IBM Cúram Social Program Management HTTP Response Splitting Vulnerability


Description   A vulnerability has been reported in IBM Cúram Social Program Management, which can be exploited by malicious people to conduct HTTP response splitting attacks.
Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which will be included in a response sent to the user.
Successful exploitation requires IBM Cúram Social Program Management not to be deployed on IBM WebSphere Application Server.
The vulnerability is reported in versions 6.0 SP2, 6.0.4, and 6.0.5.
     
Vulnerable Products   Vulnerable Software:
IBM Cúram Social Program Management 6.x
     
Solution   Apply fix.
6.0 SP2: Update to version 6.0 SP2 EP26.
6.0.4: Update to version 6.0.4.5 iFix007.
6.0.5: Update to version 6.0.5.5 iFix 003.
     
CVE   CVE-2014-4803
     
References   http://www.ibm.com/support/docview.wss?uid=swg21695925
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm                                             Available Since
HTTP Response Splitting : suspicious Content-Length in URL   3.2.0
HTTP Response Splitting : suspicious HTTP/1.x in URL         3.2.0
HTTP Response Splitting : suspicious Set-Cookie in URL       3.2.0
HTTP Response Splitting : suspicious Content-Type in URL     3.5.0
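As an added illustration (not code from the advisory or from IBM), the following Python snippet ties the description above to the IPS alarms listed: the first function rejects a header value that still contains a line break after percent-decoding, which is the condition the advisory describes, and the second flags request URLs that, once decoded, carry a line break followed by one of the header names in the alarm table. The matching rule, the `/app/...` paths and the sample URLs are assumptions constructed for this example, not the ASQ engine's own signatures.

```python
import re
from urllib.parse import unquote

# CR and LF terminate an HTTP header line. If a response header is built from
# untrusted input that contains either, the client parses whatever follows as
# additional headers: the response-splitting condition in the advisory.
_HEADER_BREAK = re.compile(r"[\r\n]")


def header_value_is_safe(value: str) -> bool:
    """True if the value can be placed in a response header without splitting it.
    Percent-decoding is applied first because frameworks commonly decode query
    parameters before echoing them, so '%0d%0a' becomes a real CRLF."""
    return _HEADER_BREAK.search(unquote(value)) is None


def safe_header_value(value: str) -> str:
    """Return the decoded value, or raise if it would break the header line."""
    if not header_value_is_safe(value):
        raise ValueError("CR/LF not allowed in header value")
    return unquote(value)


# Alarm names from the advisory's IPS table, keyed by the header fragment that
# would follow an injected line break in the URL. This matching rule is an
# assumption for illustration only, not the ASQ engine's signature logic.
_ALARMS = {
    "content-length": "HTTP Response Splitting : suspicious Content-Length in URL",
    "http/1.": "HTTP Response Splitting : suspicious HTTP/1.x in URL",
    "set-cookie": "HTTP Response Splitting : suspicious Set-Cookie in URL",
    "content-type": "HTTP Response Splitting : suspicious Content-Type in URL",
}


def classify_url(url: str) -> list[str]:
    """Return the alarm names a request URL would raise: a line break in the
    decoded URL followed (after optional whitespace) by a listed fragment."""
    decoded = unquote(url).lower()
    return [alarm for fragment, alarm in _ALARMS.items()
            if re.search(r"[\r\n]\s*" + re.escape(fragment), decoded)]


# Constructed sample request paths for a log review (not taken from the advisory).
SAMPLE_URLS = [
    "/app/login.jsp?lang=en",
    "/app/redirect.jsp?url=%2Fhome%0d%0aSet-Cookie%3A%20sid%3Dabc",
]


def review(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL to the alarms it triggers (an empty list means clean)."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, alarms in review(SAMPLE_URLS).items():
        print(url, "->", alarms or "clean")
```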
     
Risk level   Low

Vulnerability First Public Report Date   2015-02-13

Target Type   Server

Possible exploit   Remote