On Tue, 8 May 2012 18:31:56 -0400, Tony Harminc <[email protected]> wrote:
> One can learn quite a bit from these published documents, not least
> lists of fixes that must be applied in order to pass the claimed
> security specifications, from which one might reasonably infer that
> the fixes are for software vulnerabilities.

Sometimes the fixes that IBM lists in that document represent vulnerabilities, but sometimes they are merely PTFs that provide late-shipping functional changes. IBM is required for Common Criteria purposes to run the tests with the "final" version of the system, and if functional changes to a component are made via PTF after the "GA" ServerPac tape is produced, then the customers who want to run the evaluated/certified version of z/OS are also required to install those PTFs if IBM used them during testing. (Note: in the latter years of my career with IBM I was the technical architect for our z/OS Common Criteria certification efforts and was the person responsible for the Security Target and for input to the Planning Guide.)

> Obviously IBM has much
> juicier internal versions of these documents. I don't know if there is
> an official way to get hold of this kind of material, either from IBM
> or from your national government. In any case, the weaknesses
> described are almost certainly long since fixed.

As IBMers have mentioned here in the past, and as Mark Jacobs mentioned earlier in this thread, IBM has a web site that provides -some- information about integrity and security fixes for z/OS and z/VM, but the information is not made public. It is made available only to authorized representatives of z/OS and z/VM customers, and even then you do not learn what the actual exposure is; only that a problem exists, the CVSS score for the vulnerability, and the APAR/PTF you should install to close the exposure.

Even the general rank-and-file IBM population does not have access to details about security vulnerabilities for z/OS and z/VM, and even most IBMers developing software for z/OS and z/VM do not have access to it except possibly for the system components they work on. IBM treats information about vulnerabilities in z/OS and z/VM as confidential and highly sensitive, as part of their efforts to protect their customers. And that is done in large part at the request of the IBM customer base.

As Mark mentioned, you can visit http://www-03.ibm.com/systems/z/advantages/security/integrity_sub.html if you are an authorized representative of a z/OS or z/VM site, and learn how to become authorized to view the web site that has the Security/Integrity information for z/OS or z/VM.

--
Walt (who no longer has access to that kind of information)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN

