Ray, PMFJI here, but as a regular application programmer (not a sysprog) I do not understand how the FTP JES option allowed is a configuration vulnerability.
Isn't the FTP JES option one of the ways that the IBM z/OS and CICS Explorer Eclipse-based products (and maybe other ISV Eclipse GUIs) provide to let you submit and review the results of compile and program test and bundle transmission jobs? If my FTP submitted jobs must have my userid+1 as the job name and my userid access is properly controlled by the ESM, how is that vulnerable? IOW, how is FTP JES submission any different from TSO SUBMIT?

Peter

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Ray Overby
Sent: Tuesday, May 28, 2019 11:44 AM
To: [email protected]
Subject: Re: Fwd: Just how secure are mainframes? | Trevor Eddolls

This discussion on mainframe vulnerabilities has unfortunately broken down. I have been talking to mainframe people about vulnerabilities for the last 12 years. I have talked with people just like Bill Johnson. My discussions went just like this discussion did. The problem (as I saw it) was that discussing a “mainframe vulnerability” is too ambiguous. The discussion needs to be more specific. This led to categorizing vulnerabilities. When the vulnerabilities were categorized (which also defined their capabilities BUT does not allow the hacker to generate an exploit) the discussions evolved to the point that not only did the mainframe people better understand the vulnerabilities and their associated risk but also allowed C level, managers, Auditors, Security, Pen testers, and Risk people to understand and participate in the vulnerability discussions.

For example, you can classify mainframe vulnerabilities based upon their source – configuration or code based. Classifying the vulnerability eliminates ambiguities that are inherent when you don’t classify. It is these ambiguities that can cause the discussion to break down.
For example, how would the discussion have changed if the vulnerabilities under discussion were classified as follows:

-Configuration based vulnerabilities
* APF authorized data sets not adequately protected
* SMP/E data sets not adequately protected
* FTP anonymous allowed
* FTP JES option allowed
* Outgoing TCPIP traffic not protected

-Code based vulnerabilities
* Storage alteration
* Trap door
* System Instability

<Snipped>
