===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0168
      Security Bulletin: CICS Transaction Gateway for Multiplatforms
                              20 January 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM CICS Transaction Gateway
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5597 CVE-2016-5582 CVE-2016-5573
                   CVE-2016-5568 CVE-2016-5556 CVE-2016-5554
                   CVE-2016-5542  

Reference:         ASB-2016.0095
                   ESB-2017.0138

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21993494

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: CICS Transaction Gateway for Multiplatforms

Document information

Product:             CICS Transaction Gateway (CTG)
Software version:    8.0, 8.1, 9.0, 9.1, 9.2
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Software edition:    All
Reference #:         1993494
Modified date:       19 January 2017

Summary

Multiple security vulnerabilities exist in the JREs shipped with CICS
Transaction Gateway (CICS TG) for client applications. CICS TG itself is not
vulnerable to all of these issues, but client-side applications that use the
CICS TG-supplied JREs might be.

Vulnerability Details

CVEID: CVE-2016-5582

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Hotspot component has high confidentiality impact,
high integrity impact, and high availability impact.

CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118069 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5568

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
AWT component has high confidentiality impact, high integrity impact, and
high availability impact.

CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118068 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5556

DESCRIPTION: An unspecified vulnerability in Oracle Java SE related to the
2D component has high confidentiality impact, high integrity impact, and
high availability impact.

CVSS Base Score: 9.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118067 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5573

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Hotspot component has high confidentiality impact,
high integrity impact, and high availability impact.

CVSS Base Score: 8.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118070 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-5597

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Networking component could allow a remote attacker
to obtain sensitive information, resulting in a high confidentiality impact,
using unknown attack vectors.

CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118071 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5554

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the JMX component has no confidentiality impact, low
integrity impact, and no availability impact.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118072 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-5542

DESCRIPTION: An unspecified vulnerability in Oracle Java SE and Java SE
Embedded related to the Libraries component has no confidentiality impact,
low integrity impact, and no availability impact.

CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118073 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

CICS Transaction Gateway for Multiplatforms v8.0, v8.1, v9.0, v9.1 and v9.2.
Inclusion in this list does not imply that all the products are supported.
See the IBM Support Lifecycle page for product end of support dates.

Remediation/Fixes

Updated JREs have been made available on Fix Central. Upgrade the JRE used by
CICS TG Java client applications and/or the CICS TG Gateway daemon. Updated
JREs which can be used with CICS TG Java client applications and the Gateway
daemon are available from Fix Central:

http://www.ibm.com/support/fixcentral/swg/identifyFixes?query.parent=ibm~Other software&query.product=ibm~WebSphere~CICS Transaction Gateway for Multiplatforms&query.release=All&query.platform=All

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================