## Summary

The Apache Kafka and cryptography packages are used by the z/TPF system in runtime metrics collection and the z/TPF real-time insights dashboard starter kit. The z/TPF system was updated to address the vulnerabilities in these packages described by CVE-2023-25194 and CVE-2023-23931.

## Vulnerability Details

** CVEID: **[CVE-2023-25194]()
** DESCRIPTION: **Apache Kafka could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization when configuring the connector via the Kafka Connect REST API. By sending specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/246698]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

** CVEID: **[CVE-2023-23931]()
** DESCRIPTION: **PyPI cryptography package could allow a remote attacker to bypass security restrictions, caused by a memory corruption in Cipher.update_into. By passing an immutable python object as the outbuf, an attacker could exploit this vulnerability to bypass authentication and obtain access.
CVSS Base score: 4.8
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/246738]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

## Affected Products and Versions

Affected Product(s)| Version(s)
—|—
z/Transaction Processing Facility| 1.1

## Remediation/Fixes

Product| VRMF| APAR| Remediation/First Fix
—|—|—|—
z/TPF| 1.1| PJ47008|

1. Apply the APAR, which is available for download from the [TPF Family Products: Maintenance]( “TPF Family Product: Maintenance” ) web page.
2. Update your copy of the real-time insights dashboard starter kit, which is available for download from the [z/TPF real-time insights dashboard starter kit]() web page.

## Workarounds and Mitigations

None

##Read More