Opened an IBM services request, but they told me to come here (the PMR is 335599,442,000). We ran security vulnerability scans on our mainframe and we are getting errors on the port that the TADz online monitor uses. The error we are getting is: "Web Server/Web Application Vulnerable to Cross-Site Scripting Attacks port 9000"
We currently use V7.5 on ZOS 112. We are using internal security and are under the understanding that the message is happening because of the internal security. A couple of questions:
1) Is the understanding correct? Is using internal security the reason for this vulnerability?
2) Will the new version of TADz just released (V8.1) correct this?
3) Is there an alternative way to correct this issue besides using external security (RACF, etc.)? If we have to convert to external security, that is a large project for us.
Pinned topic: TADz receives error when Vulnerability scans run - Need Help/Advice
4 replies. Latest post 2013-03-08T06:42:02Z by SystemAdmin
Updated on 2013-03-08T06:42:02Z by SystemAdmin

PatCole (accepted answer)
Re: TADz receives error when Vulnerability scans run - Need Help/Advice, 2013-02-26T21:01:22Z, in response to SystemAdmin
I am not familiar with the terms INTERNAL and EXTERNAL. The product options are BASIC and SYSTEM. Are you using BASIC? I am not aware of this problem at our site. We use RACF security.
Re: TADz receives error when Vulnerability scans run - Need Help/Advice, 2013-03-04T21:31:31Z, in response to SystemAdmin
Hi,
Firstly, I would recommend that you use RACF or ACF2 as your security system. The internal BASIC security is only meant to be used to get up and running with Analyzer. These scanning tools will always assume the worst, which is good, but we have systems in place that will stop attacks against the Analyzer from external ports. We will shut these external ports down from accessing Analyzer. So I would change to RACF or ACF2 ASAP, as these security systems are the best around.
Re: TADz receives error when Vulnerability scans run - Need Help/Advice, 2013-03-05T12:49:58Z, in response to SystemAdmin
Appreciate your response. But we are not in a position at this time to switch to RACF (what we use here). There are a few things up in the air, one being that we may start using TAMIT as the "view" to get in. So until that and some other issues are determined we are holding off. I was hoping there was a 'switch' somewhere in TADz that needed to be turned on/off.
Since there are not any responses besides your suggestion, I am assuming there is nothing that can be done. If "basic" security isn't adequate, then that should be stated in the doc.
To the other question above: as mentioned here, we are using BASIC security.
Basic - Internal security being used now (IDs and passwords in a dataset)
System - External security (not implemented, RACF)
TADz is only used by one dept here and a couple of managers.
Re: TADz receives error when Vulnerability scans run - Need Help/Advice, 2013-03-08T06:42:02Z, in response to SystemAdmin
I would interpret the situation as being that the third-party port scanner deemed there to be a vulnerability because RACF or ACF2 are not involved, mainly due to the assumption these days that you need a fully-fledged security package actively securing these network access gateways.
This "accepted wisdom" does not mean that there actually is an exposure that can be exploited, but that the checking software has been coded to issue the message quoted until the security package tick-in-the-box is present.
If you run software to check that you have crossed all the 't's and dotted all the 'i's then don't be surprised when it issues messages when you have not done so. And of course we expect the message text to highlight the worst-case scenario that can flow from the exposure (which may or may not exist) so no-one can claim that they were not warned.
That's how I'd take it, anyway.
Happy software configuring!
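The last reply makes the point that a scanner message does not by itself prove an exposure exists. The way a practitioner settles that question for a cross-site scripting finding is to check whether the web application on the flagged port actually echoes untrusted input back into its HTML without encoding. The following is an added example, not code from this thread or from IBM's TADz product; the two request handlers are constructed stand-ins for the port 9000 application (one that reflects a query parameter raw, one that HTML-escapes it), and `reflects_unescaped` is the verification check a defender would run against the real service's responses.

```python
import html
from urllib.parse import parse_qs, quote, urlparse


# Constructed stand-in for a handler that echoes a query parameter into the page
# with no output encoding. This is the behaviour a scanner's XSS message refers to.
def handler_unescaped(path: str) -> str:
    params = parse_qs(urlparse(path).query)
    name = params.get("name", [""])[0]
    return f"<html><body>Hello {name}</body></html>"


# Constructed stand-in for the same handler after the fix: every user-controlled
# value is HTML-escaped (including quotes) before it is placed into markup.
def handler_escaped(path: str) -> str:
    params = parse_qs(urlparse(path).query)
    name = html.escape(params.get("name", [""])[0], quote=True)
    return f"<html><body>Hello {name}</body></html>"


# A benign marker containing the characters that matter for HTML context:
# if these come back verbatim, the application is reflecting input unencoded.
MARKER = "xss<probe>'\"check"


def reflects_unescaped(handler, marker: str = MARKER) -> bool:
    """Return True when the handler echoes the marker with its HTML
    metacharacters intact, i.e. the scanner finding is a real reflection
    rather than a heuristic based on which security package is in place."""
    response_body = handler("/?name=" + quote(marker, safe=""))
    return marker in response_body


def triage() -> dict:
    """Run the check against both constructed handlers and report the verdict."""
    return {
        "unescaped_handler_vulnerable": reflects_unescaped(handler_unescaped),
        "escaped_handler_vulnerable": reflects_unescaped(handler_escaped),
    }


if __name__ == "__main__":
    for name, vulnerable in triage().items():
        print(f"{name}: {'REFLECTS RAW INPUT' if vulnerable else 'encoded correctly'}")
```

Against a live service the same check is made by fetching the flagged URL with the marker in a parameter and inspecting the response body; a marker that comes back with `<`, `>`, `'` and `"` turned into entities (as the escaped handler produces) means the finding is a policy-style warning, while a raw echo means there is a real reflection to fix in the application regardless of whether BASIC or SYSTEM security is configured.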