CVE-2022-34165: IBM WebSphere HTTP header injection vulnerability

CVE-2022-34165
Image: IBM

A security vulnerability patched recently by IBM in its WebSphere Application Server and IBM WebSphere Application Server Liberty products can be exploited by an attacker to conduct cache poisoning and cross-site scripting.

WebSphere Application Server is a software product that performs the role of a web application server. More specifically, it is a software framework and middleware that hosts Java-based web applications. It is the flagship product within IBM’s WebSphere software suite.

Image: IBM

The security hole that allows HTTP header injection is tracked as CVE-2022-34165, and this is “caused by improper validation.” According to IBM, IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to HTTP header injection. This could allow an attacker to conduct various attacks against the vulnerable system, including cache poisoning and cross-site scripting.

WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 are affected, and CVE-2022-34165 also impacts WebSphere Application Server Liberty (version 17.0.0.3 – 22.0.0.9).

The vendor has released patches for this flaw and there is no evidence of exploitation for malicious purposes.

For IBM WebSphere Application Server Liberty 17.0.0.3 – 22.0.0.9:

· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH46816
–OR–
· Apply Fix Pack 22.0.0.10 or later (targeted availability 3Q2022).

For IBM WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.5.13:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH46816
–OR–
· Apply Fix Pack 9.0.5.14 or later (targeted availability 4Q2022).

For V8.5.0.0 through 8.5.5.22:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH46816
–OR–
· Apply Fix Pack 8.5.5.23 or later (targeted availability 1Q2023).

For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH46816

For V7.0.0.0 through 7.0.0.45:
· Upgrade to 7.0.0.45 and  then apply Interim Fix PH46816