History: Jun 15, 2018 - 7:02 a.m.

Security Bulletin: varying error codes allows detection of existing systems behind firewall

2018-06-15 07:02:14
www.ibm.com

EPSS: 0.004 (Percentile: 72.9%)

Summary

A security vulnerability related to content handler URLs makes it possible to check if a system exists (for example, behind a firewall). A different error code is returned for
a) systems that exist but are not accessible via the proxy functionality versus
b) systems that do not exist.
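
The class of issue described above, as an added illustration that is not IBM's code: a proxy handler that resolves the target before checking policy answers differently for cases a) and b), while one that checks policy first returns a single response for every refusal. The host names, status codes and function names are assumptions made for the example.

```python
# Added illustration: hosts, status codes and function names are assumptions,
# not WebSphere Service Registry and Repository code.

# Constructed sample data: hosts that "exist" on the internal network.
INTERNAL_DNS = {"hr-db.internal": "10.0.0.5", "registry.internal": "10.0.0.9"}
# Targets the proxy is permitted to fetch from.
ALLOWLIST = {"registry.internal"}
# Server-side record of refusals; the reason never reaches the client.
AUDIT_LOG = []


def leaky_proxy(host):
    """Resolves first, then checks policy: the error code reveals existence."""
    if host not in INTERNAL_DNS:
        return 404, "unknown host"          # case b): system does not exist
    if host not in ALLOWLIST:
        return 403, "access denied"         # case a): exists, not accessible
    return 200, "content from " + host


def uniform_proxy(host):
    """Checks policy before any lookup: one response for every refusal."""
    if host not in ALLOWLIST:
        # No resolution is attempted for refused targets, so neither the
        # status code nor the lookup latency depends on whether they exist.
        AUDIT_LOG.append((host, "blocked"))
        return 403, "request not permitted"
    if host not in INTERNAL_DNS:
        AUDIT_LOG.append((host, "upstream-failure"))
        return 502, "upstream unavailable"
    return 200, "content from " + host


def existence_oracle(proxy, existing_blocked, nonexistent):
    """Regression check: True when the two cases get different responses."""
    return proxy(existing_blocked) != proxy(nonexistent)


if __name__ == "__main__":
    for handler in (leaky_proxy, uniform_proxy):
        leaks = existence_oracle(handler, "hr-db.internal", "nope.internal")
        print(handler.__name__, "distinguishable responses:", leaks)
```
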

Affected Products and Versions

WebSphere Service Registry and Repository versions 7, 7.5, 8.0, 8.5

Remediation/Fixes

Fixes are available for each version of WebSphere Service Registry and Repository. For versions 7.0, 7.5 and 8.0 the fixes are available from Business Space, while 8.5 requires a WSRR fix.

7.0: http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FWebSphere%2FWebSphere+Business+Monitor&fixids=7.0.0.5-WS-BSPACE-IFJR51177&source=dbluesearch&function=fixId&parent=ibm/WebSphere

7.5: http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FWebSphere%2FIBM+Business+Process+Manager+Standard&fixids=7.5.1.2-WS-BSPACE-IFJR51177&source=dbluesearch&function=fixId&parent=ibm/WebSphere

8.0: http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm%2FWebSphere%2FIBM+Business+Monitor&fixids=8.0.0.0-WS-BSPACE-IFJR51177&source=dbluesearch&function=fixId&parent=ibm/WebSphere

8.5: The fix will be included in the next WSRR 8.5 fix pack. Contact WSRR support if you wish to receive an earlier iFix.

**CVE ID:** CVE-2014-4746

CVSS

CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/94348> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
