Possible security exposure with some versions of IBM WebSphere Application Server when using invalid http headers resulting in response splitting vulnerability (PQ91361 and PQ90505)
 Technote (troubleshooting)
 
Problem(Abstract)
When a particular type of invalid IBM® HTTP server header is used, it splits the response into two or more responses. Clients who receive such responses can be misled or redirected to a malicious site, and thus expose client information to a possible malicious server.
 
Cause
The way these types of HTTP headers are currently handled exposes a potential security risk.
When a particular type of invalid HTTP header is used, it splits the response into two or more responses. Clients who receive such responses can be misled or redirected to a malicious site, and thus expose client information to a possible malicious server. The fix to resolve this vulnerability blocks the invalid HTTP headers so that HTTP response splitting cannot occur. If such an invalid header is sent, an IllegalArgumentException is thrown, which triggers a 500 server error. The error is logged in FFDC, as well as in SystemErr.log.
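As an added illustration (not IBM's or WebSphere's code), the Python sketch below shows the two behaviours the Cause paragraph describes: a serializer that writes header values unchecked, so a value carrying CR/LF turns one response into two, and a hardened serializer that rejects such values before they reach the wire, in the spirit of the IllegalArgumentException the fix raises. The header names, the Location value and the helper functions are constructed for this example.

```python
import re
from typing import Dict

# CR and LF terminate a header line on the wire; any C0 control or DEL in a
# header name or value is treated as invalid (constructed policy for this example).
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def naive_response(status: str, headers: Dict[str, str]) -> str:
    """Serialize a response without validating headers (pre-fix behaviour)."""
    lines = [f"HTTP/1.1 {status}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def validate_header(name: str, value: str) -> None:
    """Reject a header whose name or value could end the line early."""
    if _CTL.search(name) or _CTL.search(value):
        # Analogue of the IllegalArgumentException the WebSphere fix throws.
        raise ValueError(f"invalid control character in header {name!r}")


def hardened_response(status: str, headers: Dict[str, str]) -> str:
    """Serialize a response only after every header passes validation."""
    for name, value in headers.items():
        validate_header(name, value)
    return naive_response(status, headers)


def count_status_lines(raw: str) -> int:
    """Number of HTTP status lines in the wire text; more than one means a split."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1.1 "))


# Constructed sample: a Location value that embeds an end-of-headers sequence
# followed by a second status line, as an untrusted input might.
INJECTED_LOCATION = "/safe\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 0"

if __name__ == "__main__":
    raw = naive_response("302 Found", {"Location": INJECTED_LOCATION})
    print("unchecked serializer produced", count_status_lines(raw), "responses")
    try:
        hardened_response("302 Found", {"Location": INJECTED_LOCATION})
    except ValueError as exc:
        print("hardened serializer rejected it:", exc)
```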

Versions Affected
This potential vulnerability is found in all versions and editions of IBM® WebSphere® Application Server (for example, V4.0 Advanced and Single Server Editions and V5.0 Express, Base, Enterprise, and Network Deployment Editions).

If you are running an earlier release of the product than those listed below, upgrade to a supported level of the product before applying the fix.

The fix for this exposure will be incorporated into future releases of IBM WebSphere Application Server. Updates for existing releases will be provided through fix packs or cumulative fixes, when available.
 
Resolving the problem
If you are running an earlier release of the product than those listed below, upgrade to a supported level of the product before applying the fix. Cumulative fixes and fix packs can be obtained at the WebSphere Application Server support site.
To resolve this issue, select the applicable version, then download and apply the APAR fix or cumulative fix:
  • Versions 4.0.7 or later through interim fix APAR PQ91361
  • Versions 5.0.2.3 or later through interim fix APAR PQ90505
  • Versions 5.1.0.2 or later through interim fix APAR PQ90505
  • Versions 5.1.1 or later through interim fix APAR PQ90505
 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s): Windows
Software version: 5.1.1
Software edition:
Reference #: 1176300
IBM Group: Software Group
Modified date: Aug 16, 2004