Regarding CVE-2023-43018, the focus is on defect remediation (2nd Nov 2023)

Preface: A large portion of the banking industry's core applications run on IBM zSystems. These operations, both transactional and batch, maintain systems-of-record (SOR) data. Financial institutions, government organizations, and others have been operating, maintaining, and updating their COBOL applications for many years, because COBOL remains viable alongside, and competitive with, modern languages.

Background: IBM CICS® TX is a comprehensive, single-package transactional runtime with a COBOL compiler, enabled on Red Hat® OpenShift®. CICS TX is an effective and efficient way to move your distributed-platform transactional applications into the cloud. IBM® CICS® TX Advanced (CICS TX) is a mixed-language application server that provides cloud deployment options for suitable CICS applications, using Docker for packaging and Kubernetes for orchestration.

Vulnerability details: IBM CICS TX performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Cause: The underlying weakness is "Unrestricted Internet Access/Outbound Connections", and it affects both IBM CICS TX Standard and IBM CICS TX Advanced. IBM has addressed the applicable vulnerability in both IBM CICS TX Standard and IBM CICS TX Advanced.

Remedy: For network ingress to a CICS TX region, there are several ports to consider:

  • Port 1435 for connecting to the region's listener
  • Port 3270 for cicsteld
  • Port 9087 for metrics collection
  • Port 9443 for admin console
  • Port 2379 for the controller (applies only to CICS TX Standard version)

Network egress is more complex. Examples of network egress that you might want to consider:

  • Other CICS TS / CICS TX regions
  • Connecting to CICS TX Standard Controller (applies only to CICS TX Standard version)
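One way to express the ingress and egress restrictions above for a CICS TX region running on OpenShift/Kubernetes is a NetworkPolicy. This is an added example, not IBM's configuration or part of the original post; the namespace, pod labels, the use of port 2379 for the controller connection, and the cluster DNS selector are assumptions that must be adjusted to the actual deployment.

```yaml
# Added example (not from IBM or the original post): a NetworkPolicy that limits a
# CICS TX region pod to the ingress ports listed above and to named egress
# destinations only. Namespace, labels and the DNS selector are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cicstx-region-restrict
  namespace: cicstx              # assumed namespace of the region pods
spec:
  podSelector:
    matchLabels:
      app: cicstx-region         # assumed label on the region pods
  policyTypes:                   # selecting both types denies everything not listed below
    - Ingress
    - Egress
  ingress:
    - ports:
        - protocol: TCP
          port: 1435             # region listener
        - protocol: TCP
          port: 3270             # cicsteld
        - protocol: TCP
          port: 9087             # metrics collection
        - protocol: TCP
          port: 9443             # admin console
        - protocol: TCP
          port: 2379             # controller (CICS TX Standard only)
  egress:
    # Other CICS TS / CICS TX regions in the same namespace (assumed label)
    - to:
        - podSelector:
            matchLabels:
              app: cicstx-region
    # CICS TX Standard controller (assumed label and port)
    - to:
        - podSelector:
            matchLabels:
              app: cicstx-controller
      ports:
        - protocol: TCP
          port: 2379
    # Cluster DNS so service names still resolve (assumed kube-dns label)
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
```

Because the ingress rules list ports without a `from` clause, any source may reach those ports; add `from` selectors for the admin console, metrics scraper and terminal clients once their locations are known, and test with a pod outside the allowed set to confirm that unlisted egress is actually blocked.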

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-43018
