PK39732: HTTP RESPONSE HEADER VALUES CONTAINING CRLFS MAY CAUSE UNEXPECTED BEHAVIOR

Fixes are available

6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for AIX platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for HP-UX platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for OS/400 platform
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for Solaris
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for Windows platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for AIX platforms
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for HP-UX platforms
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for HP-UX platforms
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for Solaris
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for OS/400 platform
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for AIX platforms
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for Linux platforms
6.0.2.21: WebSphere Application Server V6.0.2 Fix Pack 21 for Solaris platforms
PK39732; 6.0.2.17: HTTP response header values containing CRLFs errors
6.0.2.21: WebSphere Application Server V6.0.2 Fix Pack 21 for Windows platforms
6.0.2.21: WebSphere Application Server V6.0.2 Fix Pack 21 for AIX platforms
V6.0.2: Java SDK 1.4.2 SR11 Cumulative Fix for IBM WebSphere Application Server
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for Windows platforms
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for Solaris
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for Windows platforms
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for Solaris
6.0.2.21: WebSphere Application Server V6.0.2 Fix Pack 21 for HP-UX platforms
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for AIX platforms
6.0.2.27: WebSphere Application Server V6.0.2 Fix Pack 27 for Linux platforms
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for OS/400 platform
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for Windows platforms
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for HP-UX platforms
6.0.2.21: WebSphere Application Server V6.0.2 Fix Pack 21 for Linux platforms
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for AIX platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for Windows platforms
V6.0.2: Java SDK 1.4.2 SR13 Cumulative Fix for IBM WebSphere Application Server
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for Linux platforms
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for Solaris
6.0.2.29: WebSphere Application Server V6.0.2 Fix Pack 29 for HP-UX platforms
6.0.2.25: WebSphere Application Server V6.0.2 Fix Pack 25 for Windows platforms
6.0.2.33: WebSphere Application Server V6.0.2 Fix Pack 33 for AIX platforms
6.0.2.19: WebSphere Application Server V6.0.2 Fix Pack 19 for Linux platforms
V6.0.2: Java SDK 1.4.2 SR11 Cumulative Fix for IBM WebSphere Application Server
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for Solaris
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for AIX platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for HP-UX platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for Linux platforms
6.0.2.31: WebSphere Application Server V6.0.2 Fix Pack 31 for OS/400 platform
6.0.2.33: WebSphere Application Server V6.0.2 Fix Pack 33 for Windows platforms
6.0.2.33: WebSphere Application Server V6.0.2 Fix Pack 33 for Linux platforms
6.0.2.33: WebSphere Application Server V6.0.2 Fix Pack 33 for HP-UX platforms
V6.0.2: Java SDK 1.4.2 SR12 Cumulative Fix for IBM WebSphere Application Server
6.0.2.33: WebSphere Application Server V6.0.2 Fix Pack 33 for Solaris
6.0.2.23: WebSphere Application Server V6.0.2 Fix Pack 23 for Linux platforms
6.0.2.35: WebSphere Application Server V6.0.2 Fix Pack 35 for HP-UX platforms
6.0.2.35: WebSphere Application Server V6.0.2 Fix Pack 35 for Linux platforms
6.0.2.35: WebSphere Application Server V6.0.2 Fix Pack 35 for AIX platforms
6.0.2.35: WebSphere Application Server V6.0.2 Fix Pack 35 for Solaris
6.0.2.35: WebSphere Application Server V6.0.2 Fix Pack 35 for Windows platforms
6.0.2.35: WebSphere Application Server V6.0.2 Fix Pack 35 for OS/400 platform
6.0.2.37: WebSphere Application Server V6.0.2 Fix Pack 37 for HP-UX platforms
6.0.2.37: WebSphere Application Server V6.0.2 Fix Pack 37 for AIX platforms
6.0.2.37: WebSphere Application Server V6.0.2 Fix Pack 37 for Solaris
6.0.2.37: WebSphere Application Server V6.0.2 Fix Pack 37 for Windows platforms
6.0.2.37:Java SDK 1.4.2 SR13 Cumulative Fix for IBM WebSphere Application Server
6.0.2.37: WebSphere Application Server V6.0.2 Fix Pack 37 for Linux platforms
6.0.2.39: WebSphere Application Server V6.0.2 Fix Pack 39 for HP-UX platforms
6.0.2.39: WebSphere Application Server V6.0.2 Fix Pack 39 for AIX platforms
6.0.2.39: WebSphere Application Server V6.0.2 Fix Pack 39 for Solaris
6.0.2.39: WebSphere Application Server V6.0.2 Fix Pack 39 for Windows platforms
6.0.2.39:Java SDK 1.4.2 SR13 FP2 Cumulative Fix for WebSphere Application Server
6.0.2.39: WebSphere Application Server V6.0.2 Fix Pack 39 for Linux platforms
6.0.2.41: WebSphere Application Server V6.0.2 Fix Pack 41 for HP-UX platforms
6.0.2.41: WebSphere Application Server V6.0.2 Fix Pack 41 for AIX platforms
6.0.2.41: WebSphere Application Server V6.0.2 Fix Pack 41 for Solaris
6.0.2.41: WebSphere Application Server V6.0.2 Fix Pack 41 for Windows platforms
6.0.2.41:Java SDK 1.4.2 SR13 FP4 Cumulative Fix for WebSphere Application Server
6.0.2.41: WebSphere Application Server V6.0.2 Fix Pack 41 for Linux platforms
6.0.2.43: WebSphere Application Server V6.0.2 Fix Pack 43 for OS/400 platform
6.0.2.43: WebSphere Application Server V6.0.2 Fix Pack 43 for HP-UX platforms
6.0.2.43: WebSphere Application Server V6.0.2 Fix Pack 43 for AIX
6.0.2.43: WebSphere Application Server V6.0.2 Fix Pack 43 for Solaris
6.0.2.43: WebSphere Application Server V6.0.2 Fix Pack 43 for Windows platforms
6.0.2.43:Java SDK 1.4.2 SR13 FP5 Cumulative Fix for WebSphere Application Server
6.0.2.43: WebSphere Application Server V6.0.2 Fix Pack 43 for Linux

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Problem:
    When a particular type of invalid IBM HTTP server header is
    used, it splits the response into two or more responses.
    
    WAS 6.0.2 will only check for and block a double CRLF in header
    values (protecting against an app trying to force the end of
    header blank line and bogus secondary response). It does not
    protect against a single CRLF.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: WebSphere Application Server version 6.0     *
    *                 users of the HTTP channel.                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: The Application Server code does not    *
    *                      check for or stop an application from   *
    *                      sending a malformed HTTP response       *
    *                      header with a single CRLF inside it     *
    *                      (potentially splitting the response     *
    *                      message).                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The HTTP code will currently check for double CRLFs, which
    would be invalid since it is a premature end-of-headers marker;
    however, it does not prevent users from adding one with a
    single CRLF inside it. The problem with that is the user can
    end up with unexpected and invalid extra headers because it
    can sit in the "first" header following the CRLF and is not
    checked or accounted for.
    

Problem conclusion

  • The code will now scan header names and values for the single
    CRLF and will not allow it, except in situations where the
    header value is a validly formed multiline header.
    
    This is targeted for fixpack 6.0.2.19. It is already included
    in version 6.1.0.0 and higher.
    Please refer to the recommended updates page for delivery
    information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK39732

  • Reported component name

    WEBSPH APP SERV

  • Reported component ID

    5724J0800

  • Reported release

    60A

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-02-21

  • Closed date

    2007-03-20

  • Last modified date

    2007-04-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Modules/Macros

  • HTTPCHAN
    

Fix information

  • Fixed component name

    WEBSPH APP SERV

  • Fixed component ID

    5724J0800

Applicable component levels

  • R60A PSY

       UP

  • R60H PSY

       UP

  • R60I PSY

       UP

  • R60P PSY

       UP

  • R60S PSY

       UP

  • R60W PSY

       UP

  • R60Z PSY

       UP

  • R61A PSN

       UP

  • R61H PSN

       UP

  • R61I PSN

       UP

  • R61P PSN

       UP

  • R61S PSN

       UP

  • R61W PSN

       UP

  • R61Z PSN

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

WebSphere Application Server
General

Software version:

6.0

Reference #:

PK39732

Modified date:

2007-04-05

Translate my page

Machine Translation

Content navigation