
Notification - Security Vulnerability - Please Read

Mark.Ackert@...
 

Hello Zowe Users,


We were informed of a published vulnerability in NPM dependencies which affected Zowe CLI’s secure-credential-store during the time period of Nov 4th to Nov 5th. If you installed the plugin from npmjs.org during the vulnerable window of time via a direct command line install, you should follow the recommended resolution steps from the security advisory here: https://github.com/advisories/GHSA-g2q5-5433-rhrf. You are not affected if you downloaded the secure credential store plugin from zowe.org or a Zowe support conformant vendor (IBM or Broadcom). You are not affected if you downloaded from any source prior to Nov 4.


   The following component versions were affected:


@zowe/secure-credential-store-for-zowe-cli@zowe-v1-lts 

@zowe/secure-credential-store-for-zowe-cli@latest


If you issued one of these commands Nov 4 or Nov 5, you should follow the above resolution steps:


“zowe plugins install @zowe/secure-credential-store-for-zowe-cli@zowe-v1-lts”

“zowe plugins install @zowe/secure-credential-store-for-zowe-cli@latest”



Hello Zowe Developers,


We found additional Zowe components which the above vulnerability affects at development time, during the same time period of Nov 4th - Nov 5th. There was a second hijacked dependency, https://github.com/veged/coa/issues/99, which contained the same exploit.


Conditions for vulnerability:


  • Zowe API Mediation Layer, Frontend Catalog (path: api-catalog-ui/frontend)
    • If you issued an “npm install” for the first time in this directory Nov 4 or Nov 5, you may have been compromised.
    • If you deleted any existing “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.
  • Zowe Desktop Sample React Application (path: webClient)
    • If you issued an “npm install” for the first time in this directory Nov 4 or Nov 5, you may have been compromised.
    • If you deleted any existing “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.
  • Zowe CLI
    • If you deleted “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.
  • Imperative 
    • If you deleted “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.


Thank you


This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.
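
An added example (not part of the original message and not Zowe tooling): a Node.js check that lists every resolved copy of a named dependency, such as `coa`, in a `package-lock.json` regenerated during the window, so the versions can be compared with those listed in the advisory. The sample lockfiles, the `example-build-tool` name and version `9.9.9` are constructed placeholders, not values from the advisory.

```javascript
'use strict';
// Constructed sample lockfiles (not taken from any Zowe repository).
// "9.9.9" is a placeholder, not a version named in the advisory.
const LOCK_V1 = { lockfileVersion: 1, dependencies: {
  'example-build-tool': { version: '1.0.0', dependencies: { coa: { version: '9.9.9' } } },
  coa: { version: '1.2.3' },
} };
const LOCK_V2 = { lockfileVersion: 2, packages: {
  '': { name: 'constructed-app' },
  'node_modules/coa': { version: '1.2.3' },
  'node_modules/example-build-tool/node_modules/coa': { version: '9.9.9' },
} };

// lockfileVersion 1 stores a nested "dependencies" tree; recurse through it.
function walkV1(deps, trail, wanted, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (wanted.has(name)) out.push({ name, version: info.version, path: path.join(' > ') });
    walkV1(info.dependencies, path, wanted, out);
  }
}

// Return every resolved copy of the named packages, top-level or transitive.
function findPackages(lock, names) {
  const wanted = new Set(names);
  const out = [];
  if (!lock.packages) { walkV1(lock.dependencies, [], wanted, out); return out; }
  // lockfileVersion 2/3 stores a flat map keyed by install path.
  for (const [key, info] of Object.entries(lock.packages)) {
    const i = key.lastIndexOf('node_modules/');
    if (i < 0) continue; // root project or workspace entry
    const name = key.slice(i + 'node_modules/'.length);
    if (wanted.has(name)) out.push({ name, version: info.version, path: key });
  }
  return out;
}

// Keep only hits whose version is in the list the caller copied from the advisory.
function flagged(hits, badVersions) {
  return hits.filter((h) => (badVersions[h.name] || []).includes(h.version));
}

console.log(flagged(findPackages(LOCK_V2, ['coa']), { coa: ['9.9.9'] }));
```

In real use, load the file with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass the version list from the advisory in place of the placeholder.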


z/OS 2.5 Compatibility

John Mertic
 

Forwarding your note along to the zowe-user email list.

Thank you,

John Mertic
Director of Program Management - Linux Foundation
Academy Software Foundation, LF Energy, Magma, Open Mainframe Project, and SODA
Schedule a meeting with me at https://meetings.hubspot.com/jmertic


---------- Forwarded message ---------
From: THUMMALAPENTA, Padmapriya <Padmapriya.THUMMALAPENTA@...>
Date: Thu, Dec 9, 2021 at 5:31 AM
Subject: z/OS 2.5 Compatibility
To: info@... <info@...>


Hi,

 

We are running with ZOWE 1.13 and planning to upgrade from z/OS 2.3 to z/OS 2.5. Please provide the compatibility details to move to z/OS 2.5.

 

Thank you.

 

 

Warm Regards
Padmapriya Thummalapenta
Mobile-+91 9980299552
Padmapriya.THUMMALAPENTA@...

 




This e-mail is sent by Suncorp Group Limited ABN 66 145 290 124 or one of its related entities "Suncorp".
Suncorp may be contacted at Level 28, 266 George Street, Brisbane or on 13 11 55 or at suncorp.com.au.
The content of this e-mail is the view of the sender or stated author and does not necessarily reflect the view of Suncorp. The content, including attachments, is a confidential communication between Suncorp and the intended recipient. If you are not the intended recipient, any use, interference with, disclosure or copying of this e-mail, including attachments, is unauthorised and expressly prohibited. If you have received this e-mail in error please contact the sender immediately and delete the e-mail and any attachments from your system.
 


Re: z/OS 2.5 Compatibility

Jack-Tiefeng Jia
 

Hi Padmapriya,
 
We did some testing on v2.5 internally and here is what we found.
 
- We tested Zowe v1.23.0+ on z/OS v2.5 and we don’t see issues. We didn't go back to test Zowe v1.13.
- There was an issue related to Zowe playbooks running on z/OS 2.5 Fixpack 14. This issue doesn't exist with z/OS 2.5 Fixpack 6, and it disappeared on z/OS 2.5 Fixpack 18 on one of the systems but still exists on another system. This failure does not affect the Zowe runtime, only the pipeline.
 
So I think it's worth trying to bring up Zowe v1.13 on z/OS v2.5. Currently we don't expect failures. If you do see something unexpected, please feel free to contact us.
 
Thank you,
 
Jack (T.) Jia
Software Developer
IBM Z Management Software
IBM Systems

Phone: 1-905-413-3195
IBM

8200 Warden Ave
Markham, ON L6G 1C7
Canada
 
 

----- Original message -----
From: "John Mertic" <jmertic@...>
Sent by: zowe-user@...
To: zowe-user@...
Cc:
Subject: [EXTERNAL] [zowe-user] z/OS 2.5 Compatibility
Date: Thu, Dec 9, 2021 6:57 AM
 
Forwarding your note along to the zowe-user email list.
 
Thank you,
 
John Mertic
Director of Program Management - Linux Foundation
Academy Software Foundation, LF Energy, Magma, Open Mainframe Project, and SODA
Schedule a meeting with me at https://meetings.hubspot.com/jmertic
 
---------- Forwarded message ---------
From: THUMMALAPENTA, Padmapriya <Padmapriya.THUMMALAPENTA@...>
Date: Thu, Dec 9, 2021 at 5:31 AM
Subject: z/OS 2.5 Compatibility
To: info@... <info@...>
 

Hi,

 

We are running with ZOWE 1.13 and planning to upgrade from z/OS 2.3 to z/OS 2.5. Please provide the compatibility details to move to z/OS 2.5.

 

Thank you.

 

 

Warm Regards
Padmapriya Thummalapenta
Mobile-+91 9980299552

Padmapriya.THUMMALAPENTA@...

 

 


 
 



test

John Mertic
 


Thank you,

John Mertic
Director of Program Management - Linux Foundation
Academy Software Foundation, LF Energy, and Open Mainframe Project
Schedule a meeting with me at https://meetings.hubspot.com/jmertic


*ZOWE V2 OFFICE HOURS* Notice for Zowe Consumers

Rose Sakach
 

When:
Wednesday, April 6th, 2022
12:00pm to 12:30pm
(UTC-05:00) Eastern Time - New York (EST)
Where:
https://zoom.us/j/94312528890
Description:
Zowe V2 API Mediation Layer Office Hours (for Users and Consumers):   (https://zoom.us/j/94312528890)

Please mark your calendars or reference the OMP / Zowe Calendar for Zowe V2 Office Hours:   https://lists.openmainframeproject.org/g/zowe-dev/calendar

The Zowe Onboarding Squad is offering a series of Zowe V2 Office Hours, every Wednesday at 12pm ET throughout the month of April.  These webinars will focus on Zowe V2 from a User perspective.  Each session will cover a different Zowe component and will include:  
  • General overview of what's new with the featured component
  • Installation & configuration changes for V2
  • V1 upgrade considerations
  • The V2 user experience
  • New feature details
Please consider attending our first session focused on API Mediation Layer.  We look forward to your participation!

Did you miss an Office Hours Session?  Find prior session recordings and view the schedule here:  https://www.zowe.org/vnext#office-hours


Best Regards, 
The Zowe Onboarding Squad
Jakub Balhar
Michael DuBois
Jan Prihoda
Rose Sakach
Joe Winchester



*ZOWE V2 OFFICE HOURS* Notice for Zowe Consumers

Rose Sakach
 

When:
Wednesday, April 13th, 2022
12:00pm to 12:30pm
(UTC-05:00) Eastern Time - New York (EST)
Where:
https://zoom.us/j/94312528890
Description:
Zowe V2 CLI Office Hours (for Users and Consumers):   (https://zoom.us/j/94312528890)

Please mark your calendars or reference the OMP / Zowe Calendar for Zowe V2 Office Hours:   https://lists.openmainframeproject.org/g/zowe-dev/calendar

The Zowe Onboarding Squad is offering a series of Zowe V2 Office Hours, every Wednesday at 12pm ET throughout the month of April.  These webinars will focus on Zowe V2 from a User perspective.  Each session will cover a different Zowe component and will include:  
  • General overview of what's new with the featured component
  • Installation & configuration changes for V2
  • V1 upgrade considerations
  • The V2 user experience
  • New feature details
Please consider attending this upcoming session focused on Zowe CLI (Command Line Interface).  We look forward to your participation!

Did you miss an Office Hours Session?  Find prior session recordings and view the schedule here:  https://www.zowe.org/vnext#office-hours

Best Regards, 
The Zowe Onboarding Squad
Jakub Balhar
Michael DuBois
Jan Prihoda
Rose Sakach
Joe Winchester



*Zowe V2 OFFICE HOURS* Notice for Zowe Consumers

Rose Sakach
 

When:
Wednesday, April 20th, 2022
12:00pm to 12:30pm
(UTC-05:00) Eastern Time - New York (EST)
Where:
https://zoom.us/j/94312528890
Description:
Zowe V2 Explorer Office Hours (for Users and Consumers):   (https://zoom.us/j/94312528890)

Please mark your calendars or reference the OMP / Zowe Calendar for Zowe V2 Office Hours:   https://lists.openmainframeproject.org/g/zowe-dev/calendar

The Zowe Onboarding Squad is offering a series of Zowe V2 Office Hours, every Wednesday at 12pm ET throughout the month of April.  These webinars will focus on Zowe V2 from a User perspective.  Each session will cover a different Zowe component and will include:  
  • General overview of what's new with the featured component
  • Installation & configuration changes for V2
  • V1 upgrade considerations
  • The V2 user experience
  • New feature details
Please consider attending this upcoming session focused on Zowe Explorer (VS Code Extension).  We look forward to your participation!

Did you miss an Office Hours Session?  Find prior session recordings and view the schedule here:  https://www.zowe.org/vnext#office-hours

Best Regards, 
The Zowe Onboarding Squad
Jakub Balhar
Michael DuBois
Jan Prihoda
Rose Sakach
Joe Winchester



REMINDER *Zowe V2 OFFICE HOURS* Notice for Zowe Consumers

Rose Sakach
 

When:
TODAY!  Wednesday, April 27th, 2022
12:00pm to 12:30pm
(UTC-05:00) Eastern Time - New York (EST)
Where:
https://zoom.us/j/94312528890
Description:
Zowe V2: Web UI Office Hours (for Users and Consumers):   (https://zoom.us/j/94312528890)

Please mark your calendars or reference the OMP / Zowe Calendar for Zowe V2 Office Hours:   https://lists.openmainframeproject.org/g/zowe-dev/calendar

The Zowe Onboarding Squad is offering a series of Zowe V2 Office Hours, every Wednesday at 12pm ET throughout the month of April.  These webinars will focus on Zowe V2 from a User perspective.  Each session will cover a different Zowe component and will include:  
  • General overview of what's new with the featured component
  • Installation & configuration changes for V2
  • V1 upgrade considerations
  • The V2 user experience
  • New feature details
Please consider attending this upcoming session focused on Zowe Web UI / Zowe Desktop / App Framework.  We look forward to your participation!

Did you miss an Office Hours Session?  Find prior session recordings and view the schedule here:  https://www.zowe.org/vnext#office-hours

Best Regards, 
The Zowe Onboarding Squad
Jakub Balhar
Michael DuBois
Jan Prihoda
Rose Sakach
Joe Winchester
