On Thursday, 07/06/2006 at 04:21 MST, Dave Wade <[EMAIL PROTECTED]> wrote:
> --- "Hughes, Jim - OIT" <[EMAIL PROTECTED]> wrote:
> > Should I be concerned with buffer overrun security
> > exposures?
> 
> Despite what others say I personally have seen buffer
> run security exposures in the VSCS SNA console support
> in VM where it was possible for one user to see
> another's console buffers, so exposing passwords.
> The problem was I believe in VM/SP4 (might have been
> 5) so it's a very long time ago, and once identified it
> was quickly fixed, but it was there. I don't remember
> the exact nature of the problem but it was similar to
> an IP buffer run type issue as it involved passing
> illegal lengths to the SNA *CCS service. We found it
> whilst developing X.25 support. So buffer runs are
> possible on the mainframe.

Naturally no one can claim that there are no bugs in z/VM.  However, z/VM 
5.1 has its Common Criteria EAL3+ evaluation which should give some warm 
fuzzies that (a) an accredited facility has evaluated the security 
characteristics of z/VM according to international standards, and (b) that 
we have an appropriate process to deal with any reported 
security/integrity problem.

There have been (IIRC - it's been a couple of years since I looked) around 
a dozen or so security/integrity APARs against all of VM/XA SP2, VM/ESA, 
and z/VM to date.

We also publish our "Security and Integrity Statement" in the General 
Information manual.

Alan Altmark
z/VM Development
IBM Endicott
