
Security Bulletin: HTTP response splitting vulnerability in IBM WebSphere Application Server affects IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-0359)

2019-01-22 16:30:15
www.ibm.com

CVSS v3 base score: 6.1 (Medium)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2 base score: 4.3 (Medium)

Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

There is a potential HTTP response splitting vulnerability in IBM WebSphere Application Server, which is used by IBM Tivoli Netcool Configuration Manager (ITNCM). This issue was disclosed as part of the Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359).

Vulnerability Details

CVEID: CVE-2016-0359
DESCRIPTION: IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using a specially crafted URL to cause the server to return a split response once the URL is clicked. This would allow the attacker to perform further attacks, such as web cache poisoning and cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
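The mechanism behind the description above, as an added example: this is generic illustrative Python, not IBM's code, and it does not reproduce the specific WebSphere defect behind CVE-2016-0359. A redirect handler copies a URL-decoded request parameter straight into the Location header; the CR/LF pairs in the parameter terminate the real response, and everything after them is parsed by a cache or browser as a second, attacker-authored response. The names (build_redirect_vulnerable, build_redirect_hardened, parse_responses, PAYLOAD_ENCODED) and the sample payload are constructed for the example.

```python
"""HTTP response splitting (CRLF injection into a response header).

Illustrative code only: not WebSphere Application Server code and not the
specific CVE-2016-0359 defect. Shows the vulnerable pattern, how a proxy or
browser splits the byte stream into two responses, and the hardened form."""
from urllib.parse import unquote

CRLF = "\r\n"

# Constructed attacker-controlled value for a redirect parameter, as it would
# appear URL-encoded in a link the victim clicks. It closes the real 302 with
# an empty body and appends a complete second response carrying a script.
PAYLOAD_ENCODED = (
    "%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E"
)


def attack_param() -> str:
    """The decoded parameter value as the server sees it after URL decoding."""
    return unquote(PAYLOAD_ENCODED)


def build_redirect_vulnerable(target: str) -> bytes:
    """Vulnerable pattern: a request parameter is written into the Location
    header with no check for CR or LF, so header injection is possible."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + target + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


def header_value_or_reject(value: str) -> str:
    """Hardened check: refuse any header value containing CR, LF or NUL.
    Rejecting (rather than encoding) is what fixed servlet containers do."""
    if any(ch in value for ch in ("\r", "\n", "\0")):
        raise ValueError("CR/LF not permitted in header value")
    return value


def build_redirect_hardened(target: str) -> bytes:
    """Same handler with the header value validated before it is emitted."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + header_value_or_reject(target) + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


def parse_responses(raw: bytes) -> list:
    """Parse a byte stream the way a downstream cache or browser would:
    a sequence of (status_line, headers, body) framed by Content-Length.
    A split response shows up as two entries where one was intended."""
    responses = []
    buf = raw
    while buf:
        head, sep, rest = buf.partition(b"\r\n\r\n")
        if not sep:
            break
        lines = head.split(b"\r\n")
        status = lines[0].decode("latin-1")
        if not status.startswith("HTTP/"):
            break  # leftover bytes, not a response start line
        headers = {}
        for line in lines[1:]:
            name, _, val = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = val.strip()
        length = int(headers.get("content-length", "0"))
        responses.append((status, headers, rest[:length]))
        buf = rest[length:]
    return responses


if __name__ == "__main__":
    for status, _, body in parse_responses(build_redirect_vulnerable(attack_param())):
        print(status, body)
    try:
        build_redirect_hardened(attack_param())
    except ValueError as e:
        print("hardened handler rejected payload:", e)
```

Parsed this way, the vulnerable handler's output yields two responses, the second with status `HTTP/1.1 200 OK` and the injected script as its body, which is the cache-poisoning and cross-site scripting outcome the description lists; the hardened handler raises before any header is written. The same idea serves as a post-patch check in a test environment: request a redirecting endpoint with an encoded `%0d%0a` followed by a marker header and confirm the marker never appears as a header of the response.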

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

· Version 8.5.5 Full Profile and Liberty
· Version 8.5 Full Profile and Liberty
· Version 8.0
· Version 7.0

Included in the following ITNCM releases:

· ITNCM 6.3.0.6 and earlier
· ITNCM 6.4.1.4 and earlier
· ITNCM 6.4.2.2 and earlier

Remediation/Fixes

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| ITNCM | 6.4.2.2 | none | Install WebSphere 8.0.0.13 (24 Oct 2016) |
| ITNCM | 6.4.1.4 | none | Install 6.4.1.4-TIV-ITNCM-IF002, which includes eWAS interim fix PI58918 |
| ITNCM | 6.3.0.6 | none | Install 6.3.0.6-TIV-ITNCM-IF006, which includes eWAS interim fix PI58918 |
