Security Bulletin: OpenSource Apache Tomcat Vulnerability affects IBM Algorithmics Counterparty Credit Risk

Summary

Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.

Vulnerability Details

CVE-ID: CVE-2016-6816
Description: Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.100
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/119158 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Algo One Versions 5.0.0 through 5.1.0

Remediation/Fixes

Patch Number

| Download URL
—|—
Algo One 510-152| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.1.0.0-Algo-One-RTCE-RHEL-if0152:0&includeSupersedes=0&source=fc&login=true
Algo One 500-350| http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.0-Algo-One-RTCE-RHEL-if0350:0&includeSupersedes=0&source=fc&login=true