IBM CICS TX Standard is vulnerable to allowing attackers access to an application via insecure session cookies
Description
IBM CICS TX 11.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. X-Force ID: 229449.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM CICS TX 11.1 fails to set the Secure flag on session cookies, enabling session theft via a man-in-the-middle attack after an HTTP link is visited.
Vulnerability
IBM CICS TX Advanced and Standard version 11.1 do not set the Secure attribute on authorization tokens or session cookies [1][2]. Because the Secure flag is absent, cookies are transmitted over unencrypted HTTP connections as well as HTTPS, violating the expected security boundary. The affected products are IBM CICS TX Advanced 11.1 and IBM CICS TX Standard (all versions) [1][2].
Exploitation
An attacker must first induce a user who has an active authenticated session with an affected CICS TX application to click on a crafted http:// link or visit an insecure page controlled by the attacker [1][2]. When the user's browser follows the insecure link, it sends any cookies for the vulnerable application in cleartext over the HTTP connection. The attacker can then capture the traffic (e.g., by network snooping) and recover the session cookie [1][2]. No prior authentication is required; the only prerequisite is a network position from which the cleartext HTTP traffic can be observed.
Impact
Successful exploitation results in the disclosure of the victim's session cookie or authorization token [1][2]. An attacker who obtains a valid cookie can impersonate the victim and gain access to the affected CICS TX application with the victim's privileges. The impact is limited to confidentiality of session identifiers; integrity and availability are not directly compromised unless the gained access is further abused.
Mitigation
IBM has released interim fixes for both affected product lines. For IBM CICS TX Advanced 11.1, apply the fix referenced by defect 127903; for IBM CICS TX Standard 11.1, apply the fix referenced by defect 127642 [1][2]. No workarounds are available [1][2]. The fixes ensure that the Secure attribute is correctly set on session cookies.
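The following audit script is an added example, not IBM's code or the interim fix itself. It parses Set-Cookie header values the way a browser would and reports session-bearing cookies that lack the Secure attribute (the weakness described above) or HttpOnly, so a defender can verify after patching that the server now emits the corrected headers. The cookie names and values are constructed for illustration and are not CICS TX's real cookie names.

```python
"""Audit Set-Cookie headers for session cookies missing the Secure attribute.

Added example (not IBM code). The sample headers below are constructed; the
cookie names CICSSESSION and AUTHTOKEN are hypothetical placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lowercased) -> attribute value, or None for flag attributes
    attributes: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (simplified RFC 6265 section 5.2 rules)."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else None
    return Cookie(name.strip(), value, attrs)


def audit(headers, session_name_hints=("session", "token", "auth", "sid")):
    """Return (cookie name, finding) pairs for session-like cookies lacking protection.

    A cookie without the Secure attribute is attached by the browser to any
    http:// request for the cookie's domain, which is exactly the exposure
    described for CICS TX 11.1.
    """
    findings = []
    for raw in headers:
        c = parse_set_cookie(raw)
        looks_session = any(h in c.name.lower() for h in session_name_hints)
        if not looks_session:
            continue  # non-sensitive cookies (e.g. UI preferences) are out of scope
        if not c.secure:
            findings.append((c.name, "missing Secure: sent over cleartext HTTP"))
        if not c.httponly:
            findings.append((c.name, "missing HttpOnly: readable by page scripts"))
    return findings


# Constructed samples: the first set mimics the weak configuration, the second
# what a corrected server should emit.
WEAK_HEADERS = [
    "CICSSESSION=s3ss10n-constructed; Path=/; HttpOnly",
    "AUTHTOKEN=t0k3n-constructed; Path=/",
    "theme=dark; Path=/",
]
FIXED_HEADERS = [
    "CICSSESSION=s3ss10n-constructed; Path=/; Secure; HttpOnly; SameSite=Lax",
    "AUTHTOKEN=t0k3n-constructed; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        print(label, audit(hdrs) or "no findings")
```

To use it against a live deployment, feed `audit()` the Set-Cookie values captured from the application's login response; an empty result for the session and token cookies is the expected post-fix state.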
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- [1] www.ibm.com/support/pages/node/6833158 (vendor advisory, via MITRE)
- [2] www.ibm.com/support/pages/node/6833164 (vendor advisory, via MITRE)
- [3] exchange.xforce.ibmcloud.com/vulnerabilities/229449 (vulnerability database entry, via MITRE)
News mentions (0)
No linked articles in our index yet.