This issue is due to the way that certain data types, such as certain strings, are handled when they are loaded into CICS vectors. An attacker can leverage this issue to cause CICS to crash. This issue can be exploited by sourcing specially crafted SQL statements from which SQL statements can be executed in the database. An attacker can leverage the fact that certain data types have different execution times to insert data into the database at a time when the database is not expecting data. This can lead to a denial of service. This issue was patched in CICS TX 11.1.0. Vulnerable releases could be patched by upgrading to CICS TX 11.1.0 or later releases. An upgrade is required.
CICS TX 11.1.0
CICS TX 11.1.0 is vulnerable to a denial of service (DoS) condition when a specially crafted SQL statement is sourced from an attacker. The issue occurs in certain data types, such as certain strings, when they are loaded into CICS vectors. An attacker can leverage this issue to cause CICS to crash and execute unauthorized SQL statements in the database. This issue can be exploited by sourcing specially crafted SQL statements from which SQL statements can be executed in the database. An attacker can leverage the fact that certain data types have different execution times to insert data into the database at a time when the database is not expecting data. This can lead to a denial of service. This issue was patched in CICS TX 11.1.0 and later releases.
References
CVE-2022-34308: https://ics-db.trusty.com/advisories/ICSDB-A-2006021016
CICS TX 11.1.0: https://ics-db.trusty.com/advisories/ICSDB-A-2006120717
Timeline
Published on: 10/07/2022 17:15:00 UTC
Last modified on: 10/08/2022 13:18:00 UTC