655Y2000

  • Reported release

    920

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-06-27

  • Closed date

    2019-11-21

  • Last modified date

    2020-07-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PH14054 UI66543 UI66544 UI66637

Modules/Macros

  • CTG00199 CTG00628
    

Fix information

  • Fixed component name

    CTG V9 FOR Z/OS

  • Fixed component ID

    5655Y2000

Applicable component levels

  • R900 PSY UI66637

       UP19/11/27 P F911

  • R910 PSY UI66544

       UP19/11/22 P F911

  • R920 PSY UI66543

       UP19/11/22 P F911

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
11 July 2020