W dniu 2018-01-11 o 23:03, Walt Farrell pisze:
On Wed, 10 Jan 2018 15:26:04 -0600, Tom Marchant <m42tom-ibmm...@yahoo.com>
wrote:
On Wed, 10 Jan 2018 21:44:29 +0100, R.S. wrote:
BTW: It's worth to remember chances the vulnerability would really
compromise system security are really small. (IMHO)
I agree. Especially since the method of exploiting it involves flushing
cache and testing to see what memory location was reloaded into
cache. In a real system the amount of cache activity is too high for
the technique to be reliable. And the attacking task would use a lot
of CPU, making it unlikely that WLM would allow it to complete its
work without being interrupted frequently.
Assuming, of course, that the attack occurs on a heavily-used production system. On a
more lightly-used system, perhaps a test system with access to shared data or with a
shared security database or shared ICSF data such that credentials "stolen" on
one system could be used on another, it might be more successful.
That would come down to other factors of data segregation and security, and
require additional analysis.
IMHO shared sesnsitive data like RACF db or ICSF PKDS is not an issue -
one should not share such information between production and test.
What's much more interesting is:
Is it possible to perform attack from sandbox system (LPAR) to access
data from production system working in another LPAR on the same CPC?
Let's assume all LPARs are lightly used and other assumption helping
attacker to perform the attack...
Regards
--
Radoslaw Skorupka
Lodz, Poland
======================================================================
--
Treść tej wiadomości może zawierać informacje prawnie chronione Banku
przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie
jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem
niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania
adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie
lub inne działanie o podobnym charakterze jest prawnie zabronione i może być
karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie
zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość
włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku.
This e-mail may contain legally privileged information of the Bank and is
intended solely for business use of the addressee. This e-mail may only be
received by the addressee and may not be disclosed to any third parties. If you
are not the intended addressee of this e-mail or the employee authorized to
forward it to the addressee, be advised that any dissemination, copying,
distribution or any other similar activity is legally prohibited and may be
punishable. If you received this e-mail by mistake please advise the sender
immediately by using the reply facility in your e-mail software and delete
permanently this e-mail including any copies of it either printed or saved to
hard drive.
mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa,
www.mBank.pl, e-mail: kont...@mbank.plsąd Rejonowy dla m. st. Warszawy XII
Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców
KRS 0000025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2016 r. kapitał
zakładowy mBanku S.A. (w całości wpłacony) wynosi 168.955.696 złotych.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
