Security Bulletin: CICS Transaction Gateway for Multiplatforms

Flash (Alert)


Abstract

Multiple security vulnerablilities exist in the JREs shipped with CICS TG for client applications. CICS TG itself is not vulnerable to these risks but client side applications using the JREs might be. You will need to evaluate your own code to determine if you are vulnerable.

Content

VULNERABILITY DETAILS:
CVEID: CVE-2013-2468
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2442 and CVE-2013-2466.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85034 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID:CVE-2013-2469
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image layout verification" in 2D.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85032 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID:CVE-2013-2465
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85031 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID:CVE-2013-2464
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2013-2463, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, and CVE-2013-2473.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85030 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)


CVEID:CVE-2013-2463
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image attribute verification" in 2D.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85029 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID:CVE-2013-2473
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect ByteBandedRaster size checks" in 2D.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85028 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID:CVE-2013-2472
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect ShortBandedRaster size checks" in 2D.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85027 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID:CVE-2013-2471
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect IntegerComponentRaster size checks."

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85026 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID:CVE-2013-2470
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "ImagingLib byte lookup processing."

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85025 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID:CVE-2013-2459
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "integer overflow checks."

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85033 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID:CVE-2013-2466
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2013-2442 and CVE-2013-2468.
CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85035 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

CVEID:CVE-2013-2462
DESCRIPTION:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVSS Base Score: 10
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85037 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:X/AC:X/Au:X/C:X/I:X/A:X)

AFFECTED PRODUCTS AND VERSIONS:
CICS Transaction Gateway for Multiplatforms v9.0 and earlier


REMEDIATION:
Updated client side JRE's have been made available on Fix Central. Upgrade the JRE being used by CICS TG Java client applications. Updated JREs for use with CICS TG Java client applications are made available on Fix Central:
http://www-933.ibm.com/support/fixcentral/options?selection=Software%3bibm%2fOther+software%3bibm%2fWebSphere%2fCICS+Transaction+Gateway+for+Multiplatforms

Workaround(s):
None

Mitigation(s):
None

RELATED INFORMATION:

Complete CVSS Guide
On-line Calculator V2

Rate this page:

(0 users)Average rating

Document information


More support for:

CICS Transaction Gateway
CTG

Software version:

7.1, 7.2, 8.0, 8.1, 9.0

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Software edition:

All

Reference #:

1653090

Modified date:

2013-10-15

Translate my page

Machine Translation

Content navigation