PI60897: WebSphere eXtreme Scale is subject to HTTP response splitting attacks.

APAR status

  • Closed as program error.

Error description

  • WebSphere eXtreme Scale is subject to HTTP response splitting
    attacks.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of WebSphere eXtreme Scale V7.1.1,    *
    *                  V8.5, & V8.6.0                              *
    ****************************************************************
    * PROBLEM DESCRIPTION: A vulnerability in IBM                  *
    *                      WebSphere eXtreme Scale Client could    *
    *                      expose sensitive information.           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    CVEID: CVE-2016-0400
    DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to HTTP
    response splitting attacks, caused by improper validation of
    user-supplied input when processing malicious requests. A remote
    attacker could exploit this vulnerability to inject arbitrary
    HTTP headers containing Unicode characters and cause the server
    to return a split response once the URL is clicked. This would
    allow the attacker to perform further attacks, such as Web cache
    poisoning or cross-site scripting, and possibly obtain sensitive
    information.
    CVSS Base Score: 6.1
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/112655 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
    
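The following is an added illustration, not IBM code and not the fix shipped for this APAR. It shows the mechanism the description names: a header value is written with a lossy encoder that keeps only the low byte of each code point (an assumption about how such a bug can look, used here for illustration), so characters such as U+560D/U+560A become CR/LF on the wire and let an attacker add headers or terminate the response and supply a second one. The hardened builder validates the value first, rejecting CR, LF, other control characters and anything outside ISO-8859-1, and encodes strictly. All function names (`naive_encode`, `build_redirect_unsafe`, `build_redirect_safe`, `validate_header_value`, `header_lines`, `count_responses`) and the attacker inputs are constructed for the example.

```python
# Added example (not IBM code): lossy header encoding turns Unicode into CR/LF;
# a strict validator plus strict encoding refuses both the plain and Unicode forms.
from typing import List


def naive_encode(s: str) -> bytes:
    """Hypothetical lossy encoder: keeps only the low byte of each code point.

    This is an assumption for illustration, modelling the class of bug behind
    Unicode-based response splitting; it is not WebSphere eXtreme Scale's code.
    """
    return bytes(ord(c) & 0xFF for c in s)


def build_redirect_unsafe(target: str) -> bytes:
    """Vulnerable: writes an attacker-influenced Location header unchecked."""
    return naive_encode("HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n")


def validate_header_value(value: str) -> str:
    """Reject CR, LF, other control characters and anything outside ISO-8859-1.

    Refusing code points above U+00FF is what closes the Unicode variant: a
    character such as U+560A could otherwise be folded to 0x0A on the wire.
    """
    for ch in value:
        cp = ord(ch)
        if cp > 0xFF or cp == 0x7F or (cp < 0x20 and ch != "\t"):
            raise ValueError(f"illegal character U+{cp:04X} in header value")
    return value


def build_redirect_safe(target: str) -> bytes:
    """Hardened: validate first, then encode strictly (no silent byte folding)."""
    return ("HTTP/1.1 302 Found\r\nLocation: "
            + validate_header_value(target) + "\r\n\r\n").encode("latin-1")


def header_lines(raw: bytes) -> List[bytes]:
    """Header lines of the first message in a raw response byte stream."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n")


def count_responses(raw: bytes) -> int:
    """Number of status lines in the stream; more than one means it was split."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1."))


# Constructed attacker inputs (not taken from the advisory).
BENIGN_TARGET = "/home?lang=en"
# Plain CRLF injection of an extra Set-Cookie header.
CRLF_TARGET = "/home\r\nSet-Cookie: session=attacker"
# Same injection via U+560D/U+560A, whose low bytes are 0x0D/0x0A.
UNICODE_TARGET = "/home\u560d\u560aSet-Cookie: session=attacker"
# Full split: end the first response and supply a second one for a cache to store.
SPLIT_TARGET = ("/home\r\nContent-Length: 0\r\n\r\n"
                "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                "Content-Length: 25\r\n\r\n"
                "<script>alert(1)</script>")

if __name__ == "__main__":
    cases = [("crlf", CRLF_TARGET), ("unicode", UNICODE_TARGET), ("split", SPLIT_TARGET)]
    for name, target in cases:
        raw = build_redirect_unsafe(target)
        print(name, "unsafe headers:", header_lines(raw),
              "responses:", count_responses(raw))
        try:
            build_redirect_safe(target)
        except ValueError as err:
            print(name, "safe: rejected ->", err)
    print("benign safe:", build_redirect_safe(BENIGN_TARGET))
```

The validator deliberately refuses legitimate non-Latin-1 characters as well; a header value that must carry them should be percent-encoded before it reaches the header writer, never passed through an encoder that drops bytes.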

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PI60897

  • Reported component name

    WS EXTREME SCAL

  • Reported component ID

    5724X6702

  • Reported release

    860

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-04-15

  • Closed date

    2016-07-25

  • Last modified date

    2016-08-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    PI60898 PI64191

Fix information

  • Fixed component name

    WS EXTREME SCAL

  • Fixed component ID

    5724X6702

Applicable component levels

  • R711 PSY

       UP

  • R850 PSY

       UP

  • R860 PSY

       UP



Document information

More support for: WebSphere eXtreme Scale

Software version: 860

Reference #: PI60897

Modified date: 30 August 2016