SB2023092808 - Multiple vulnerabilities in IBM CICS TX Standard

Security Bulletin ID SB2023092808

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2021-39028)

The vulnerability allows a remote user to perform various attacks.

The vulnerability exists due to improper validation of input by the HOST headers. A remote user can conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.

2) Spoofing attack (CVE-ID: CVE-2021-39038)

The vulnerability allows a remote attacker to perform clickjacking attack.

The vulnerability exists due to incorrect processing of user-supplied data, when REST API discovery is configured through the WebSphere administrative console Web Container settings to enable the API Discovery service, or through IBM WebSphere Application Server Liberty features mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0, apiDiscovery-1.0, openapi-3.0 or openapi-3.1. A remote attacker can perform clickjacking attack.

Remediation

Install update from vendor's website.

References

https://www.ibm.com/support/pages/node/6595099