Topic
  • 4 replies
  • Latest Post - ‏2013-03-08T06:42:02Z by SystemAdmin
SystemAdmin
SystemAdmin
47 Posts

Pinned topic TADz receives error when Vulnerability scans run - Need Help/Advice

‏2013-02-22T15:31:21Z |
Opened an IBM services request, but they told me to come here (the PMR is 335599,442,000). We ran Security Vulnerability scans on our mainframe & we are getting errors on the port that TADz online monitor uses. The error we are getting is: "Web Server/Web Application Vulnerable to Cross-Site Scripting Attacks port 9000"

We currently use V7.5 on ZOS 112. We are using internal security & are under the understanding that the message is happening because of the internal security. A couple of questions:
1) Is the understanding correct? Using internal security is the reason for this vulnerability?
2) Will the new version of TADz just released (V8.1) correct this?
3) Is there an alternative way to correct this issue besides using external security (RACF, etc.)? If we have to convert to external security, that is a large project for us.

Thanks
Updated on 2013-03-08T06:42:02Z by SystemAdmin
  • PatCole
    PatCole
    31 Posts

    Re: TADz receives error when Vulnerability scans run - Need Help/Advice

    ‏2013-02-26T21:01:22Z  
    I am not familiar with the terms INTERNAL and EXTERNAL. The product options are BASIC and SYSTEM. Are you using BASIC? I am not aware of this problem at our site. We use RACF security.
  • SystemAdmin
    SystemAdmin
    47 Posts

    Re: TADz receives error when Vulnerability scans run - Need Help/Advice

    ‏2013-03-04T21:31:31Z  
    Hi,

    Firstly I would recommend that you use RACF or ACF2 as your security system. The internal BASIC security is only meant to be used to get up and running with using Analyzer. These scanning tools will always assume the worst which is good but we have systems in place that will stop attacks against the Analyzer from external ports. We will shut these external ports down from accessing Analyzer. So I would change to RACF or ACF2 ASAP as these security systems are the best around.

    Jim Kyriakakis
  • SystemAdmin
    SystemAdmin
    47 Posts

    Re: TADz receives error when Vulnerability scans run - Need Help/Advice

    ‏2013-03-05T12:49:58Z  
    Appreciate your response. But, we are not in a position at this time to switch to RACF (what we use here). There are a few things up in the air, one being that we may start using TAMIT as the "view" to get in. So until that & some other issues are determined we are holding off. I was hoping there was a 'switch' somewhere in Tadz that needed to be turned on/off.

    Since there are not any responses besides your suggestion, I am assuming there is nothing that can be done. If "basic" security isn't adequate, then that should be stated in the doc.

    Thanks
    To the other question above - as mentioned here - we are using BASIC security.
    Basic - Internal Security being used now (ids and passwords in dataset)
    System - External security (not implemented, RACF)
    Tadz is only used by one dept here & a couple managers.
  • SystemAdmin
    SystemAdmin
    47 Posts

    Re: TADz receives error when Vulnerability scans run - Need Help/Advice

    ‏2013-03-08T06:42:02Z  
    I would interpret the situation as being that the third party port scanner deemed there to be a vulnerability because RACF or ACF2 are not involved, mainly due to the assumption these days that you need a fully-fledged security package actively securing these network access gateways.

    This "accepted wisdom" does not mean that there actually is an exposure that can be exploited, but that the checking software has been coded to issue the message quoted until the security package tick-in-the-box is present.

    If you run software to check that you have crossed all the 't's and dotted all the 'i's then don't be surprised when it issues messages when you have not done so. And of course we expect the message text to highlight the worst-case scenario that can flow from the exposure (which may or may not exist) so no-one can claim that they were not warned.

    That's how I'd take it, anyway.

    Happy software configuring!
    Greg