GETENTRY without the undocumented WITHPASS option masks the current passwords on the USER, IDENTITY, and MDISK statements, and removes the *PW00= record, but it leaves the old password records (*PW01=, *PW02=, etc) intact. It should scrub the password history statements unless WITHPASS is used.
Release: Component: VMX
VM:Secure PTF SO05000 corrects this problem/exposure. GETENTRY now correctly removes all password history records (*PWnn=) from the returned directory entry, whereas previously only the record(s) for the current password (*PW00=) were removed.
When/if REPENTRY is done for the GETENTRY item, any/all password history records are restored to the replaced entry from the original copy of the entry on the VM:Secure directory disk (1B0), so the existing password history (maintained by VM:Secure) remains intact for the entry. If *PWnn records exist in the replacement copy of the entry, they are removed and replaced by the information on the 1B0.