History: Jun 27, 2018 - 2:23 p.m.

Security Bulletin: IBM Cúram Universal Access V6.0.5.5 can be vulnerable to CRLF Injection attack (CVE-2014-3069)

2018-06-27 14:23:28
www.ibm.com

EPSS: 0.001 (Low), Percentile: 40.4%

Summary

IBM Cúram Universal Access is vulnerable to CRLF Injection attack when not deployed on IBM WebSphere.

Vulnerability Details

CVE ID: CVE-2014-3069

DESCRIPTION:
The Universal Access component of IBM Cúram Social Program Management, when not deployed on IBM WebSphere Application Server, is vulnerable to a CRLF injection attack caused by improper sanitization of user-supplied input that is output into an HTTP response header field. A remote attacker could inject CRLF sequences into HTTP headers in the custom JSPs via multiple unspecified parameters, which would allow the attacker to take control of a user's session or credentials, or in some cases to prepare the web application for further attacks. These come in many forms, including cross-site scripting and HTTP response splitting.

CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94839 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
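The defect class described above (a request parameter copied unchecked into a response header) is illustrated here with an added Python example; it is not IBM's code, and the JSP parameter name, header layout and access-log lines are constructed for the illustration. It places the unsafe header construction beside a hardened one that rejects CR/LF, parses the resulting bytes the way a client would, and flags requests in a log whose query string decodes to a line break.

```python
import re
from urllib.parse import unquote

# Added illustration of the CRLF-in-header defect class, not IBM's code.
# All parameter names, headers and log lines below are constructed.
CRLF_RE = re.compile(r"[\r\n]")

def vulnerable_headers(redirect_target: str) -> bytes:
    """Unsafe pattern: the parameter is copied verbatim into Location.
    A value containing CR/LF ends that header and starts new ones."""
    return (b"HTTP/1.1 302 Found\r\nLocation: "
            + redirect_target.encode("latin-1") + b"\r\n\r\n")

def is_clean_header_value(value: str) -> bool:
    """True only if the value contains no CR, LF or NUL character."""
    return not CRLF_RE.search(value) and "\x00" not in value

def safe_header_value(value: str) -> str:
    """Reject rather than strip, so the attempt stays visible to logging."""
    if not is_clean_header_value(value):
        raise ValueError("CR/LF not allowed in header value")
    return value

def hardened_headers(redirect_target: str) -> bytes:
    """Same header block, built only from a validated value."""
    return (b"HTTP/1.1 302 Found\r\nLocation: "
            + safe_header_value(redirect_target).encode("latin-1") + b"\r\n\r\n")

def header_names(raw: bytes) -> list:
    """Parse the header block as a client would and return the header names."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]          # drop the status line
    return [ln.split(b":", 1)[0].decode("latin-1") for ln in lines if b":" in ln]

# Constructed access-log lines; %0d%0a is the percent-encoded CR/LF that the
# container decodes into the parameter value before a JSP sees it.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Jun/2018:14:23:28 +0000] "GET /ua/home.jsp?next=/account HTTP/1.1" 302 0',
    '10.0.0.9 - - [27/Jun/2018:14:24:01 +0000] "GET /ua/home.jsp?next=/x%0d%0aSet-Cookie:%20sid%3Dabc HTTP/1.1" 302 0',
]

def suspicious_requests(log_lines: list) -> list:
    """Return request targets whose decoded query string contains CR or LF."""
    hits = []
    for line in log_lines:
        m = re.search(r'"\w+ (\S+) HTTP/', line)
        if m and CRLF_RE.search(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits
```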

Affected Products and Versions

Cúram Social Program Management – Universal Access

All products are affected when running code release 6.0.5.5.

Remediation/Fixes

Product | VRMF | Remediation/First Fix
---|---|---
Cúram SPM | 6.0.5.5 | Visit IBM Fix Central and upgrade to iFix 1.

Workarounds and Mitigations

None
