Opened an IBM services request, but they told me to come here (the PMR is 335599,442,000). We ran Security Vulnerability scans on our mainframe & we are getting errors on the port that the TADz online monitor uses. The error we are getting is: "Web Server/Web Application Vulnerable to Cross-Site Scripting Attacks port 9000"
We currently use V7.5 on ZOS 112. We are using internal security & are under the understanding that the message is happening because of the internal security. A couple of questions:
1) Is the understanding correct? Is using internal security the reason for this vulnerability?
2) Will the new version of TADz just released (V8.1) correct this?
3) Is there an alternative way to correct this issue besides using external security (RACF, etc.)? If we have to convert to external security, that is a large project for us.
Pinned topic TADz receives error when Vulnerability scans run - Need Help/Advice
Updated on 2013-03-08T06:42:02Z by SystemAdmin
PatCole (270000PGET31)
Re: TADz receives error when Vulnerability scans run - Need Help/Advice (2013-02-26T21:01:22Z) - This is the accepted answer.
I am not familiar with the terms INTERNAL and EXTERNAL. The product options are BASIC and SYSTEM. Are you using BASIC? I am not aware of this problem at our site. We use RACF security.
Re: TADz receives error when Vulnerability scans run - Need Help/Advice (2013-03-04T21:31:31Z)
Hi,
Firstly, I would recommend that you use RACF or ACF2 as your security system. The internal BASIC security is only meant to be used to get up and running with using Analyzer. These scanning tools will always assume the worst, which is good, but we have systems in place that will stop attacks against the Analyzer from external ports. We will shut these external ports down from accessing Analyzer. So I would change to RACF or ACF2 ASAP, as these security systems are the best around.
Re: TADz receives error when Vulnerability scans run - Need Help/Advice (2013-03-05T12:49:58Z)
- SystemAdmin 110000D4XK
Since there are not any responses besides your suggestion, I am assuming there is nothing that can be done. If "basic" security isn't adequate, then that should be stated in the doc.
To the other question above - as mentioned here - we are using BASIC security.
Basic - Internal security being used now (IDs and passwords in a dataset)
System - External security (not implemented, RACF)
TADz is only used by one dept here & a couple of managers.
Re: TADz receives error when Vulnerability scans run - Need Help/Advice (2013-03-08T06:42:02Z)
- SystemAdmin 110000D4XK
This "accepted wisdom" does not mean that there actually is an exposure that can be exploited, but that the checking software has been coded to issue the quoted message until the security-package tick-in-the-box is present.
If you run software to check that you have crossed all the 't's and dotted all the 'i's, then don't be surprised when it issues messages when you have not done so. And of course we expect the message text to highlight the worst-case scenario that can flow from the exposure (which may or may not exist), so no one can claim that they were not warned.
That's how I'd take it, anyway.
Happy software configuring!