A fix is available
APAR status
Closed as program error.
Error description
PE Information:

Users Affected: This processing was introduced with APAR OA43999, PTFs UA90719, UA90720 and UA90721 for HRF7770, HRF7780 and HRF7790 respectively.

User Impact: When RUN=NO is specified on ICHEACTN for the PASSWORD, PHRASE, OLDPSWDS or OLDPHRES field there is the possibility of an ABEND or overlay due to processing the input field early in RACF Manager processing.

The specific issues to be addressed:
1) Attempts to process password/phrase data when RUN=NO specified.
2) Missing length checking on password or phrase, may encrypt more than what will fit in target buffer.
3) Will try to encrypt unknown data on a DELETE request.

APAR OA43999 implemented the desired function but introduced a new problem. If KDFAES is active and users have KDFAES encrypted passwords or phrases, do not back off the original PTF. Doing so could prevent users from accessing the system.
Local fix
Problem summary
USERS AFFECTED: Users who run programs which make calls to the RACF ICHEINTY service which contain ICHEACTN requests which perform one of the following actions on a password, password phrase or history field.
1. specify RUN=NO.
2. delete the field.
3. Specify data in excess of 100 bytes.

PROBLEM DESCRIPTION:

RECOMMENDATION:

If an ICHEACTN specifies the RUN=NO option, an attempt may still be made to hash the password, phrase or history data specified in the ICHEACTN request. If RUN=NO is specified, it is possible that the ICHEACTN contains invalid data pointer and data length information, because the program which sets RUN=NO may not have set a valid data pointer and length. Because RUN=NO was specified, RACF should not try to hash the data.

When RUN=YES, RACF fails to perform adequate length checking of the input password, password phrase and history data prior to hashing the data in certain cases.

RACF also fails to properly detect a DELETE request for password, password phrase or history data and may attempt to hash arbitrary data on a DELETE request.
Problem conclusion
RACF properly recognizes the RUN=NO and DELETE options on ICHEACTN and is careful to not attempt to hash any data when RUN=NO or DELETE is specified. RACF also adds some additional length checking on password, password phrase and history data when hashing.
Temporary fix
HIPER
Comments
APAR Information
APAR number
OA46777
Reported component name
RACF
Reported component ID
5752XXH00
Reported release
780
Status
CLOSED PER
PE
Yes
HIPER
Yes
Special Attention
No
Submitted date
2014-12-16
Closed date
2015-01-23
Last modified date
2015-03-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA76136 UA76138 UA76137
Modules/Macros
IRRMAF00
Fix information
Fixed component name
RACF
Fixed component ID
5752XXH00
Applicable component levels
R770 PSY UA76136
UP15/02/04 P F502
R780 PSY UA76137
UP15/02/04 P F502
R790 PSY UA76138
UP15/02/04 P F502
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 March 2015