USERS AFFECTED:
WebSphere Application Server must prevent HTTP response splitting attacks.
PROBLEM DESCRIPTION:
When a particular type of invalid HTTP header is used, it splits the
response into two or more responses. Clients that receive such responses
can be misled or redirected to a malicious site, and thus expose client
information to the malicious server. The fix for this vulnerability
blocks the invalid HTTP headers so that HTTP response splitting cannot
occur. If such an invalid header is sent, an IllegalArgumentException
is thrown, which results in a 500 server error. The error is also logged
to FFDC and to SystemErr.log.
RECOMMENDATION:
This fix ensures that HTTP header names and values do not contain the
sequences that make this vulnerability exploitable. Attempts to set such
headers result in an IllegalArgumentException, and the error is written
to the error log.
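As an added example (not IBM's code), the following Java class shows the kind of check the problem description and recommendation above describe: header names are restricted to RFC 7230 token characters and header values may not contain CR, LF or NUL, so a value carrying an embedded line break is rejected with an IllegalArgumentException before it can start a second header or response. The exact character set blocked by the real fix, the class and method names, and the sample values are assumptions.

```java
import java.util.regex.Pattern;

/** Validates HTTP header names and values before they reach the response stream (constructed example). */
public final class HeaderValidator {
    // RFC 7230 "tchar" set: the only characters allowed in a header name.
    private static final Pattern TOKEN = Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");

    /** Rejects names that are empty or contain separators, whitespace or control characters. */
    public static String checkName(String name) {
        if (name == null || !TOKEN.matcher(name).matches()) {
            throw new IllegalArgumentException("Invalid HTTP header name");
        }
        return name;
    }

    /** Rejects values containing CR, LF or NUL, the characters that can split the header block. */
    public static String checkValue(String value) {
        if (value == null) {
            throw new IllegalArgumentException("HTTP header value must not be null");
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == 0) {
                throw new IllegalArgumentException("Illegal character in HTTP header value at index " + i);
            }
        }
        return value;
    }

    /** Builds one header line only after both parts pass the checks. */
    public static String headerLine(String name, String value) {
        return checkName(name) + ": " + checkValue(value) + "\r\n";
    }

    public static void main(String[] args) {
        System.out.print(headerLine("X-Request-Id", "abc123"));
        // Constructed tainted value: the embedded CRLF would begin a second header line if not blocked.
        String tainted = "abc123\r\nX-Injected: constructed";
        try {
            headerLine("X-Request-Id", tainted);
        } catch (IllegalArgumentException e) {
            // The server-side fix described above maps this exception to an HTTP 500 and logs it.
            System.err.println("Rejected header: " + e.getMessage());
        }
    }
}
```

Whether a given application uses this exact character set is an assumption; the page only states that invalid header sequences are blocked and that the failure surfaces as an IllegalArgumentException logged to FFDC and SystemErr.log.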
Prerequisites
NONE
Installation Instructions
Please review the readme.txt for detailed installation
instructions.