Saturday, 2 August 2014

Security Bulletin: Unauthorized disclosure of system information in IBM Business Process Manager (BPM) 8.5.x (CVE-2014-3076)

From the Security Bulletin: -


...
Summary

System information is provided on an unprotected diagnostic page.

Vulnerability Details

CVEID: CVE-2014-3076

DESCRIPTION: 

IBM Business Process Manager 8.5 contains an unprotected JavaServer™ Pages (JSP) file that returns system information to unauthenticated users. An attacker might use this information to aid in further attacks against the system.
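The practical question for an administrator is whether an anonymous GET still returns the page, before and after the interim fix is applied. The script below is an added example and not part of the IBM bulletin or of the product: the bulletin does not name the JSP, so `DIAGNOSTIC_PATH` is a placeholder to be replaced with the real path on the system under test, and the `classify` rules (a 401/403, a redirect to a login URL, or a 200 that carries a password form count as protected; any other 200 with a body counts as exposed) are this example's own heuristics.

```python
"""Probe a URL without credentials and report whether it is served anonymously.

Added example, not IBM's code. Uses only the standard library so it can be
run from any jump host with Python 3.
"""
import sys
import urllib.error
import urllib.request

# Assumption: the bulletin does not name the JSP. Replace this placeholder
# with the path of the diagnostic page on the instance being checked.
DIAGNOSTIC_PATH = "/diagnostic.jsp"

EXPOSED, PROTECTED, ABSENT, UNKNOWN = "exposed", "protected", "absent", "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: we want to see the Location header ourselves."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx response


def classify(status, location, body):
    """Heuristic verdict from one unauthenticated response.

    401/403            -> protected (server demanded credentials)
    3xx to login/auth  -> protected (container redirected to its login page)
    200 + password form-> protected (the page served was the login form)
    200 + other body   -> exposed   (content returned with no credentials)
    404/410            -> absent    (page not deployed or removed)
    anything else      -> unknown   (needs a human look)
    """
    text = body.lower()
    if status in (401, 403):
        return PROTECTED
    if status in (404, 410):
        return ABSENT
    if status in (301, 302, 303, 307, 308):
        loc = (location or "").lower()
        return PROTECTED if ("login" in loc or "auth" in loc) else UNKNOWN
    if status == 200:
        if "<form" in text and "password" in text:
            return PROTECTED
        return EXPOSED if text.strip() else UNKNOWN
    return UNKNOWN


def probe(base_url, path=DIAGNOSTIC_PATH, timeout=10):
    """GET base_url+path with no credentials; return (status, verdict)."""
    url = base_url.rstrip("/") + path
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "diag-check"})
    try:
        resp = opener.open(req, timeout=timeout)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        resp = err
    status = resp.code  # present on both HTTPResponse and HTTPError
    body = resp.read(65536).decode("utf-8", "replace")  # cap what we keep
    return status, classify(status, resp.headers.get("Location"), body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python diag_check.py https://bpm-host:9443")
    base = sys.argv[1]
    code, verdict = probe(base)
    print(f"{base}{DIAGNOSTIC_PATH}: HTTP {code} -> {verdict}")
```

Run it once against an unpatched test instance (expect `exposed`), apply JR50760, and run it again (expect `protected` or `absent`). A verdict of `unknown` means the heuristics did not match; inspect the response by hand rather than trusting the script.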

Affected Products and Versions

• IBM Business Process Manager Standard
• IBM Business Process Manager Express
• IBM Business Process Manager Advanced

Software version:

8.5, 8.5.0.1, 8.5.5

Remediation/Fixes

Install IBM Business Process Manager interim fix JR50760 as appropriate for your current IBM Business Process Manager version.

• IBM Business Process Manager Standard
• IBM Business Process Manager Express
• IBM Business Process Manager Advanced
...


Also: -


...
With My Notifications you can receive daily or weekly announcements through e-mail, custom Web pages and RSS feeds. These customizable communications can contain important news, new or updated support content, such as publications, hints and tips, technical notes, product flashes (alerts) and downloads and drivers. The tool allows you to customize and categorize the products you want to monitor and any of the available delivery methods to suit your support needs.
...
