IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty HTTP Request Smuggling Vulnerability

Vulnerability

A vulnerability allowing HTTP request smuggling has been identified in the IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty, specifically in versions 8.5 and 9.0. This vulnerability arises from inconsistent interpretation of HTTP requests, which can be exploited through specially crafted requests.

Impact

Exploitation of this vulnerability leads to HTTP request smuggling, allowing an attacker to manipulate the way requests are processed by the server, potentially causing desynchronization between servers or interfering with the application's logic.

Remediation

Users are advised to apply the currently available Web Server Plug-ins interim fix or fix pack that contains the fix for APAR PH71342. For Web Server Plug-ins for IBM WebSphere Application Server V9.0.0.0 through 9.0.5.27, upgrade to the required minimal fix pack level and then apply the interim fix for PH71342, or upgrade to Web Server Plug-ins Fix Pack 9.0.5.28 or later. For V8.5.0.0 through 8.5.5.29, likewise upgrade to the required minimal fix pack level and then apply the interim fix for PH71342, or upgrade to Web Server Plug-ins Fix Pack 8.5.5.30 or later.
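The version ranges above can be turned into a fleet triage check. The following is an added example, not IBM's or this page's own tooling; the inventory line format, hostnames and the `PLACEHOLDER` fix id are constructed assumptions, and only the version boundaries and APAR PH71342 come from the text above.

```python
import re

# Last affected level and first fixed fix pack per stream, from the Remediation text.
STREAMS = {
    (9, 0): ((9, 0, 5, 27), "9.0.5.28"),
    (8, 5): ((8, 5, 5, 29), "8.5.5.30"),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def triage(version, interim_fixes=()):
    """Classify one plug-in install; interim_fixes lists APAR ids reported as installed."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"  # never treat an unreadable version as safe
    v = tuple(int(p) for p in m.groups())
    stream = STREAMS.get(v[:2])
    if stream is None:
        return "not-covered-by-advisory"
    last_affected, fixed_in = stream
    if v > last_affected:
        return "fixed-by-fix-pack"
    if "PH71342" in interim_fixes:
        return "fixed-by-interim-fix"
    return f"affected: apply PH71342 interim fix or upgrade to {fixed_in} or later"

def triage_inventory(text):
    """Parse constructed inventory lines of the form '<host> <version> [APAR,APAR...]'."""
    results = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        version = fields[1] if len(fields) > 1 else ""
        fixes = fields[2].split(",") if len(fields) > 2 else []
        results[fields[0]] = triage(version, fixes)
    return results

# Constructed sample inventory (hostnames and the PLACEHOLDER fix id are made up).
SAMPLE = """\
# host version interim-fixes
web01 9.0.5.27
web02 9.0.5.28
web03 8.5.5.29 PH71342
web04 8.5.5.12 PLACEHOLDER
web05 9.0.5
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

A version inside the affected range is reported as affected unless PH71342 is listed, because the version string alone does not show whether the interim fix was applied.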

Added: May 26, 2026, 10:28 PM
Updated: May 26, 2026, 10:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.8
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.