MSF SECURE/NOSECURE security vulnerability in OPS;4.3
Article ID: 189308
Updated On:
Products
OPS/MVS Event Management & Automation
Issue/Introduction
As there is no target security authorisation checking done yet for cross-system MSF actions in OPS/MVS, we have protected our production systems from unauthorised actions from test systems by defining the MSF links to test systems as NOSECURE in our production systems.
So, on PROD system, the MSF link to test system is defined as NOSECURE.
But, we noticed that via OPS;4.3, we are still able to cancel an OSF server from a test lpar on a PROD system.
We would have expected that this operation is seen as an UPDATE action and therefore wouldn't be granted due to the NOSECURE implementation...
Environment
Release : 13.5 and below
Component : OPS/MVS
Resolution
This area of code is to be addressed with the design change to use the target system userid security credentials. This change in cross-system security functionality will be coming in the next release of OPS/MVS.
For r13.5 and below, refer to the documentation section title Security Considerations 2 for further information.
For r13.5 and below, refer to the documentation section title Security Considerations 2 for further information.
Feedback
Yes
No
Powered by
