Important Security Notice for CAIRIM LMP for z/OS

Last Updated: May 2, 2006

CA Technical Support is alerting customers to a potential vulnerability issue associated with our CAIRIM LMP solution for z/OS. CAIRIM is delivered as part of CA's z/OS Common Services and the LMP component provides licensing services to many of CA's z/OS solutions. IBM Global Services has detected an integrity problem, which could be exploited by an expert user of a z/OS system that utilizes CA's CAIRIM LMP component. We have been working with IBM Global Services to understand the nature of the problem and to make certain that the remedy provided addresses the problem completely.

CA has confirmed the presence of this vulnerability and has developed a corrective update that provides comprehensive protection for our customers. Additional Quality Assurance testing has been completed and an official published solution has been made available as of May 2, 2006.

The vulnerability is an integrity exposure associated with the way the CAIRIM LMP SVC operates in conjunction with the legitimate SVC invoking code. An attacker can potentially utilize a problem state program to take advantage of this integrity exposure and obtain supervisor state, key 0. Once the attacker achieves supervisor state, key 0, they could possibly then update any system memory areas they choose. An attacker can use a carefully crafted program in supervisor state to potentially compromise system security settings and gain unauthorized access to other system-related resources. Although recently discovered, this exposure has been present in the CAIRIM LMP code since its inception.

Customers are advised to apply PTF QO78541 as soon as possible to ensure that computing environments are properly protected.

Affected products

All CA z/OS solutions that require CAIRIM LMP to be installed for licensing services. A list of affected products is available by clicking here.

Affected platforms

All z/OS releases

Prerequisite conditions for the vulnerability to be exploitable

You must be running CAIRIM LMP on a z/OS system.

Determining if you are affected

You can verify the existence of CAIRIM LMP on your system by using the IPCS Findmod (FMOD) command to examine storage in your z/OS LPA:

  1. Access IPCS from within TSO/ISPF
  2. Issue the following IPCS commands:
    SETDEF ACTIVE
    FMOD CAIRIMC

If a valid address for CAIRIMC is displayed, then CAIRIM LMP has been installed on the system.

If CAIRIMC is present, the display will be comparable to:

BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F4C040 40404040
40404040 40404040 40404040 404040' is not valid - no
definition stored
BLS18016I AMODE(31) entry point CAIRIMC is at 0D5EB000

CAIRIMC
LIST 0D5EB000. ASID(X'0001') LENGTH(X'21A0') MODULE(Cairimc)

Note that the address 0D5EB000 is given for CAIRIMC, meaning that CAIRIM LMP is installed.

If CAIRIM LMP is not installed, the FMOD CAIRIMC display will look similar to:

BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F4C040 40404040
40404040 40404040 40404040 404040' is not valid - no
definition stored
BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F3C040 40404040
40404040 40404040 40404040 404040' is not valid - no
definition stored
BLS18104I Symbol LPDECAIRIMC not found
BLS18015I Entry point CAIRIMC not found

In this case note the "not found" clause.
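
For sites checking several systems, the interpretation above can be scripted over saved FMOD output. The following is an added example, not code from CA or IBM: the function names and LPAR names are hypothetical, and it assumes each display has been saved as text containing the message IDs shown above.

```python
import re
from typing import NamedTuple, Optional

class FmodResult(NamedTuple):
    status: str                 # "installed", "not_installed" or "unknown"
    entry_point: Optional[str]  # hex address from BLS18016I
    amode: Optional[str]
    length: Optional[str]       # hex length from the LIST line, if captured

def parse_fmod(capture: str, module: str = "CAIRIMC") -> FmodResult:
    """Classify one saved FMOD display (hypothetical helper, not a CA or IBM tool)."""
    # IPCS wraps long messages across lines; collapse whitespace before matching.
    flat = " ".join(capture.split())
    mod = re.escape(module)
    # BLS18462I ("is not valid") appears in BOTH displays, so it is ignored;
    # only BLS18016I and BLS18015I decide the outcome.
    hit = re.search(rf"BLS18016I AMODE\((\w+)\) entry point {mod} is at ([0-9A-F]+)", flat)
    if hit:
        size = re.search(r"LENGTH\(X'([0-9A-F]+)'\)", flat)
        return FmodResult("installed", hit.group(2), hit.group(1),
                          size.group(1) if size else None)
    if re.search(rf"BLS18015I Entry point {mod} not found", flat):
        return FmodResult("not_installed", None, None, None)
    return FmodResult("unknown", None, None, None)  # truncated or wrong capture

# Sample captures: the two displays shown above; LPAR names are constructed.
PRESENT = """BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F4C040 40404040
40404040 40404040 40404040 404040' is not valid - no
definition stored
BLS18016I AMODE(31) entry point CAIRIMC is at 0D5EB000
CAIRIMC
LIST 0D5EB000. ASID(X'0001') LENGTH(X'21A0') MODULE(Cairimc)"""
ABSENT = """BLS18462I Symbol X'C3C4C5C9 C7C3F0F0 F2F3C040 40404040
40404040 40404040
40404040 404040' is not valid - no definition stored
BLS18104I Symbol LPDECAIRIMC not found
BLS18015I Entry point CAIRIMC not found"""

def triage(captures: dict) -> list:
    """Return the names of systems where the module was found."""
    return sorted(n for n, text in captures.items()
                  if parse_fmod(text).status == "installed")

if __name__ == "__main__":
    for name, text in {"LPAR1": PRESENT, "LPAR2": ABSENT}.items():
        print(name, parse_fmod(text))
```

A result of "unknown" means neither deciding message was present, so the capture should be retaken rather than treated as "not installed".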

Prerequisite Maintenance

Before applying the corrective patch for this vulnerability, the following CAIRIM PTF maintenance must already be applied:

QO66290
QO66300
QO75220

Corrective Patch Download

The corrective patch can be downloaded by clicking here.