Author |
Any chance VAX will ever see this fix? |
johnklos
Member
Posts: 5
Location: California, USA, Earth
Joined: 30.09.16 |
Posted on February 20 2018 15:40 |
https://www.theregister.co.uk/2018/02/06/openvms_vulnerability/
The CVE will be made public in March. Does anyone know if the source for DCL is available for actual humans so that someone can patch it to remove these issues?
If not, what other actions could be taken to reduce the exploitability of this? Or will we have to wait for more details from the CVE?
--
http://vax.zia.io/ |
|
Author |
RE: Any chance VAX will ever see this fix? |
abrsvc
Member
Posts: 108
Joined: 12.03.10 |
Posted on February 21 2018 01:44 |
I have researched the problem and am attempting to create a "fix". Since I have neither the sources nor access to them, I am trying to develop a patch that can be applied to the appropriate image to address this. In the meantime, removing the privs from the installed image will prevent this problem, as stated in comp.os.vms. Realize that if your site does NOT utilize CLD files, then disabling the privs will NOT change any behavior.
This is a problem ONLY when using CLD files to modify/create commands.
Dan |
|
Author |
RE: Any chance VAX will ever see this fix? |
malmberg
Moderator
Posts: 530
Joined: 15.04.08 |
Posted on February 22 2018 02:38 |
Anyone can create a .CLD file for use. So unless you remove the privileges from the image, lacking an official patch, you are vulnerable.
|
|
Author |
RE: Any chance VAX will ever see this fix? |
Bruce Claremont
Member
Posts: 623
Joined: 07.01.10 |
Posted on February 23 2018 09:45 |
We placed an article on mitigating the issue at this link:
http://www.migrationspecialties.com/pdf/CDU_VulnerabilityMitigation.pdf |
|