Security Bulletin: A security vulnerability in IBM WebSphere Application Server affects IBM Security Access Manager for Web (CVE-2015-2017)

Summary

IBM Security Access Manager for Web is affected by a HTTP response splitting vulnerability in IBM WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2015-2017**
DESCRIPTION:** The IBM WebSphere Portal is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103991 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Security Access Manager for Web 8.0, all firmware versions

IBM Security Access Manager for Web 9.0, all firmware versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch.

IBM Security Access Manager| 9.0| IV84702| Upgrade to 9.0.1.0:
IBM Security Access Manager V9.0.1 Multiplatform, Multilingual (CRW4EML)