A fix is available
APAR status
Closed as new function.
Error description
New function (tracking number R007, R008, R009) KEYWORDS: HCHECKER/K
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:                                              *
* All users of the IBM Communications Server for z/OS Version  *
* 2 Release 1 and 2: FTP Server, MVRSHD, SMTPD, SNMP Agent     *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* New Function to provide support for three new IBM Health     *
* Checker for z/OS application                                 *
* health checks, CSAPP_MVRSHD_RHOSTS_DATA,                     *
* CSAPP_SMTPD_MAIL_RELAY,                                      *
* and CSAPP_SNMPAGENT_PUBLIC_COMMUNITY                         *
****************************************************************
* RECOMMENDATION:                                              *
* Apply PTF                                                    *
****************************************************************
New Function to introduce three IBM Health Checker for z/OS application health checks to identify the following:
- MVRSHD server is active and whether RSH clients are using RHOSTS.DATA datasets for authentication
- SMTP server is configured as a mail relay
- SNMP agent is configured with a community name of public
Problem conclusion
IBM suggests avoiding the use of MVRSHD servers. The MVRSHD server supports the RSH and REXEC protocols, which transfer user ID and password information in the clear. There is also the potential of weak authentication for RSH clients using RHOSTS.DATA datasets. This authentication method allows remote command execution without requiring the RSH client to supply a password.

IBM suggests that the INBOUNDOPENLIMIT configuration statement be set to 0 for SMTP servers. Setting the INBOUNDOPENLIMIT statement to a valid non-zero value causes the SMTP server to open a listening port and implicitly become exploitable by remote users as a mail relay.

IBM suggests not configuring a community name of public, nor permitting the SNMP agent to use the default community name of public. Because the SNMP community name of public is a well-known name, it should not be used with community-based security.
Temporary fix
Comments
APAR Information
APAR number
PI51640
Reported component name
TCP/IP V3 MVS
Reported component ID
5655HAL00
Reported release
210
Status
CLOSED UR1
PE
NoPE
HIPER
NoHIPER
Special Attention
YesSpecatt / New Function / Xsystem
Submitted date
2015-10-30
Closed date
2016-04-14
Last modified date
2017-01-25
APAR is sysrouted FROM one or more of the following:
PI51636
APAR is sysrouted TO one or more of the following:
UI37013 UI37014
Modules/Macros
EZASNSTH EZABB01X EZASNAVA EZASNAC3 EZBSNMPA EZASNAA3 EZAFTPDM EZAAD0XI EZBSNMP6 EZBSNMPX EZASNSCM EZAAD0YO EZBRCRD EZASNLMG
Fix information
Fixed component name
TCP/IP V3 MVS
Fixed component ID
5655HAL00
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
25 January 2017