IBM Support

PI51640: NEW FUNCTION (TRACKING NUMBER R007, R008, R009)

A fix is available

APAR status

  • Closed as new function.

Error description

  • New function (tracking number R007, R008, R009)
    KEYWORDS: HCHECKER/K
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * All users of the IBM Communications Server for z/OS Version  *
    * 2 Release 1 and 2: FTP Server, MVRSHD, SMTPD, SNMP Agent     *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * New Function to provide support for three new IBM Health     *
    * Checker for z/OS application health checks:                  *
    * CSAPP_MVRSHD_RHOSTS_DATA, CSAPP_SMTPD_MAIL_RELAY, and        *
    * CSAPP_SNMPAGENT_PUBLIC_COMMUNITY                             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply PTF                                                    *
    ****************************************************************
    New Function to introduce three IBM Health Checker for z/OS
    application health checks to identify the following:
    - MVRSHD server is active and whether RSH clients are using
    RHOSTS.DATA datasets for authentication
    - SMTP server is configured as a mail relay
    - SNMP agent is configured with a community name of public
    

Problem conclusion

  • IBM suggests avoiding the use of MVRSHD servers.  The MVRSHD
    server supports the RSH and REXEC protocols, which transfer user
    ID and password information in the clear.  There is also the
    potential of weak authentication for RSH clients using
    RHOSTS.DATA datasets.  This authentication method allows remote
    command execution without requiring the RSH client to supply a
    password.
    
    IBM suggests that the INBOUNDOPENLIMIT configuration statement
    be set to 0 for SMTP servers.  Setting the INBOUNDOPENLIMIT
    statement to a valid non-zero value causes the SMTP server to
    open a listening port and implicitly become exploitable by
    remote users as a mail relay.
    
    IBM suggests not configuring a community name of public, nor
    permitting the SNMP agent to use the default community name of
    public.  Because the SNMP community name of public is a
    well-known name, it should not be used with community-based
    security.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI51640

  • Reported component name

    TCP/IP V3 MVS

  • Reported component ID

    5655HAL00

  • Reported release

    210

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2015-10-30

  • Closed date

    2016-04-14

  • Last modified date

    2017-01-25

  • APAR is sysrouted FROM one or more of the following:

    PI51636

  • APAR is sysrouted TO one or more of the following:

    UI37013 UI37014

Modules/Macros

  • EZASNSTH EZABB01X EZASNAVA EZASNAC3 EZBSNMPA EZASNAA3 EZAFTPDM
    EZAAD0XI EZBSNMP6 EZBSNMPX EZASNSCM EZAAD0YO EZBRCRD  EZASNLMG
    

Fix information

  • Fixed component name

    TCP/IP V3 MVS

  • Fixed component ID

    5655HAL00

Applicable component levels

  • R220 PSY UI37014

       UP16/04/29 P F604

  • R210 PSY UI37013

       UP16/04/29 P F604

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Document information

More support for: z/OS family

Software version: 210

Reference #: PI51640

Modified date: 25 January 2017