IBM 31-bit SDK for z/OS and IBM 64-bit SDK for z/OS Multiple Vulnerabilities

SA48854

CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507

16 Apr 2012

Highly Critical

Vendor Patch

IBM 31-bit SDK for z/OS 6.x
IBM 64-bit SDK for z/OS 6.x

From remote

DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.

The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.

IBM has acknowledged multiple vulnerabilities in IBM 31-bit SDK for z/OS and IBM 64-bit SDK for z/OS, which can be exploited by malicious people to disclose sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

For more information:
SA48009

Apply APAR.

IBM 31-bit SDK for z/OS:
Apply APAR PM59971.

IBM 64-bit SDK for z/OS:
Apply APAR PM59978.

IBM (PM59971, PM59978):
http://www.ibm.com/support/docview.wss?uid=swg1PM59971
http://www.ibm.com/support/docview.wss?uid=swg1PM59978