
MSF SECURE/NOSECURE security vulnerability in OPS;4.3


Article ID: 189308


Products

OPS/MVS Event Management & Automation

Issue/Introduction

As there is no target security authorisation checking done yet for cross-system MSF actions in OPS/MVS, we have protected our production systems from unauthorised actions from test systems by defining the MSF links to test systems as NOSECURE in our production systems.

So, on PROD system, the MSF link to test system is defined as NOSECURE.

But, we noticed that via OPS;4.3, we are still able to cancel an OSF server from a test LPAR on a PROD system.
We would have expected that this operation is seen as an UPDATE action and therefore wouldn't be granted due to the NOSECURE implementation...

 

Environment

Release : 13.5 and below

Component : OPS/MVS

Resolution

This area of code is to be addressed with the design change to use the target system userid security credentials. This change in cross-system security functionality will be coming in the next release of OPS/MVS.  
For r13.5 and below, refer to the documentation section titled "Security Considerations 2" for further information.