A fix is available
APAR status
Closed as new function.
Error description
New function KEYWORDS: HCHECKER/K
Local fix
Problem summary
USERS AFFECTED:
All users of the IBM Communications Server for z/OS Version 2 Release 1 and 2: MVRSHD, SMTPD, SNMP Agent

PROBLEM DESCRIPTION:
New Function to provide support for three new z/OS Health Checker Application health checks, CSAPP_MVRSHD_RHOSTS_DATA, CSAPP_SMTPD_MAIL_RELAY, and CSAPP_SNMPAGENT_PUBLIC_COMMUNITY

RECOMMENDATION:
Apply PTF

New Function to introduce three z/OS Health Checker Application health checks to identify the following:
- MVRSHD server is active and whether RSH clients are using RHOSTS.DATA datasets for authentication
- SMTP server is configured as a mail relay
- SNMP agent is configured with a community name of public
Problem conclusion
IBM suggests avoiding the use of MVRSHD servers. The MVRSHD server supports the RSH and REXEC protocols, which transfer user ID and password information in the clear. There is also the potential for weak authentication of RSH clients that use RHOSTS.DATA datasets: this authentication method allows remote command execution without requiring the RSH client to supply a password.

IBM suggests that the INBOUNDOPENLIMIT configuration statement be set to 0 for SMTP servers. Setting the INBOUNDOPENLIMIT statement to a valid non-zero value causes the SMTP server to open a listening port and implicitly become exploitable by remote users as a mail relay.

IBM suggests not configuring a community name of public, nor permitting the SNMP agent to use the default community name of public. Because public is a well-known SNMP community name, it should not be used with community-based security.
Temporary fix
Comments
APAR Information
APAR number
OA50122
Reported component name
VTAM V4 MVS/ESA
Reported component ID
569511701
Reported release
210
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2016-03-14
Closed date
2016-04-13
Last modified date
2017-01-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA81331 UA81332
Modules/Macros
ISTHCAC1 ISTHCMSG ISTHCCRD ISTHCCK2 ISTHCDAT ISTHCIUT
Fix information
Fixed component name
VTAM V4 MVS/ESA
Fixed component ID
569511701
Applicable component levels
Fix is available
Document Information
Modified date:
25 January 2017