CVE-2016-2923

Name of the Vulnerable Software and Affected Versions IBM WebSphere Application Server (WAS) versions 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2

Description The issue is related to the absence of the HTTPOnly flag in a Set-Cookie header for an unspecified JAX-RS API cookie. This makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. The vulnerability can be exploited by a remote attacker to gain access to protected information using a script to access the cookie file.

Recommendations For IBM WebSphere Application Server (WAS) versions 8.5 through 8.5.5.9 Liberty before Liberty Fix Pack 16.0.0.2, update to Liberty Fix Pack 16.0.0.2 or later to include the HTTPOnly flag in the Set-Cookie header. As a temporary workaround, consider restricting access to the JAX-RS API to minimize the risk of exploitation.