By default, when it receives a new data file, IBM Sterling Connect:Direct for UNIX creates the file with permissions 664. These permissions, which give all local users read access to the file, may not be appropriate when Connect:Direct is used to receive sensitive information. Connect:Direct users should assess the vulnerability in the context of the data that Connect:Direct receives and immediately apply the fix if the vulnerability leads to sensitive data being exposed.
**CVEID:** CVE-2016-0380
**DESCRIPTION:** IBM Sterling Connect:Direct for UNIX creates destination files with permissions that specify group-owner read and write and world read, which could lead to a local user obtaining sensitive information.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112246 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
IBM Sterling Connect:Direct for Unix 4.2.0
IBM Sterling Connect:Direct for Unix 4.1.0
| V.R.M.F | APAR | Remediation/First Fix |
|---|---|---|
| 4.2.0 | IT14769 | Apply 4.2.0.4.iFix003, available in cumulative iFix013 on Fix Central |
| 4.1.0 | IT14769 | Apply 4.1.0.4 iFix073, available in cumulative iFix075 on Fix Central |
The fix adds two new initparms to the copy.parms record in initparm.cfg:
recv.file.open.perm=nnn, where nnn is an octal integer giving the default permissions for newly received files. It takes the same values documented for the copy sysopt "permiss".
recv.file.open.ovrd=x, where x is one of the following three values:
'Y' - Allow the copy step sysopt "permiss" value to override the recv.file.open.perm value when receiving a new file. This is the default.
'N' - Disallow the copy step sysopt "permiss" value from overriding the recv.file.open.perm value when receiving a new file.
'P' - Allow the copy step sysopt "permiss" value to override the recv.file.open.perm value when the pnode is receiving a new file.
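As an added example (not IBM's code or part of this bulletin), the following POSIX shell helpers let an administrator check for the exposure described above: they list files in a receive directory that are readable beyond the owner, and classify whether a copy.parms record sets recv.file.open.perm to an owner-only mode. The receive directory path and the initparm.cfg record layout used in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin or product. Assumes POSIX sh with
# find(1) and sed(1). The initparm.cfg record layout in SAMPLE_CFG is an
# assumption about the file format, not taken from the bulletin.

# Return 0 when an octal mode (e.g. 664) grants read access to group or other.
mode_exposes_data() {
    # 0044 = group-read | other-read; the leading 0 makes the shell parse octal
    [ $(( 0$1 & 0044 )) -ne 0 ]
}

# List regular files under $1 readable by group or other, one path per line.
# Files written with the vulnerable default of 664 show up here.
find_exposed_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) | sort
}

# Extract recv.file.open.perm from initparm.cfg text read on stdin; print
# "unset" when the fixed product has not been configured with the new initparm.
recv_perm_setting() {
    v=$(sed -n 's/.*recv\.file\.open\.perm=\([0-7]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] && echo "$v" || echo "unset"
}

# Classify the configured setting read on stdin: "exposed" if the initparm is
# absent or still grants group/other read, otherwise "restricted".
classify_config() {
    v=$(recv_perm_setting)
    if [ "$v" = "unset" ] || mode_exposes_data "$v"; then
        echo "exposed"
    else
        echo "restricted"
    fi
}

# Constructed sample of a copy.parms record after applying the fix (layout assumed).
SAMPLE_CFG='copy.parms:\
    :ckpt.interval=2M:\
    :recv.file.open.perm=600:\
    :recv.file.open.ovrd=N:'

# Usage: sh audit.sh /path/to/receive/dir  (directory argument is optional)
if [ -n "$1" ]; then
    echo "Files readable beyond the owner under $1:"
    find_exposed_files "$1"
fi
echo "Sample config classification: $(printf '%s\n' "$SAMPLE_CFG" | classify_config)"
```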
For IBM Sterling Connect:Direct for Unix versions 4.0.0 and older, IBM recommends upgrading to a fixed, supported version of the product.
Workarounds and Mitigations: None