SB2022112104 - IBM CICS TX update for golang

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) NULL pointer dereference (CVE-ID: CVE-2020-29652)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when processing an authentication request message for the “gssapi-with-mic” method. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

2) Improper Authentication (CVE-ID: CVE-2017-14623)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in processing authentication requests. A remote attacker can bypass authentication process and login with an empty password under certain conditions.

3) Input validation error (CVE-ID: CVE-2021-43565)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing a Signer to ServerConfig.AddHostKey in cases where the Signer passed to AddHostKey does not implement AlgorithmSigner or the Signer passed to AddHostKey returns a key of type “ssh-rsa” from its PublicKey method. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

4) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2017-3204)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to Go Crypto library does not verify host keys. A remote attacker can perform MitM attack.

5) Improper Preservation of Permissions (CVE-ID: CVE-2020-15113)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software improperly sets permissions to certain directory paths in case they were previously created (etcd data directory and the directory path when provided to automatically generate self-signed certificates for TLS connections with clients). A local user can gain unauthorized access to sensitive information on the system.

6) Reachable Assertion (CVE-ID: CVE-2020-9283)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion during signature verification process. A remote attacker can supply a specially crafted certificate to the application (server or client) and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/6833250"
• https://www.ibm.com/support/pages/node/6833250</a></p><p>
• https://www.ibm.com/support/pages/node/6833248</p><p><br></p>