SB2023031018 - Multiple vulnerabilities in IBM CICS TX Advanced

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2022-21698)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within method label cardinality. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

2) Uncontrolled Recursion (CVE-ID: CVE-2021-31525)

The vulnerability allows a remote attacker to perform a DoS attack.

The vulnerability exists due to uncontrolled recursion when processing HTTP headers. A remote attacker can send a large header to ReadRequest or ReadResponse and perform a denial of service (DoS) attack.

3) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2020-8564)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. A local user can read the log files and gain access to sensitive data.

4) Use of insufficiently random values (CVE-ID: CVE-2019-11840)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. A remote unauthenticated attacker can trigger the vulnerability and gain access to sensitive information.

5) Uncontrolled Memory Allocation (CVE-ID: CVE-2020-8552)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the Kubernetes API server component due to improper allocation of memory. A remote attacker can send a specially crafted API request and cause a denial of service condition on the target system.

6) Out-of-bounds read (CVE-ID: CVE-2021-38561)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.

7) Infinite loop (CVE-ID: CVE-2020-14040)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

8) Improper Certificate Validation (CVE-ID: CVE-2020-7919)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/6833268