CVE-2016-0359

Name of the Vulnerable Software and Affected Versions IBM WebSphere Application Server versions 7.0 through 7.0.0.42 IBM WebSphere Application Server versions 8.0 through 8.0.0.12 IBM WebSphere Application Server 8.5 Full versions prior to 8.5.5.10 IBM WebSphere Application Server 8.5 Liberty versions prior to Liberty Fix Pack 16.0.0.2

Description The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL. This is due to the server's failure to neutralize CRLF sequences, which can be exploited by a remote attacker to inject arbitrary HTTP headers using a specially crafted URL.

Recommendations For IBM WebSphere Application Server versions 7.0 through 7.0.0.42, update to version 7.0.0.43 or later. For IBM WebSphere Application Server versions 8.0 through 8.0.0.12, update to version 8.0.0.13 or later. For IBM WebSphere Application Server 8.5 Full versions prior to 8.5.5.10, update to version 8.5.5.10 or later. For IBM WebSphere Application Server 8.5 Liberty versions prior to Liberty Fix Pack 16.0.0.2, update to Liberty Fix Pack 16.0.0.2 or later.