Thursday, April 17, 2014

(Not) affected by the heartbleed vulnerability

Let me start by quoting Wikipedia to define what the heartbleed vulnerability is about: "Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol. This vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, some 17 percent (around half a million) of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords. The Electronic Frontier Foundation, Ars Technica, and Bruce Schneier all deemed the Heartbleed bug 'catastrophic'. Forbes cybersecurity columnist Joseph Steinberg wrote, 'Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.'"

Does it have any impact on our mainframe or IBM storage environments?
Well, if you do a search on the Support site, you get more than a hundred hits on 'heartbleed'. I see that practically all indicate 'not affected by the OpenSSL heartbleed vulnerability'. Let me list some of them:
  • TS7650, TS7650G, TS7680
  • TS7700, TS7720, TS7740
  • TS3500, TS11x0, 3592-C07
  • XIV Gen2
  • CICS Transaction Server for VSE/ESA 1.1.1, CICS Transaction Server for z/OS 
  • DS8100, DS8300, DS8700, DS8800 and DS8870 prior to Release 7.2 
  • OpenSSH for z/OS
The only one I found so far that is affected is XIV Gen3.
"XIV management and CIMOM uses SSL to provide confidentiality and integrity of management communications. This vulnerability means that an attacker can potentially compromise management communication, gaining access to user credentials and thereby to unauthorized management access of an exposed system. Since storage management is usually on an internal and separate network, exposure to this vulnerability is limited to users with access to the management network.
The impact is limited to management communication only, as XIV does not use SSL encryption in the data path".

Affected products and versions are: "XIV Gen3 systems running microcode versions 11.4.1 or 11.4.1.a are vulnerable via management and CIMOM ports. Versions 11.3.0, 11.3.0.a and 11.3.1 are vulnerable only via the CIMOM port. XIV Gen3 systems running older microcode versions are not affected. XIV Gen2 systems are not affected".

You can find all additional information for XIV Gen3 over here.

Tuesday, April 8, 2014

RealDolmen System z e-zine 21: Anniversary edition #mainframe50

The 21st issue of our RealDolmen System z Newsletter was sent out yesterday. You can download it over here. Just like the last time, there's just one English version. No more Dutch or French versions. Do go and take a look at it. There's some content that hasn't been on the blog. Perhaps I'll put my contribution on OpenStack here as well in the coming days.

The content: here's the introduction that was sent along:
Today we celebrate the 50th anniversary of the mainframe. IBM announced the S/360 mainframe on this very day emerging from a 5 billion dollar investment initiated by its former president Thomas Watson Jr. And just like with any anniversary you can do two things. On the one hand you can reminisce about the past, celebrate important achievements and tell heroic stories. On the other hand it’s always the perfect moment to look towards the future and determine future strategies in order to hold your place in a competitive world. Of course today we will do a bit of both since one can learn a lot from the past and we need to keep an open mind towards the future. You can read all details in this newsletter.

We’ll give you an overview of some sites, happenings and social media which are giving a lot of attention to this anniversary. But we will also point out a couple of solutions and trends that are definitely positioning the mainframe in the future. One of those items we already mentioned a couple of times in our blog is OpenStack. This is also becoming a very relevant platform for our mainframe. Next to that we’ll also introduce IBM Wave for z/VM to you. These solutions point towards some future accents like ease of use, bridging the knowledge gap and open standards with software defined environments.

Finally, we still have our usual entries with recent announcements, interesting blog entries, EOS dates, hints and tips and our agenda.

Enjoy the reading!

Tuesday, April 1, 2014

Announcement: Price change - selected DS8870 disk drives

Today IBM issues the following announcement: 'Price change: Selected DS8870 Disk Drives (ZA14-1121)'. Effective today "IBM announces a list price decrease on Selected DS8870 Disk Drives".

So this is a price reduction for the following disk drives on the DS8870: 146 GB 15krpm FDE disk drive, 300 GB 15krpm FDE disk drive, 600 GB 10krpm FDE disk drive, 1.2 TB 10krpm FDE disk drive, 4 TB 7.2krpm FDE disk drive.

Did I already tell you that it's effective as of today? You never know, but I just wonder whether I'll have to add a little comment to this tomorrow?