Are You Exposed to Security Vulnerabilities with Your Use of Open-Source Ports on z/OS?
Over the past couple of years, increased Zowe adoption and the push to integrate the mainframe into platform-neutral DevOps pipelines have resulted in greater use of Unix System Services (USS).
With increased use of USS has come widespread acceptance of Rocket’s z/OS ports of common open-source languages and tools that are not bundled with USS such as Git, OpenSSL, cURL, Python, Bash, Make and others. These popular open-source ports are freely available for anyone to download from Rocket’s public download site. However, most users are unaware that the public download site does not include the latest available updates and CVE fixes to these ports.
Vulnerability Remediation and Ongoing Maintenance from Experts
In early 2021, Rocket introduced commercial open-source support to minimize the need for DIY remediation and maintenance and mitigate the risks posed by waiting for CVE fixes or version currency updates. By leveraging a Rocket support contract, customers get immediate access to all CVE fixes and version currency updates rather than waiting six months to obtain the same updates.
As of publishing time for this blog post the following CVEs are resolved for our customers on support but very much un-resolved for the rest of the user community:
Additionally, a support contract provides the option to download and install our ports without requiring an internet connection from your mainframe to a conda repository for an added layer of security.
Rocket’s Rapid Porting Infrastructure
Coinciding with the introduction of this two-tier access and support system, Rocket has rolled out a new level of porting automation infrastructure to ensure that when a new CVE is reported, a fix is quickly available on the z/OS port. DevOps pipelines that automate security scans, builds, testing and promotion are table stakes now, which is why Rocket has long been producing our z/OS ports in this way. Rocket’s differentiator is the introduction of additional automation at the front end to perform automated porting.
Rocket has developed its own port of GCC and glibc that inject the operating-system-specific code required to adapt an open-source program to z/OS directly into the binaries, without requiring any source code edits. Rocket also has an automated reporting system listening to NIST announcements regarding new CVEs for our ports to take immediate action producing z/OS versions of all fixes.
Ensure You’re Running with the Latest and Most Secure Builds
Though it is possible to obtain the latest Git, Bash and OpenSSL ports from IBM through Rocket-IBM partnerships, this is not the case for cURL or any of other ports developed by Rocket. If you want to be assured you are running the most secure builds possible of the z/OS open-source ports your organization depends on, reach out to our support teams to obtain your ports directly from Rocket’s secure conda channel server, or using one of Rocket’s bundle options for air-gapped mainframes.