Security Bulletin: IBM Integration Bus for z/OS is vulnerable to NULL Pointer Dereference and Out-of-bounds Write due to IBM Java ( CVE-2025-1470 & CVE-2025-1471)

IBM Integration Bus for z/OS is vulnerable to NULL Pointer Dereference and Out-of-bounds Write due to IBM Java.

## Vulnerability Details

**CVEID:**CVE-2025-1470
**DESCRIPTION:** In Eclipse OMR, from the initial contribution to version 0.4.0, some OMR internal port library and utilities consumers of z/OS atoe functions do not check their return values for NULL memory pointers or for memory allocation failures. This can lead to NULL pointer dereference crashes. Beginning in version 0.5.0, internal OMR consumers of atoe functions handle NULL return values and memory allocation failures correctly.
**CWE:**CWE-476: NULL Pointer Dereference
**CVSS Source:** NVD
**CVSS Base score:** 5.5
**CVSS Vector:**(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2025-1471
**DESCRIPTION:** In Eclipse OMR versions 0.2.0 to 0.4.0, some of the z/OS atoe print functions use a constant length buffer for string conversion. If the input format string and arguments are larger than the buffer size then buffer overflow occurs. Beginning in version 0.5.0, the conversion buffers are sized correctly and checked appropriately to prevent buffer overflows.
**CWE:**CWE-787: Out-of-bounds Write
**CVSS Source:** NVD
**CVSS Base score:** 7.8
**CVSS Vector:**(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

## Affected Products and Versions

Affected Product(s)| Version(s)
—|—
IBM Integration Bus| 10.1.0.0 – 10.1.0.5

**Note:** It will affect z/OS only.

## Remediation/Fixes

**IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM Integration Bus fo r z/OS **

Affected Product(s)| Version(s)| APAR| Remediation / Fixes
—|—|—|—
IBM Integration Bus for z/OS| 10.1.0.0 – 10.1.0.5| PH66124| Interim Fix for APAR (PH66124) is available on z/OS only to apply to 10.1.0.5 from IBM Fix Central

## Workarounds and Mitigations

None

##