Security Bulletin: IBM WebSphere Application Server Liberty Profile vulnerability affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2016-0359)

Summary

WebSphere Application Server Liberty Profile that is embedded in TADDM is potentially vulnerable to HTTP response splitting

Vulnerability Details

CVEID: CVE-2016-0359**
DESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products and Versions

TADDM 7.3.0.1-7.3.0.3

Remediation/Fixes

There is an eFix prepared on top of TADDM 7.3.0 FixPack 3

Fix

|

VRMF

|

APAR

|

How to acquire fix

—|—|—|—
efix_wlp8558_P161939_FP320160323.zip| 7.3.0.3
(also applicable to 7.3.0.1-2)| None| Download eFix

Please get familiar with eFix readme in etc/<efix_name>_readme.txt
Note that the eFix requires manual deletion of the external/wlp directory.

Workarounds and Mitigations

The solution is to patch the WebSphere Application Server Liberty Profile 8.5.5.8 with Websphere patch PI61936 .
If you need an eFix for other TADDM version, please contact IBM Support. Open a PMR for a custom version of this eFix. Include your current eFix level, TADDM version, and a link to this bulletin.