MSF SECURE/NOSECURE security vulnerability in OPS;4.3


Article ID: 189308


Updated On:


OPS/MVS Event Management & Automation


As there is no target security authorisation checking done yet for cross-system MSF actions in OPS/MVS, we have protected our production systems from unauthorised actions from test systems by defining the MSF links to test systems as NOSECURE in our production systems.

So, on PROD system, the MSF link to test system is defined as NOSECURE.

But we noticed that via OPS;4.3, we are still able to cancel an OSF server from a test LPAR on a PROD system.
We would have expected that this operation is seen as an UPDATE action and therefore wouldn't be granted due to the NOSECURE implementation...



Release : 13.5 and below

Component : OPS/MVS


This area of code is to be addressed by a design change that uses the target system userid's security credentials. This change in cross-system security functionality will be coming in the next release of OPS/MVS.
For r13.5 and below, refer to the documentation section titled Security Considerations 2 for further information.