I have no highfalutin wisdom to share, but our experience was different. Our 
highly attentive and connected IBM Client Technical Specialist (CTS) 
directly emailed us sysprogs the day after Xmas. I was on vacation at the 
time, but my colleague Tom Brennan pulled the PTFs, installed them, 
migrated them to the sandbox for checkout, and had the new level ready for 
the scheduled weekly IPL of our development sysplex. That level will now 
migrate to production at the next scheduled opportunity. Done and done. 

We have nothing to complain about. 
JO.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
626-302-7535 Office
323-715-0595 Mobile
jo.skip.robin...@sce.com



From:   "Knutson, Sam" <sknut...@geico.com>
To:     IBM-MAIN@LISTSERV.UA.EDU, 
Date:   01/06/2013 07:02 PM
Subject:        Re: Security vulnerability in IBM HTTP Server for z/OS 
Version 5.3 (PM79239)
Sent by:        IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU>



Strangely enough, the only thing I found to complain about in this incident 
was the private notifications by phone/email to (in our case and, I expect, 
a non-trivial percentage) incorrect management contacts for the 
corporation on a holiday week. These notifications provided details 
including APAR numbers and descriptions which by policy IBM does not make 
visible in IBMLink, and resulted in a great deal of stump pounding and 
wasted time, but did not actually tell us anything we had not already been 
notified of through automated email by previously having followed the 
documented procedure. The notice, which I expect was inconsistent, being 
made by many different IBMers on a holiday week in much of the world, 
generated frustration at some sites including mine.

IBM has been advertising that customers should sign up for the Security 
Portal for some time in public including at SHARE and z University. 
I am signed up and get email notifications when new alerts and files are 
posted.  It works.

The recent arrival of an APAR with a higher than previously seen CVSS 
score triggered activity that was not the expected procedure.  My only 
questions to IBM on this will be what the procedure is and has it changed. 
 My feeling was that someone called an audible.   If there is a procedure 
to proactively contact sites when Alerts with a CVSS score higher than n 
are posted I would like to know this and have the opportunity to maintain 
our contact preference for that in ResourceLink.  If there is to be a 
notification I would prefer it to have been simply "IBM has recently 
posted important security patches for z/OS please verify that your company 
has signed up for the System z Security Portal and reviewed them". Perhaps 
the separate approval process for the security portal could be eliminated 
or streamlined and simply allow any SR/ResourceLink user with access to a 
current entitlement to view the alerts for those entitlements. I don't 
know if that is feasible, but I do recall that not that many years ago we 
had nothing: there was no way to find out what the APARs/PTFs were other 
than by bumping into them. So evolution here is possible.

The portal provides HOLDDATA/SOURCEID to allow you to check on missing 
Security and Integrity fixes on a regular basis and to verify that as part 
of your preventative service you have included all the current fixes if 
you wish to do so. It works. It ensures that only authenticated 
customers can easily get the list of security and integrity fixes, which is 
an interesting starting point for someone trying to engineer an exploit. 

Many large companies have weighed in with IBM that given the sometimes 
slower patch/service cycle on the mainframe and the focus on stability 
instead of quick patching they don't want any changes by IBM to a full 
disclosure or a greater level of disclosure than what is already provided. 
If IBM asked me today what the business wants I would reaffirm that. You 
need to look hard in the mirror and think: as a technical guy I want to 
know everything, but what does my chief security officer want? What does 
my CIO/CEO want?

There may be opportunities to improve but I will say as someone who has 
opened Integrity APARs and seen IBM methodology discussed and in action to 
provide OS Integrity I think they do an industry leading job. It would be 
nice if you could download the security information completely automated 
on z/OS using a certificate or userid/password so you didn't have to get 
it as a human using a browser at the portal. There are opportunities to 
improve.

Security and Integrity fixes are not HIPER; they are different, and whether 
you want to push them out at the same rate as defects which are 
potentially impacting availability is best left to the customer. The 
current process lets you do that by not incorrectly marking them HIPER. 

IMHO every Security/Integrity Alert should not be a Red Alert, they should 
not be flagged HIPER, and IBM should never be in the business of stabbing 
into customer sites, calling and emailing that the sky is falling, when there 
are documented channels to get this information. In this case a Red Alert 
might have been a good alternative, since they chose to deviate from the 
normal process; at least that would have been likely to reach the right 
audience in a timely fashion. I agree with you that every site should be 
signed up for Red Alerts and Security Alerts and, of course, trumpets: there 
should have been trumpets. 

That's my .02. 

        Best Regards, 

                Sam Knutson, GEICO 
                System z Team Leader 
                mailto:sknut...@geico.com 
                (office)  301.986.3574 
                (cell) 301.996.1318    
          
"Think big, act bold, start simple, grow fast..." 
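The regular check Sam describes above (RECEIVE the HOLDDATA from the Security Portal, then ask SMP/E which security/integrity PTFs are still missing) looks roughly like the job below. This is an added example, not code from the original post or from IBM's portal documentation. The CSI and HOLDDATA dataset names, the target zone name ZOSTGT1 and the SOURCEID value SECINT are all assumptions: use the names of your own SMP/E environment and the SOURCEID that the portal's data actually assigns to the security/integrity PTFs.

```jcl
//SECCHK   JOB (ACCT),'SEC/INT FIX CHECK',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the original post or from IBM.
//* SMPE.GLOBAL.CSI, SECINT.HOLDDATA, zone ZOSTGT1 and SOURCEID SECINT
//* are assumed names; substitute your own values and the SOURCEID
//* named in the portal's download.
//*
//* Step 1: receive the HOLDDATA downloaded from the Security Portal
//*         into the global zone. The PTFs themselves must already
//*         have been RECEIVEd (e.g. from your normal service order)
//*         for the check in step 2 to report them.
//*
//RECHOLD  EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DSN=SMPE.GLOBAL.CSI,DISP=SHR
//SMPHOLD  DD DSN=SECINT.HOLDDATA,DISP=SHR
//SMPCNTL  DD *
  SET BOUNDARY(GLOBAL).
  RECEIVE HOLDDATA.
/*
//*
//* Step 2: APPLY CHECK against the target zone, selecting only the
//*         SYSMODs that carry the security/integrity SOURCEID.
//*         CHECK installs nothing; the SMPRPT output lists what
//*         would be applied, i.e. the security/integrity fixes this
//*         target zone is still missing. GROUPEXTEND pulls in any
//*         requisite PTFs so the report shows the full install set.
//*
//APPLYCHK EXEC PGM=GIMSMP,REGION=0M
//SMPCSI   DD DSN=SMPE.GLOBAL.CSI,DISP=SHR
//SMPCNTL  DD *
  SET BOUNDARY(ZOSTGT1).
  APPLY CHECK
        SOURCEID(SECINT)
        GROUPEXTEND
        BYPASS(HOLDSYSTEM).
/*
```

Run it against each target zone (development sysplex first, production later, as Skip describes) and review SMPRPT: a report that selects no SYSMODs means the zone already has every PTF with that SOURCEID, while anything listed is a fix that is RECEIVEd but not yet APPLYed. BYPASS(HOLDSYSTEM) only stops SYSTEM holds from masking the list in this check run; an actual APPLY should still resolve those holds the normal way.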


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On 
Behalf Of R.S.
Sent: Saturday, January 05, 2013 10:25 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Security vulnerability in IBM HTTP Server for z/OS Version 
5.3 (PM79239)

I agree that every z/OS customer should be signed up for both portals, 
but... HOW WOULD A CUSTOMER LEARN ABOUT IT?

Let's imagine: a company buys a mainframe and hires people; the people get some 
training (JCL, z/OS, SMP/E, many, many more...). Those people are willing 
to learn, so they read documentation and start using the mainframe.
WHO SHOULD TELL THEM ABOUT THOSE PORTALS?

I think it is up to IBM to urge every customer to sign some employees up 
for the portals. I repeat: EVERY customer.

Every time I hear "you should know this" I ask "did I have a chance to know 
it?".


BTW: I'm signed up for both portals. Red Alert is better, because it notifies 
me by email about news (no details in the mail AFAIR), but the security 
portal does not send notifications. Maybe this is a matter of some 
personalization?


BTW2: We still don't know details about the security hole, but it must 
be a BIG HOLE, because of the methods of communication which were used 
to notify customers about those holes.
Mails, phones; only heralds were not engaged (yet) ;-)))

Regards
-- 
Radoslaw Skorupka
Lodz, Poland


On 2013-01-04 19:35, Peter Relson wrote:
> It is somewhat alarming that several posted that they are not signed up
> for the security portal. Someone also posted that they are signed up for
> red alerts and asked why it was not sent that way.
>
> As I understand it, a red alert was sent out (perhaps this past July)
> stating that the method for sending and alerting about security and
> integrity PTFs is via the security portal. Simply, the security portal is
> the red alert process for security and integrity PTFs.
>
> Perhaps I am oversimplifying, but it seems that every customer should make
> sure that they
> -- are signed up for red alerts
> -- pay attention to those red alerts
> -- sign up for the security portal.
> This should not be new news.
>
> It should be well understood that z/OS provides few if any details on
> integrity APARs.
>
> The PTFs were available via the security portal on December 20. I have no
> information about why they were not found the day after Christmas when
> someone looked at www.ibm.com/support.
> But I'm glad to hear they are there now.
>
> Peter Relson
> z/OS Core Technology Design
>


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
