Security Bulletin: HTTP response splitting attack in FastBack for Workstations Central Administration Console (CVE-2016-0359)

Summary

There is a vulnerability in FastBack for Workstations Central Administration Console in the underlying IBM WebSphere Application Server that could allow HTTP response splitting attacks.

Vulnerability Details

CVEID: CVE-2016-0359**
DESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

FastBack for Workstations Central Administration Console v7.1 and v6.3

Remediation/Fixes

Product

| VRMF| First Fixing VRMF level| APAR| Link to Fix / Fix Availability Target
—|—|—|—|—

FastBack for Workstations Central Administration Console

| 7.1| 7.1.4.3

| None

| Windows x64:
[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.4.3-TIV-FB4WKSTNS-CAC-x64_windows&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.4.3-TIV-FB4WKSTNS-CAC-x64_windows&source=SAR>)``
Windows x86:``[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.4.3-TIV-FB4WKSTNS-CAC-x86_windows&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FTivoli%2FTivoli+Storage+Manager+FastBack+for+Workstations&fixids=7.1.4.3-TIV-FB4WKSTNS-CAC-x86_windows&source=SAR>)

FastBack for Workstation Central Administraion Console 6.3:

The fix for CAC 6.3 will be to apply the WAS interim fix pack PI58918 to the version of WAS included with the Tivoli Integrated Portal. In order to obtain the PI58918 fix refer to the WAS security bulletin:<http://www-01.ibm.com/support/docview.wss?uid=swg21982526&gt; click on the link for v7.0.0.0 through v7.0.0.41 interim fix pack PI58918. Click the HTTPS download link for 7.0.0.39-WS-WAS-IFPI58918. There will be a Readme.txt file and a 7.0.0.39-ws-was-ifpi58918.pak file
1. If not already at the CAC 6.3.1.1 version upgrade to this version.
2. Stop the Tivoli Service: Tivoli Intergrated Portal - V2.2_TIPProfile_Port_16310
3. Using the Update Installer application (update.exe) found in the Tivoli Intergrated Portal installation directory
(default location: C:\IBM\Tivoli\Tipv2_fbws\WebSphereUpdateInstallerV7) apply the .pak file downloaded earlier
4. Restart the Tivoli Service or reboot the machine