SB2016062401 - HTTP response splitting in IBM WebSphere Application Server
Published: June 24, 2016
Security Bulletin ID
SB2016062401
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Description
This security bulletin contains information about 1 vulnerability.
1) HTTP response splitting attacks (CVE-ID: CVE-2016-0359)
The vulnerability allows a remote attacker to conduct HTTP response splitting attacks. The vulnerability exists due to an input validation error when parsing HTTP requests. A remote unauthenticated attacker can display arbitrary content by submitting a specially crafted URL that causes the target server to return a split response.
Successful exploitation of this vulnerability may allow an attacker to poison the cache of any intermediate proxy server and display arbitrary content in a victim's browser. The attacker might be able to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
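As an added illustration (not WebSphere's code; the redirect handler, header names and sample input are constructed): a handler in the shape the bulletin describes, shown unchecked beside a hardened form that refuses control characters in header values, plus a proxy-side check that counts status lines in a single reply to spot a split response.

```python
import re
from urllib.parse import unquote

# Constructed example: a redirect endpoint copies a decoded URL parameter
# into the Location header. This is the bug shape the bulletin describes,
# not code from WebSphere.

# CR, LF and every other control character except horizontal tab.
_CTL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def build_response(status: str, headers: dict[str, str]) -> bytes:
    """Serialise one HTTP/1.1 response with an empty body."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def redirect_unchecked(target: str) -> bytes:
    """'Before' form: the decoded parameter reaches the header unchecked."""
    return build_response("302 Found",
                          {"Location": unquote(target), "Content-Length": "0"})


def header_value(value: str) -> str:
    """Mitigation: reject any value that could end the header or the response."""
    if _CTL_RE.search(value):
        raise ValueError("control character in header value")
    return value


def redirect_hardened(target: str) -> bytes:
    """'After' form: the same handler with the header value validated."""
    return build_response("302 Found",
                          {"Location": header_value(unquote(target)),
                           "Content-Length": "0"})


def hardened_rejects(target: str) -> bool:
    """True when the hardened handler refuses the parameter."""
    try:
        redirect_hardened(target)
    except ValueError:
        return True
    return False


def count_status_lines(raw: bytes) -> int:
    """Detection at a proxy or in a test: one reply must carry one status line."""
    return len(re.findall(rb"(?m)^HTTP/1\.[01] \d{3}", raw))
```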
Remediation
Install the update from the vendor's website.