The TPX team has published the TPX Session Management 5.4 Vulnerability notice. How can I check whether a TPX instance is impacted?
Release: 5.4
Component: TPX for Z/OS
PTF LU10629 (since marked in error) and its corrective PTF LU18021 were introduced to mitigate the potential security risk caused by new messages returned from an External Security Manager (ESM) during TPX signon. They do this by adding extra messages and return codes to the list and by changing the default message entry (#DFLTMSG) action from A (allow) to R (reject).
Some background information about the SAMT:
- TOPS, RACF and SAF use 'Return Codes' for authentication.
- ACF2 uses 'Message Ids' for authentication.
In the SAMT (reached through SMRT option 8):
Return Code/Message ID - This column holds the return code or message ID that the security system returns.
Entries starting with:
- '#' are Message IDs
- no '#' are Return Codes
If a message or return code is not listed in the SAMT, TPX follows the action of the matching default entry:
#DFLTMSG: for messages
#DFLTRC: for return codes
These are the options available to be used under the ACTION column:
A - TPX allows the user to continue with the sign-on.
R - TPX rejects the user's attempt to sign-on and displays any messages at the TPX logo panel.
P - TPX reprompts the user for logon information.
L - TPX logs off the terminal, returning it to VTAM.
Note: if the ACTION column is blank, TPX behaves as if it were 'R' (Reject).
To check whether a region is impacted, look at the ACTION of #DFLTMSG in each live SAMT. If it is blank (or already 'R'), unlisted ESM messages are rejected and the region is NOT impacted by this vulnerability; if it is 'A', unlisted messages are allowed through and the region is impacted. Rather than leaving the field blank, the best practice for both #DFLTMSG and #DFLTRC is to specify an explicit action of 'R' and the cursor position SNUSERV.
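The following is an added example, not part of the original article or of TPX itself. It models the SAMT lookup rules described above (a '#' prefix marks a message ID, anything else is a return code, unlisted entries fall back to #DFLTMSG or #DFLTRC, and a blank action behaves like 'R') and runs the impact check against a constructed, pre-PTF SAMT and a corrected one. The flat "entry action" text format, the '*' comment marker and the sample entries are assumptions made for the example; the real SAMT lives in the TPX administration panels (SMRT option 8), so in practice you would transcribe the #DFLTMSG and #DFLTRC rows from each live table.

```python
"""Emulate TPX SAMT action resolution and the #DFLTMSG impact check.

Added example; the text-form SAMT below is a constructed stand-in for the
TPX panel and is not a TPX file format.
"""
from typing import Dict, List

DEFAULT_MSG = "#DFLTMSG"   # default entry for message IDs (ACF2 style)
DEFAULT_RC = "#DFLTRC"     # default entry for return codes (RACF/TOPS/SAF style)
VALID_ACTIONS = {"A", "R", "P", "L"}  # allow, reject, reprompt, logoff


def parse_samt(listing: str) -> Dict[str, str]:
    """Parse constructed 'entry action' lines into {entry: action}.

    A missing action is kept as '' (blank). Lines after '*' are comments
    (assumption of this example, not TPX syntax).
    """
    table: Dict[str, str] = {}
    for raw in listing.splitlines():
        line = raw.split("*", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].upper()
        action = parts[1].upper() if len(parts) > 1 else ""
        if action and action not in VALID_ACTIONS:
            raise ValueError(f"{key}: unknown ACTION {action!r}")
        table[key] = action
    return table


def resolve_action(table: Dict[str, str], token: str) -> str:
    """Return the effective action for one ESM message ID or return code.

    Explicit entries win; otherwise '#'-prefixed tokens fall back to
    #DFLTMSG and plain return codes to #DFLTRC. A blank (or missing) action
    behaves like 'R', as the article states.
    """
    key = token.upper()
    if key in table:
        action = table[key]
    elif key.startswith("#"):
        action = table.get(DEFAULT_MSG, "")
    else:
        action = table.get(DEFAULT_RC, "")
    return action or "R"


def default_message_exposed(table: Dict[str, str]) -> bool:
    """True when an unlisted ESM message would be allowed (#DFLTMSG = 'A')."""
    return table.get(DEFAULT_MSG, "") == "A"


def impacted_samts(samts: Dict[str, str]) -> List[str]:
    """Names of the live SAMTs (e.g. RACF, TOPS, SAF, ACF2) that are impacted."""
    return [name for name, text in samts.items()
            if default_message_exposed(parse_samt(text))]


# Constructed sample tables. Entry names and codes are placeholders.
SAMT_PRE_PTF = """
* pre-LU18021 style: unlisted messages are allowed through
0            A   * return code 0: signon OK
8            R   * return code 8: credentials rejected
#SAMPLE001   A   * a known informational message
#DFLTMSG     A   * <-- the exposed default
#DFLTRC          * blank: behaves like R
"""

SAMT_CORRECTED = """
0            A
8            R
#SAMPLE001   A
#DFLTMSG     R   * explicit reject, as recommended
#DFLTRC      R
"""

if __name__ == "__main__":
    live = {"RACF": SAMT_PRE_PTF, "ACF2": SAMT_CORRECTED}
    print("impacted:", impacted_samts(live))
    print("unlisted msg on pre-PTF table ->",
          resolve_action(parse_samt(SAMT_PRE_PTF), "#NEWMSG999"))
```

Running the module flags the pre-PTF table and shows that an unlisted message ID resolves to 'A' there but to 'R' on the corrected table; the same call with an unlisted return code resolves to 'R' on both, because a blank #DFLTRC already rejects.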
In addition, it is strongly recommended to:
- Apply PTF LU18021 so that the sample library member hlq.CB0VDATV(ADMIN1) is updated with the new values, message IDs and return codes.
- Follow the steps described in the TPX Session Management 5.4 Vulnerability notice to manually add the messages, return codes and values to the live SAMTs (RACF, TOPS, SAF and ACF2). The PTF only updates the sample library (for reference) and does not change the live tables.