Problem (Abstract)
When a particular type of invalid HTTP header is emitted by IBM® WebSphere® Application Server, the header splits the response into two or more responses. Clients that receive such responses can be misled or redirected to a malicious site, exposing client information to a possibly malicious server.
Cause |
The way these types of HTTP headers are currently handled exposes a potential security risk. When a particular type of invalid HTTP header is used, it splits the response into two or more responses. Clients that receive such responses can be misled or redirected to a malicious site, exposing client information to a possibly malicious server. The fix blocks the invalid HTTP headers so that HTTP response splitting cannot occur. If such an invalid header is sent, an IllegalArgumentException is thrown, which results in a 500 server error. The error is logged in FFDC as well as in SystemErr.log.
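The behaviour the technote describes, as an added illustration rather than WebSphere code: a serializer that writes header values verbatim lets one header carrying CR/LF turn a single response into two on the wire, and the fixed path rejects such a header (here a ValueError standing in for WebSphere's IllegalArgumentException) and answers with a 500 plus a log entry. The header values, reason phrases and log text are constructed for the example.

```python
import re

CRLF = "\r\n"
REASONS = {200: "OK", 302: "Found", 500: "Internal Server Error"}

# Constructed sample values (not from the technote): a clean redirect target
# and one carrying CR/LF, the "invalid header" the fix is meant to reject.
GOOD_LOCATION = "/home"
BAD_LOCATION = "/home" + CRLF + CRLF + "HTTP/1.1 200 OK" + CRLF + CRLF


def render_response(status: int, headers: dict) -> bytes:
    """Pre-fix behaviour: header values are written to the wire verbatim."""
    lines = [f"HTTP/1.1 {status} {REASONS.get(status, 'OK')}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1")


def count_responses(raw: bytes) -> int:
    """Count status lines in a byte stream; more than one means the response split."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3}", raw))


def validate_header(name: str, value: str) -> None:
    """The fix: refuse any header whose name or value contains CR or LF.
    In WebSphere this is the IllegalArgumentException the technote describes."""
    if re.search(r"[\r\n]", name + value):
        raise ValueError(f"invalid HTTP header field: {name!r}")


def handle(status: int, headers: dict):
    """Fixed server path. Returns (wire bytes, log entry or None)."""
    try:
        for name, value in headers.items():
            validate_header(name, value)
    except ValueError as exc:
        # As the technote states: the exception becomes a 500 and is logged
        # (FFDC / SystemErr.log). The log line format here is constructed.
        log = f"IllegalArgumentException: {exc}"
        return render_response(500, {"Content-Type": "text/plain"}), log
    return render_response(status, headers), None


if __name__ == "__main__":
    print(count_responses(render_response(302, {"Location": BAD_LOCATION})))  # 2
    wire, log = handle(302, {"Location": BAD_LOCATION})
    print(wire.split(b"\r\n")[0], log)
```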
Versions Affected
This potential vulnerability is found in all versions and editions of IBM® WebSphere® Application Server (for example, V4.0 Advanced and Single Server Editions and V5.0 Express, Base, Enterprise, and Network Deployment Editions).
The fix for this exposure will be incorporated into future releases of IBM WebSphere Application Server. Updates for existing releases will be provided through fix packs or cumulative fixes, when available.
Resolving the problem
If you are running an earlier release of the product than those listed below, upgrade to a supported level of the product before applying the fix. Cumulative fixes and fix packs can be obtained from the WebSphere Application Server support site.
To resolve this issue, select the applicable version, then download and apply the APAR fix or cumulative fix:
- Versions 4.0.7 or later through interim fix APAR PQ91361
- Versions 5.0.2.3 or later through interim fix APAR PQ90505
- Versions 5.1.0.2 or later through interim fix APAR PQ90505
- Versions 5.1.1 or later through interim fix APAR PQ90505

Cross Reference information
- Segment: Application Servers
- Product: Runtimes for Java Technology
- Component: Java SDK