GETENTRY exposes old passwords

Article ID: 111422

Products

CA VM:Secure for z/VM

Issue/Introduction

GETENTRY without the undocumented WITHPASS option masks the current passwords on the USER, IDENTITY, and MDISK statements and removes the *PW00= record, but it leaves the old password history records (*PW01=, *PW02=, etc.) intact in the returned entry. It should scrub all password history statements unless WITHPASS is used.

Environment

Release:
Component: VMX

Resolution

VM:Secure PTF SO05000 corrects this problem/exposure.
GETENTRY now correctly removes all password history records (*PWnn=) from the returned directory entry, whereas previously only the record(s) for the current password (*PW00=) were removed.
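The following Python snippet is an added illustration, not code from VM:Secure or from this article. It shows the difference between the pre-PTF behaviour (only *PW00= removed) and the corrected behaviour (every *PWnn= record removed), and gives a simple audit check an administrator can run over GETENTRY output to confirm that no password history records are still present. The directory entry text is constructed; the *PWnn= record values are placeholders, since the actual contents of those records are not documented in this article.

```python
import re

# Constructed sample of a directory entry as GETENTRY (without WITHPASS)
# returned it before PTF SO05000: the current passwords on USER and MDISK
# are masked and the *PW00= record is gone, but *PW01= and *PW02= remain.
# The *PWnn= values are placeholders, not real VM:Secure record contents.
SAMPLE_PRE_PTF = """\
USER TESTUSR XXXXXXXX 64M 128M G
*PW01=<placeholder-history-1>
*PW02=<placeholder-history-2>
 IPL CMS
 MDISK 0191 3390 100 10 VOL001 MR XXXXXXXX XXXXXXXX
"""

# Matches any VM:Secure password history record: *PW00=, *PW01=, ... *PWnn=
# (leading whitespace tolerated so the check is not defeated by indentation).
PW_RECORD = re.compile(r"^\s*\*PW(\d{2})=")


def password_history_records(entry: str) -> list[str]:
    """Return every *PWnn= record still present in a directory entry text."""
    return [line for line in entry.splitlines() if PW_RECORD.match(line)]


def scrub_password_history(entry: str) -> str:
    """Remove all *PWnn= records, matching what GETENTRY does after SO05000.

    Everything else in the entry (USER, IPL, MDISK, ...) is preserved as-is.
    """
    kept = [line for line in entry.splitlines() if not PW_RECORD.match(line)]
    return "\n".join(kept) + "\n"


def has_leftover_history(entry: str) -> bool:
    """Audit check: True if any password history record is still in the entry.

    Run this over the output of GETENTRY (without WITHPASS) to confirm the
    PTF is in effect; a True result means the old passwords are exposed.
    """
    return bool(password_history_records(entry))


if __name__ == "__main__":
    print("pre-PTF leftover records:", password_history_records(SAMPLE_PRE_PTF))
    scrubbed = scrub_password_history(SAMPLE_PRE_PTF)
    print("after scrub, leftover history:", has_leftover_history(scrubbed))
    print(scrubbed)
```

Running the script shows the two leftover *PW01=/*PW02= records in the pre-PTF sample and an entry with no password history at all after scrubbing; the same `has_leftover_history` check can be applied to real GETENTRY output saved to a file.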


Additional Information

When a REPENTRY is done for the entry obtained with GETENTRY, all password history records are restored to the replaced entry from the original copy of the entry on the VM:Secure directory disk (1B0), so the existing password history maintained by VM:Secure remains intact for the entry.
If *PWnn= records exist in the replacement copy of the entry, they are removed and replaced by the information from the 1B0 copy.