193 Lotus blogs updated hourly. Who will post next? Home | Blogs | Search | About 
 
Latest 7 Posts
SNOUG 2017 Presentation – SikaConnect goes External
Thu, Mar 23rd 2017 6
Whiteboard in IBM Sametime Meeting 9.0.1 removed
Fri, Mar 17th 2017 7
Wikis content not accessible…
Thu, Jan 26th 2017 9
Automatic WebSphere plugin modification II – PowerShell for Windows
Thu, Dec 1st 2016 8
IBM Connections Docs – file preview not possible for some CCM pdf files
Thu, Nov 17th 2016 7
IBM Connections 5.5 CR2 released
Thu, Nov 10th 2016 11
IBM Connections – How to switch to a custom global unique ID for users
Mon, Nov 7th 2016 10
Top 10
DB2 Instance autostart does not work on SLES 12 / RHEL 7
Tue, Jul 12th 2016 14
Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
Tue, Sep 13th 2016 12
IBM Connections 5.5 CR2 released
Thu, Nov 10th 2016 11
SAML – Enterprise SSO in the WebSphere world
Mon, Jul 20th 2015 10
IBM Connections – How to switch to a custom global unique ID for users
Mon, Nov 7th 2016 10
IBM Connections (SDI aka TDI) – Synchronize users based on group membership
Tue, Feb 3rd 2015 9
IBM Connections 5 CR3 released
Tue, Jul 21st 2015 9
IBM Open Batch program – IBM Champion
Tue, Mar 22nd 2016 9
WebSphere Portal – Change WCM AD Group permissions using memberFixer
Fri, Apr 8th 2016 9
Wikis content not accessible…
Thu, Jan 26th 2017 9


Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)
Twitter Google+ Facebook LinkedIn Addthis Email Gmail Flipboard Reddit Tumblr WhatsApp StumbleUpon Yammer Evernote Delicious
Elke Hildebrandt    

Classification

Score of 6.1 is moderat! Affects IBM WebSphere Application Server (IBM Portal and Connections)! If you need assistance please contact us (support@gis-ag.com) for further procedure.

Link to IBM site

Content:

  1. Summary
  2. Vulnerability Details
  3. Affected Products and Versions
  4. Remediation/Fixes

Summary

There is a potential HTTP response splitting vulnerability in IBM WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2016-0359
DESCRIPTION:
IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server

  • Version 8.5.5 Full Profile and Liberty
  • Version 8.5 Full Profile and Liberty
  • Version 8.0
  • Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI58918 for each named product as soon as practical.

For WebSphere Application Server:
For V8.5.0.0 through 8.5.5.9 Liberty:

· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI58918
–OR–
· Apply Liberty Fix Pack 16.0.0.2 or later (targeted availability 24 June 2016).

For V8.5.0.0 through 8.5.5.9 Full Profile:

· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI58918
–OR–
· Apply Fix Pack 8.5.5.10 or later (targeted availability 15 August 2016).

For V8.0.0.0 through 8.0.0.12:
· Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix PI58918

–OR–
· Apply Fix Pack 8.0.0.13 or later (targeted availability 24 October 2016).

For V7.0.0.0 through 7.0.0.41:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI58918

–OR–
· Apply Fix Pack 7.0.0.43 or later (targeted availability 2Q2017).

Workarounds and Mitigations

none



---------------------
http://techblog.gis-ag.info/2016/09/13/security-bulletin-http-response-splitting-in-websphere-application-server-cve-2016-0359/
Sep 13, 2016
8 hits



Recent Blog Posts
6
SNOUG 2017 Presentation – SikaConnect goes External
Thu, Mar 23rd 2017 1:06p   GIS Techblog
SNOUG 2017 Presentation – SikaConnect goes External Hi all, yesterday I was at SNouG in Zurich. I had a great time there – good speakers and a overall perfectly organized event (would we expect sth. else from Switzerland? ) Raymond Weber from SIKA Informationssysteme AG and I did a session about the SIKA Extranet Feature:
7
Whiteboard in IBM Sametime Meeting 9.0.1 removed
Fri, Mar 17th 2017 10:43a   GIS Techblog
Whiteboard in IBM Sametime Meeting 9.0.1 removed IBM implemented in Sametime Meeting 9.0.1 a whiteboard function as technical preview. Ben described in his articel how to enable this feature: https://collaborationben.com/2016/05/20/whiteboard-in-sametime-9-0-1/ With the current cumulative Fix 901-ST-General-FP-SMOL-AK4G43  for the Meeting Server IBM has removed this function. The response on my PMR was: “I can confirm The Meetings Whiteboard feature release is being put on hold indefinitely.
9
Wikis content not accessible…
Thu, Jan 26th 2017 10:54a   GIS Techblog
Wikis content not accessible… Hi, it`s been quite a long time; many projects at the moment so that blogging needs to wait Last week we had a very interesting problem at one customer’s environment. When accessing a Wiki, the page was displayed blank – no content was available. Browsing to older versions of this wikis worked. The error in the log: Parsing error… Wikis content (the body) gets store in the filesystem as xml files. If you access a Wiki there is a XML parser
8
Automatic WebSphere plugin modification II – PowerShell for Windows
Thu, Dec 1st 2016 6:54p   GIS Techblog
Automatic WebSphere plugin modification II – PowerShell for Windows Hi, some months ago I published a shell script to automatically modify the Primary / BackupServer definition in a WebSphere plugin-cfg.xml file. As we have several Windows customers we decided to transfer this script to PowerShell so that it is also useable for a Windows Cluster installation. My colleague Jan Bruns did a great job implementing this script. It basically works the same way as the Linux script: modifywasplug
7
IBM Connections Docs – file preview not possible for some CCM pdf files
Thu, Nov 17th 2016 2:15p   GIS Techblog
IBM Connections Docs – file preview not possible for some CCM pdf files Hi all, last week we had trouble in a customer environment using the file preview functionality for some pdf files (only those that were uploaded using CCM). Instead of a preview the message was displayed: At the same time we saw the following warning in the log: The mime-type was set to “image/pcl” instead of “application/pdf”… this mime-type is not supported by IBM Docs File viewer. We had to dig deep into th
11
IBM Connections 5.5 CR2 released
Thu, Nov 10th 2016 8:13a   GIS Techblog
IBM Connections 5.5 CR2 released Hi all, IBM released CR2 for IBM Connections 5.5: The Fix list Download the CR Database updates are mandatory (Activities, Files, Homepage, Mobile, Wikis) Filenet updates are mandatory Updates for Community Surveys (Fixes the TLS 1.2 issues) A prerequisite for CR2 is at least WAS 8.5.5 FP9 (let`s see when FP10 will be officially supported) A general step-by-step guide installing CR2 is provided by IBM. A new CR2 version of the Cognos wizard can be downloaded (y
10
IBM Connections – How to switch to a custom global unique ID for users
Mon, Nov 7th 2016 8:59a   GIS Techblog
IBM Connections – How to switch to a custom global unique ID for users Hi, many of our todays support cases is related to non-working profiles in IBM Connections. If users change their name, switch from one to another location or simply get a new account their profile in IBM Connections might get inactivated because the hash key between LDAP and database has changed. There are three possible hash keys: UID: Often a bad choice, as this might change eMail: Also a bad choice GUID: Unique I
5
IBM Connections – add additional login attribute
Wed, Oct 12th 2016 4:17a   GIS Techblog
IBM Connections – add additional login attribute Hi, last week I got the question if it is possible to use another login attribute for IBM Connections than uid, cn or email. Yes, this is possible and can be done very easy. It just needs some small adjustments (I assume that you already extended your LDAP schema and that the custom attribute is available in LDAP!!): 1. Open a wsadmin session ./wsadmin -lang jacl 2. Make a custom login attribute from LDAP known to the PersonAccount entity:
6
IBM Connections – Set read-only access to CCM libraries
Thu, Oct 6th 2016 5:28a   GIS Techblog
IBM Connections – Set read-only access to CCM libraries Hi, we are in the middle of several migrations to IBM Connections 5.5 and most of our customers come up with the question: What do I need CCM for if I can use nested folders in Files now? Many customers decide to manually migration CCM libraries to Files… This time a customer asked us if it is possible to set access to libraries to read-only so that no new files or folders are added to CCM. This is possible using the following
8
Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)
Tue, Sep 13th 2016 4:30a   GIS Techblog
Classification Score of 6.1 is moderat! Affects IBM WebSphere Application Server (IBM Portal and Connections)! If you need assistance please contact us (support@gis-ag.com) for further procedure. Link to IBM site Content: Summary Vulnerability Details Affected Products and Versions Remediation/Fixes Summary There is a potential HTTP response splitting vulnerability in IBM WebSphere Application Server. Vulnerability Details CVEID: CVE-2016-0359 DESCRIPTION: IBM WebSphere Application




Created and Maintained by Yancy Lent - About - Planet Lotus Blog - Advertising - Mobile Edition