IBM Support

PI60898: WebSphere eXtreme Scale is subject to HTTP response splitting attacks.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • WebSphere eXtreme Scale is subject to HTTP response splitting
    attacks.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM WebSphere eXtreme Scale        *
    *                  V7.1.0                                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: A vulnerability in IBM                  *
    *                      WebSphere eXtreme Scale Client could    *
    *                      expose sensitive information.           *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    CVEID: CVE-2016-0400
    DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to HTTP
    response splitting attacks, caused by improper validation of
    user-supplied input when processing malicious requests. A
    remote
    attacker could exploit this vulnerability to inject arbitrary
    HTTP headers containing unicode charactesr and cause the server
    to return a split response, once the URL is clicked. This would
    allow the attacker to perform further attacks, such as Web
    cache
    poisoning or cross-site scripting, and possibly obtain
    sensitive
    information.
    CVSS Base Score: 6.1
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/112655 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PI60898

  • Reported component name

    XD EXTREME SCAL

  • Reported component ID

    5724J3402

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-04-15

  • Closed date

    2016-08-02

  • Last modified date

    2018-08-20

  • APAR is sysrouted FROM one or more of the following:

    PI60897

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    XD EXTREME SCAL

  • Fixed component ID

    5724J3402

Applicable component levels



Document information

More support for: WebSphere eXtreme Scale
General

Software version: 710

Reference #: PI60898

Modified date: 20 August 2018