Fix (APAR): PQ90505
Status: Fix
Release: 5.1.1, 5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.2, 5.0.2.6, 5.0.2.5, 5.0.2.4, 5.0.2.3
Operating System: All
Supersedes Fixes:
CMVC Defect: SECINT211013
Byte size of APAR: 25033
Date: 2004-07-12

Abstract: HTTP response splitting security vulnerability

Description/symptom of problem:

HTTP response splitting is documented at
http://www.sanctuminc.com/pdf/whitepaper_httpresponse.pdf (author: Amit Klein, Director of Security and Research, Sanctum, Inc.). The paper points out that an invalid HTTP header, one into which attacker-controlled data containing CR/LF characters has been written (typically a Location or Set-Cookie header built from a request parameter), splits the single response the server intended to send into two HTTP responses on the wire. The second, attacker-crafted response can mislead clients and intermediaries (the paper describes web cache poisoning and cross-user defacement among the consequences) and/or cause other security exposures.

This APAR fix blocks invalid HTTP headers, so that a header carrying CR/LF cannot be used to split the response. Please refer to the document cited above for more detail.

Directions to apply fix:

NOTE: YOU MUST FIRST DOWNLOAD THE UPDATE INSTALLER TOOL IN ORDER TO INSTALL A FIX.
The Fix Installer can be downloaded from the following link:
http://www-3.ibm.com/software/webservers/appserv/support/index.html

1) Create a temporary "fix" directory to store the jar file:
   UNIX:    /tmp/WebSphere/fix
   Windows: c:\temp\WebSphere\fix
2) Copy the jar file for your release to that directory.
   NOTE: PQ90505_fix.502.jar is for 5.0.2.6, 5.0.2.5, 5.0.2.4, 5.0.2.3
         PQ90505_fix.51.jar is for 5.1.1, 5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.2
3) Shut down WebSphere.
4) Follow the Fix installation instructions that are packaged with the Fix Installer on how to install the Fix.
5) Restart WebSphere.
6) The temp directory may be removed.

Directions to remove fix:

NOTE: FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED. DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED. YOU MAY REAPPLY ANY REMOVED FIX.
Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and fix3 re-applied.

1) Shut down WebSphere.
2) Follow the instructions that are packaged with the Fix Installer on how to uninstall the Fix.
3) Restart WebSphere.

Directions to re-apply fix:

1) Shut down WebSphere.
2) Follow the Fix instructions that are packaged with the Fix Installer on how to uninstall and reinstall the Fix.
3) Restart WebSphere.

Additional Information:
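The following is an added example, not part of this APAR and not IBM's WebSphere code, written in Python to show what the splitting described above looks like on the wire and what a CR/LF header check of the kind this fix introduces does. The attacker input, the two redirect builders, the header check and the minimal client-side response parser are all constructed for this illustration; the real implementation inside the web container is not shown here.

```python
import re
import urllib.parse

# Constructed attacker input: a redirect-target parameter whose URL-encoded
# CR LF (%0d%0a) sequences end the server's Location header early and smuggle
# a complete second response into the same TCP stream. "<h1>pwned</h1>" is
# 14 bytes, hence the injected "Content-Length: 14".
ATTACKER_INPUT = (
    "/home%0d%0a"
    "Content-Length:%200%0d%0a"
    "%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0a"
    "Content-Type:%20text/html%0d%0a"
    "Content-Length:%2014%0d%0a"
    "%0d%0a"
    "<h1>pwned</h1>"
)

# Characters that must never appear in a header name or value.
HEADER_CTL_RE = re.compile(r"[\r\n\x00]")


class InvalidHeaderValue(ValueError):
    """Raised when a header name or value carries CR, LF or NUL."""


def build_redirect_vulnerable(target_param: str) -> bytes:
    """Vulnerable: the decoded parameter is copied verbatim into Location."""
    location = urllib.parse.unquote(target_param)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def checked_header(name: str, value: str) -> str:
    """Hardened header emitter (hypothetical): refuses any name or value that
    contains CR, LF or NUL, the check a web container applies to block
    response splitting. Returns one well-formed 'Name: value' line."""
    if HEADER_CTL_RE.search(name) or HEADER_CTL_RE.search(value):
        raise InvalidHeaderValue(f"control character in header {name!r}")
    return f"{name}: {value}"


def build_redirect_fixed(target_param: str) -> bytes:
    """Hardened: the same redirect, but every header passes checked_header()."""
    location = urllib.parse.unquote(target_param)
    return (
        "HTTP/1.1 302 Found\r\n"
        + checked_header("Location", location) + "\r\n"
        + checked_header("Content-Length", "0") + "\r\n"
        + "\r\n"
    ).encode("latin-1")


def is_blocked(target_param: str) -> bool:
    """True if the hardened builder rejects the parameter."""
    try:
        build_redirect_fixed(target_param)
    except InvalidHeaderValue:
        return True
    return False


def split_responses(stream: bytes) -> list:
    """Minimal client-side framing of a byte stream into HTTP responses.
    Frames by Content-Length only (no chunked encoding) and stops at the
    first block that does not begin with a status line. That is enough to
    show how a client sees the smuggled second response; real browsers and
    proxies differ in what they do with the trailing bytes, which is what
    makes the attack usable for cache poisoning."""
    responses = []
    pos = 0
    while True:
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        status = lines[0]
        if not status.startswith("HTTP/"):
            break
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        responses.append({
            "status": status,
            "headers": headers,
            "body": stream[body_start:body_start + length],
        })
        pos = body_start + length
    return responses


if __name__ == "__main__":
    for r in split_responses(build_redirect_vulnerable(ATTACKER_INPUT)):
        print(r["status"], r["headers"], r["body"])
    print("hardened builder blocks attacker input:", is_blocked(ATTACKER_INPUT))
```

Run stand-alone, the vulnerable builder yields two parsed responses from one server write: the intended 302 and an attacker-authored 200 whose body the client attributes to the server's origin. The hardened builder raises on the same input and still emits a normal redirect for a clean target; the check is applied after URL decoding, since the CR/LF arrives encoded as %0d%0a and only becomes dangerous once decoded into the header.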