Jul 16, 2018 - 4:34 p.m.

Security Bulletin: IBM Cúram Universal Access is vulnerable to CRLF Injection attack when not deployed on IBM WebSphere. (CVE-2014-4803)

2018-07-16 16:34:34
www.ibm.com
10

EPSS

0.001

Percentile

29.8%

Summary

The Universal Access component of IBM Cúram Social Program Management, when not deployed on IBM WebSphere Application Server, is vulnerable to a CRLF Injection attack. The flaw is caused by improper sanitization/escaping of a parameter on one page.

Vulnerability Details

CVEID: CVE-2014-4803

A remote attacker could inject CRLF sequences into HTTP headers (HTTP Response Splitting) via parameters on one page. This may lead to attacks in the form of cross-site scripting, cross-user defacement or web cache poisoning.
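To make the mechanism concrete, the following added example (not IBM's code, and not the affected page) contrasts a header builder that copies a decoded request parameter straight into a Location header with a hardened one that rejects CR/LF, and parses the resulting response so a regression test can see whether a second header appeared. The parameter name and the constructed test vector are assumptions for illustration.

```python
import urllib.parse


def header_names(response: bytes) -> list[str]:
    """Return the header names of the first response block, status line excluded."""
    head = response.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]
    return [line.split(b":", 1)[0].decode("latin-1") for line in lines if b":" in line]


def build_redirect_vulnerable(raw_param: str) -> bytes:
    """Servlet-style URL decoding, then the value goes into Location unchecked.

    A CR/LF inside the decoded value ends the Location header early and lets
    the rest of the value be read as further headers (response splitting).
    """
    target = urllib.parse.unquote(raw_param)
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def safe_header_value(value: str) -> str:
    """Reject any header value that carries a carriage return or line feed."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value rejected")
    return value


def build_redirect_hardened(raw_param: str) -> bytes:
    """Same builder, but the decoded value is validated before use."""
    target = safe_header_value(urllib.parse.unquote(raw_param))
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n".encode("latin-1")


def rejects_crlf(raw_param: str) -> bool:
    """True when the hardened builder refuses the parameter."""
    try:
        build_redirect_hardened(raw_param)
    except ValueError:
        return True
    return False


# Constructed regression vector (an assumption, not taken from the bulletin):
# a benign path, an encoded CR/LF, then a harmless marker header.
CONSTRUCTED_PARAM = "/home%0d%0aX-Constructed:%20marker"

if __name__ == "__main__":
    print("vulnerable:", header_names(build_redirect_vulnerable(CONSTRUCTED_PARAM)))
    print("hardened rejects:", rejects_crlf(CONSTRUCTED_PARAM))
```

Running the block shows the vulnerable builder emitting two headers from one parameter, while the hardened builder refuses the value; the same `header_names` check can be run against a deployment's actual responses to confirm a fix.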

CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95305 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

The Cúram product is affected in versions:

6.0 SP2
6.0.4
6.0.5

Remediation/Fixes

Product | VRMF | Remediation/First Fix
—|—|—
Cúram SPM | 6.0 SP2 | Visit IBM Fix Central and upgrade to 6.0 SP2 EP26 or a later interim fix level.
Cúram SPM | 6.0.4 | Visit IBM Fix Central and upgrade to 6.0.4.5 iFix007 or a later interim fix level.
Cúram SPM | 6.0.5 | Visit IBM Fix Central and upgrade to 6.0.5.5 iFix 003 or a later interim fix level.

Workarounds and Mitigations

None

