CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.43, 8.0 before 8.0.0.13, 8.5 Full before 8.5.5.10, and 8.5 Liberty before Liberty Fix Pack 16.0.0.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.

The remote host appears to be running IBM WebSphere Application Server 8.0.0.x prior to 8.0.0.13.  Such versions are potentially affected by multiple issues :

 - A flaw exists that is triggered as CRLF (Carriage Return and Line Feed) character sequences are not properly sanitized before being included in HTTP responses. This allows a remote attacker to inject additional headers into responses to conduct HTTP response splitting attacks.
 - A flaw exists that is triggered during the handling of specially crafted SIP messages. This may allow a remote attacker to cause a denial of service.
 - An unspecified flaw exists that is triggered during the handling of responses. This may allow a remote attacker gain access to sensitive server identification information.
 - A flaw exists that is due to the program setting insecure unspecified flags on CSRF token cookies, which may allow an attacker to have an unspecified impact. No further details have been provided by the vendor. Based on past disclosures from IBM, this is likely the 'secure' and/or 'HttpOnly' flag.
 - An unspecified flaw exists that is triggered as input is not properly sanitized when deserializing Java objects. This may allow an authenticated remote attacker to potentially execute arbitrary code.

The remote host appears to be running IBM WebSphere Application Server 7.0.0.x prior to 7.0.0.43. Such versions are potentially affected by multiple issues :

 - A flaw exists that is triggered as CRLF (Carriage Return and Line Feed) character sequences are not properly sanitized before being included in HTTP responses. This allows a remote attacker to inject additional headers into responses to conduct HTTP response splitting attacks.
 - A flaw exists that is triggered during the handling of specially crafted SIP messages. This may allow a remote attacker to cause a denial of service.
 - An unspecified flaw exists that is triggered during the handling of responses. This may allow a remote attacker gain access to sensitive server identification information.
 - A flaw exists that is due to the program setting insecure unspecified flags on CSRF token cookies, which may allow an attacker to have an unspecified impact. No further details have been provided by the vendor. Based on past disclosures from IBM, this is likely the 'secure' and/or 'HttpOnly' flag.
 - An unspecified flaw exists that is triggered as input is not properly sanitized when deserializing Java objects. This may allow an authenticated remote attacker to potentially execute arbitrary code.

The remote host appears to be running IBM WebSphere Application Server 8.5 prior to 8.5.5.10.  Such versions are potentially affected by multiple issues :

 - A flaw exists that is triggered as CRLF (Carriage Return and Line Feed) character sequences are not properly sanitized before being included in HTTP responses.  This allows a remote attacker to inject additional headers into responses to conduct HTTP response splitting attacks.
 - A flaw exists that is triggered during the handling of specially crafted SIP messages.  This may allow a remote attacker to cause a denial of service.
 - A flaw exists that is due to the program improperly setting the CSRFtoken cookie.  This may allow an authenticated remote attacker to gain access to potentially sensitive information.
 - An overflow condition exists that is triggered as certain input is not properly validated.  This may allow an authenticated remote attacker to cause a buffer overflow, potentially allowing them to bypass security restrictions and disclose sensitive information.
 - A flaw exists that is due to the program setting insecure unspecified flags on CSRF token cookies, which may allow an attacker to have an unspecified impact.  No further details have been provided by the vendor.  Based on past disclosures from IBM, this is likely the 'secure' and/or 'HttpOnly' flag.

The IBM WebSphere Application Server running on the remote host is version 7.0 prior to 7.0.0.43, 8.0 prior to 8.0.0.13, 8.5 prior to 8.5.5.10, or 16.0 (Liberty) prior to 16.0.0.2. It is, therefore, affected by an HTTP response splitting vulnerability due to a failure to properly sanitize CRLF character sequences before user-supplied input is included in HTTP responses. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted URL link, to inject arbitrary HTTP headers.

ID	Name	Product	Family	Severity
700016	IBM WebSphere Application Server 8.0.0.x < 8.0.0.13 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	low
700015	IBM WebSphere Application Server 7.0.0.x < 7.0.0.43 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	low
9720	IBM WebSphere Application Server 8.5 < 8.5.5.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
92724	IBM WebSphere Application Server 7.0 < 7.0.0.43 / 8.0 < 8.0.0.13 / 8.5 < 8.5.5.10 / Liberty 16.0 < 16.0.0.2 CRLF Sequences HTTP Response Splitting	Nessus	Web Servers	medium

Detections

Analytics

CVE-2016-0359

medium

Tenable Plugins

low

low

medium

medium