IBM Support

OA50122: NEW FUNCTION (TRACKING NUMBER R007, R008, R009)

A fix is available

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as new function.

Error description

  • New function
    KEYWORDS: HCHECKER/K
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users of the IBM Communications Server for z/OS Version  *
    * 2 Release 1 and 2: MVRSHD, SMTPD, SNMP Agent                 *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * New Function to provide support for three new z/OS Health    *
    * Checker Application                                          *
    * health checks, CSAPP_MVRSHD_RHOSTS_DATA,                     *
    * CSAPP_SMTPD_MAIL_RELAY,                                      *
    * and CSAPP_SNMPAGENT_PUBLIC_COMMUNITY                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply PTF                                                    *
    ****************************************************************
    New Function to introduce three z/OS Health Checker
    Application health checks to identify the following:
    - MVRSHD server is active and whether RSH clients are using
    RHOSTS.DATA datasets for authentication
    - SMTP server is configured as a mail relay
    - SNMP agent is configured with a community name of public
    

Problem conclusion

  • IBM suggests avoiding the use of MVRSHD servers.  The MVRSHD
    server supports the RSH and REXEC protocols which transfer user
    ID and
    password information in the clear.  There is also the potential
    of weak
    authentication for RSH clients using RHOSTS.DATA datasets.  This
    
    authentication method allows remote command execution without
    requiring
    the RSH client to supply a password.
    
    IBM suggests that the INBOUNDOPENLIMIT configuration statement
    be set to 0 for SMTP servers.  Specifying the INBOUNDOPENLIMIT
    statement to a valid non-zero value causes the SMTP server to
    open a listening port and implicitly become exploitable by
    remote
    users as a mail relay.
    
    IBM suggests not configuring a community name of public, nor
    permitting the SNMP agent to use the default community name of
    public.  Because the SNMP community name of public is a
    well-known
    name, it should not be used with community-based security due to
    
    security considerations.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA50122

  • Reported component name

    VTAM V4 MVS/ESA

  • Reported component ID

    569511701

  • Reported release

    210

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2016-03-14

  • Closed date

    2016-04-13

  • Last modified date

    2017-01-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA81331 UA81332

Modules/Macros

  • ISTHCAC1 ISTHCMSG ISTHCCRD ISTHCCK2 ISTHCDAT ISTHCIUT
    

Fix information

  • Fixed component name

    VTAM V4 MVS/ESA

  • Fixed component ID

    569511701

Applicable component levels

  • R210 PSY UA81331

       UP16/05/03 P F605

  • R220 PSY UA81332

       UP16/05/03 P F605

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: z/OS family

Software version: 210

Reference #: OA50122

Modified date: 25 January 2017