PQ90505, 5.1.0.5: HTTP response splitting security vulnerability
 Downloadable files
 
Abstract
Security vulnerability in IBM® WebSphere® Application Server: HTTP response splitting through IBM HTTP Server.
 
Download Description
PQ90505 resolves the following problem:

PROBLEM DESCRIPTION:
When a particular type of invalid HTTP header is used, it splits the response into two or more responses. Clients that receive such responses can be misled or redirected to a malicious site, exposing client information to the malicious server. The fix blocks the invalid HTTP headers so that HTTP response splitting cannot occur. If such an invalid header is sent, an IllegalArgumentException is thrown, which results in a 500 server error. The error is also logged to FFDC and to SystemErr.log.

RECOMMENDATION:
This fix ensures that HTTP header names and values cannot contain the sequences used to exploit this vulnerability. Any attempt to set such a header results in an IllegalArgumentException, and the error is written to the error log.
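The behaviour described above (reject CR/LF in a header name or value, answer with a 500, log the error) can be illustrated with a small model of the web container's response path. The following is an added example, not IBM's PQ90505 fix code; the function names, the in-memory log list standing in for SystemErr.log/FFDC, and the sample redirect target are all constructed for the illustration.

```python
"""Added illustration, not IBM's PQ90505 fix code: a header validator that
rejects the CR/LF sequences used for HTTP response splitting, a minimal
response serializer, and a redirect handler that turns a rejected header
into a 500 error plus a log entry, mirroring the behaviour the fix
description gives."""
import re

# Control characters that must never appear in a header value. HTAB (0x09) is
# the one C0 control that RFC 7230 permits inside a field value, so it is
# excluded from the class.
_CTL_IN_VALUE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")
# Anything outside the RFC 7230 token character set is illegal in a header name.
_BAD_NAME = re.compile(r"[^!#$%&'*+\-.^_`|~0-9A-Za-z]")

_REASON = {200: "OK", 302: "Found", 500: "Internal Server Error"}


def validate_header(name, value):
    """Raise ValueError (the analogue of the IllegalArgumentException the fix
    throws) if the name or value could terminate or split the response."""
    if not name or _BAD_NAME.search(name):
        raise ValueError(f"illegal character in header name {name!r}")
    if _CTL_IN_VALUE.search(value):
        raise ValueError(f"illegal control character in value of header {name!r}")


def is_safe_header(name, value):
    """Boolean form of validate_header, convenient for filtering and tests."""
    try:
        validate_header(name, value)
    except ValueError:
        return False
    return True


def serialize_response(status, headers, body=b"", *, check=True):
    """Render a response to bytes. With check=True every header is validated
    first; check=False models a container that lacks the fix."""
    lines = [f"HTTP/1.1 {status} {_REASON[status]}"]
    for name, value in headers:
        if check:
            validate_header(name, value)
        lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def count_responses(raw):
    """Number of HTTP status lines a client parsing this byte stream would see."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3} ", raw))


def build_redirect(location, *, check=True):
    """Emit a 302 to `location`. If validation rejects the header, answer with
    a 500 and record the error, as the fix does via SystemErr.log and FFDC.
    Returns (raw_bytes, log_entries); the log list is a stand-in for the real logs."""
    log = []
    try:
        raw = serialize_response(302, [("Location", location)], check=check)
    except ValueError as exc:
        log.append(f"[SystemErr] ValueError: {exc}")
        raw = serialize_response(500, [("Content-Type", "text/plain")],
                                 b"500 Internal Server Error")
    return raw, log


# Constructed sample: a redirect target carrying CR LF so that, if it is not
# checked, a second complete response is smuggled into the byte stream.
INJECTED_LOCATION = ("/home\r\nContent-Length: 0\r\n\r\n"
                     "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n")

if __name__ == "__main__":
    raw, _ = build_redirect(INJECTED_LOCATION, check=False)
    print("without fix:", count_responses(raw), "responses on the wire")
    raw, log = build_redirect(INJECTED_LOCATION)
    print("with fix:", raw.split(b"\r\n", 1)[0].decode(), "|", log)
```

Running the script shows the unchecked container emitting two status lines for a single request, while the checked path returns one 500 response and one log entry. The validator rejects every C0 control except HTAB rather than only CR and LF, which is the stricter reading of the header grammar and costs nothing for legitimate headers.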

NOTE:
PQ90505_fix.502.jar is for 5.0.2.6, 5.0.2.5, 5.0.2.4, 5.0.2.3
PQ90505_fix.51.jar is for 5.1.1, 5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.2

USERS AFFECTED:
Users of WebSphere Application Server who must prevent response splitting attacks.
 
Prerequisites
Please download the UpdateInstaller below to install this fix.
 
URL                    LANGUAGE     SIZE (Bytes)
V5.0 UpdateInstaller   US English   7250000
V5.1 UpdateInstaller   US English   7250000
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL       LANGUAGE     SIZE (Bytes)
Readme    US English   2333
 
Download package
Download          RELEASE DATE   LANGUAGE     SIZE (Bytes)   Download Options
PQ90505_fix.502   7/14/2004      US English   12410          FTP, DD
PQ90505_fix.51    7/14/2004      US English   12623          FTP, DD
 
Technical support
1-800-IBM-SERV (U.S. Only)
 
Problems (APARS) fixed
PQ90505

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Servlet Engine/Web Container
Operating system(s): Windows
Software version: 5.1.1
Software edition:
Reference #: 4007467
IBM Group: Software Group
Modified date: Nov 10, 2004