
Security Bulletin: IBM UrbanCode Deploy (UCD) is vulnerable to HTTP response splitting due to Netty (CVE-2022-41915)

2023-03-30 19:17:10
www.ibm.com

Tags: ibm urbancode deploy, netty, http response splitting, cve-2022-41915, vulnerability, network communication, affected products, versions, remediation, upgrades, security bulletin, cross-site scripting

CVSS3: 6.5 Medium

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS: 0.002 Low (percentile 57.6%)

Summary

Netty is used by IBM UrbanCode Deploy (UCD) for network communication. An attacker may be able to inject an HTTP/1.1 response header and cause the server to return a split response. (CVE-2022-41915)

Vulnerability Details

**CVEID:** CVE-2022-41915
**DESCRIPTION:** Netty is vulnerable to HTTP response splitting attacks, caused by a flaw when calling DefaultHttpHeaders.set with an iterator of values. A remote attacker could exploit this vulnerability to inject arbitrary HTTP/1.1 response headers in some form and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
**CVSS Base score:** 6.5
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/242595 for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
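The bulletin describes the defect only as a gap in validation on the iterator form of DefaultHttpHeaders.set. The following added example (written for this page; it is not Netty's or IBM's code) models that shape in a minimal header container: the single-value path always rejects control characters in a field value, while the bulk path does so only when the fix is enabled. It also shows the kind of check a defender can run on serialized output: if the wire carries more header lines than values were set, a value has smuggled a line break. The class and function names, and the sample values, are constructed for the illustration.

```python
import re
from typing import Iterable, Union

# Characters that must never appear in an HTTP/1.1 field value (RFC 9110, field-value
# grammar): every control character except HTAB, plus DEL. CR and LF are the
# response-splitting vector this bulletin is about.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def validate_header_value(value: str) -> str:
    """Reject a field value that would terminate the header line early."""
    if _FORBIDDEN.search(value):
        raise ValueError(f"illegal control character in header value: {value!r}")
    return value


class HeaderMap:
    """Minimal header container (assumption: a model, not Netty's DefaultHttpHeaders).

    validate_iterables=False reproduces the shape of the defect the bulletin describes:
    the single-value path validates, the iterable path does not.
    validate_iterables=True is the fixed behaviour: every element is validated.
    """

    def __init__(self, validate_iterables: bool = True):
        self._headers: dict[str, list[str]] = {}
        self._validate_iterables = validate_iterables

    def set(self, name: str, value: Union[str, Iterable[str]]) -> "HeaderMap":
        if isinstance(value, str):
            values = [validate_header_value(value)]  # always validated
        else:
            values = list(value)
            if self._validate_iterables:
                values = [validate_header_value(v) for v in values]
        self._headers[name.lower()] = values
        return self

    def logical_count(self) -> int:
        """Number of header values the application believes it set."""
        return sum(len(v) for v in self._headers.values())

    def encode(self) -> bytes:
        """Serialize as 'name: value' lines terminated by the blank line."""
        lines = [f"{name}: {v}" for name, values in self._headers.items() for v in values]
        return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def count_wire_header_lines(encoded: bytes) -> int:
    """Count header lines the way a receiver parses them: CRLF-separated, up to the blank line."""
    head = encoded.split(b"\r\n\r\n", 1)[0]
    return len([ln for ln in head.split(b"\r\n") if ln])


def headers_were_split(headers: HeaderMap) -> bool:
    """Defensive check: a mismatch between values set and lines on the wire means a
    value carried its own line break (or blank line) into the response."""
    return count_wire_header_lines(headers.encode()) != headers.logical_count()


# Constructed sample inputs: one clean list and one list whose second element
# carries a CRLF followed by an extra header line.
CLEAN = ["no-cache", "no-store"]
TAINTED = ["no-cache", "no-store\r\nX-Injected: yes"]


def demo() -> dict:
    fixed = HeaderMap(validate_iterables=True)
    try:
        fixed.set("Cache-Control", TAINTED)
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True  # fixed path refuses the tainted element

    legacy = HeaderMap(validate_iterables=False).set("Cache-Control", TAINTED)
    return {
        "fixed_rejected": fixed_rejected,            # True
        "legacy_split": headers_were_split(legacy),  # True: 3 wire lines for 2 values
        "legacy_wire_lines": count_wire_header_lines(legacy.encode()),  # 3
    }


if __name__ == "__main__":
    print(demo())
```

The mismatch check is deliberately independent of how headers were set, so it can sit behind any serializer as a last-line assertion in tests or in an outbound filter; the primary control remains validating every element before it is stored, which is what the upgrade in the remediation section provides.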

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| UCD - IBM UrbanCode Deploy | 6.2 - 6.2.7.19 |
| UCD - IBM UrbanCode Deploy | 7.0 - 7.0.5.14 |
| UCD - IBM UrbanCode Deploy | 7.1 - 7.1.2.10 |
| UCD - IBM UrbanCode Deploy | 7.2 - 7.2.3.3 |
| UCD - IBM UrbanCode Deploy | 7.3 - 7.3.0.1 |

Remediation/Fixes

IBM strongly suggests the following:

Upgrade to any of 6.2.7.20, 7.0.5.15, 7.1.2.11, 7.2.3.4, or 7.3.1.0 or later.

Workarounds and Mitigations

None

Affected configurations (Vulners node)

| CPE Name | Operator | Version |
| --- | --- | --- |
| ibm urbancode deploy | eq | 7.3.1.0 |
