Cross-site scripting (XSS) vulnerabilities in Interstage Application Server(CVE-2007-1358). March 3rd, 2009


Notes on using this web page

1. Background and Detected problem(s)

Cross-site scripting (XSS) vulnerabilities have been discovered in the Servlet Service based on Tomcat4.1 or Tomcat5.5.

This information is derived from the vulnerability on the following web site:
CVE-2007-1358: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358

2. Method to temporarily avoid the problem

Check if all following conditions are satisfied.
If they are not, your system is not affected by these vulnerabilities.

  1. The web applications invoke one of the following Servlet APIs:
    1. javax.servlet.ServletRequest#getLocale()
    2. javax.servlet.ServletResponse#getLocales()
  2. The web applications get the value by invoking one of the following method of java.util.Locale class from i:
    1. getCountry()
    2. getLanguage()
    3. getVariant()
  3. The response body includes the value from ii as-is.
    If all conditions are satisfied, take the following action for the values from a), b) and c) of ii:
    • Check if the value is compliant with RFC. If not, do not include it in the response body.
    • If you need to include the value in the response body, be sure to sanitize the value.

3. Corresponding system and Patch information

Corresponding system :GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machine, PRIMEQUEST

Interstage Application Server
ProductsTarget OSPackage namePatch ID.
Interstage Application Server Enterprise Edition 6.0Solaris 8, 9FJSVjs4*
Interstage Application Server Enterprise Edition 7.0Solaris 8, 9FJSVjs4T020LS-07*
Interstage Application Server Standard Edition 7.0Solaris 8, 9FJSVjs4T020LS-07*
Interstage Application Server Plus 7.0Solaris 8, 9FJSVjs4T020LS-07*
Interstage Application Server Enterprise Edition 7.0.1Solaris 8, 9, 10FJSVjs4T020LS-07*
Interstage Application Server Plus 7.0.1Solaris 8, 9, 10FJSVjs4T020LS-07*
Interstage Application Server Enterprise Edition V8.0.0Solaris 9, 10FJSVjs4*
Interstage Application Server Standard-J Edition V8.0.0Solaris 9, 10FJSVjs4*
Interstage Application Server Enterprise Edition V8.0.2Solaris 9, 10FJSVjs4*
Interstage Application Server Standard-J Edition V8.0.2Solaris 9, 10FJSVjs4*
Interstage Application Server Enterprise Edition V8.0.3Solaris 9, 10FJSVjs4*
Interstage Application Server Standard-J Edition V8.0.3Solaris 9, 10FJSVjs4*
Interstage Application Server Enterprise Edition V6.0 for WindowsWindows Server 2003/ Windows 2000/ Windows NT Server 4.0F3FMjs4TP09743*
Interstage Application Server Plus V6.0 for WindowsWindows Server 2003/ Windows 2000/ Windows NT Server 4.0F3FMjs4TP09743*
Interstage Application Server Plus Developer V6.0 for WindowsWindows Server 2003/ Windows 2000/ Windows NT Server 4.0/ Windows XPF3FMjs4TP09743*
Interstage Application Server Enterprise Edition V7.0 for WindowsWindows Server 2003/ Windows 2000F3FMjs4TP09768*
Interstage Application Server Standard Edition V7.0 for WindowsWindows Server 2003/ Windows 2000F3FMjs4TP09768*
Interstage Application Server Plus V7.0 for WindowsWindows Server 2003/ Windows 2000F3FMjs4TP09768*
Interstage Application Server Plus Developer V7.0 for WindowsWindows Server 2003/ Windows 2000/ Windows XPF3FMjs4TP09768*
Interstage Application Server Enterprise Edition V7.0.1 for WindowsWindows Server 2003/ Windows 2000F3FMjs4TP09768*
Interstage Application Server Plus V7.0.1 for WindowsWindows Server 2003/ Windows 2000F3FMjs4TP09768*
Interstage Application Server Enterprise Edition V8.0.0 for WindowsWindows Server 2003/ Windows 2000F3FMjs4*
Interstage Application Server Standard-J Edition V8.0.0 for WindowsWindows Server 2003/ Windows 2000F3FMjs4*
Interstage Application Server Enterprise Edition V8.0.1 for WindowsWindows Server 2003/ Windows 2000F3FMjs4*
Interstage Application Server Standard-J Edition V8.0.1 for WindowsWindows Server 2003/ Windows 2000F3FMjs4*
Interstage Application Server Enterprise Edition V8.0.2 for WindowsWindows Server 2003/ Windows 2000F3FMjs4*
Interstage Application Server Standard-J Edition V8.0.2 for WindowsWindows Server 2003/ Windows 2000F3FMjs4*
Interstage Application Server Enterprise Edition V8.0.3 for WindowsWindows Server 2003/ Windows 2000F3FMjs4*
Interstage Application Server Standard-J Edition V8.0.3 for WindowsWindows Server 2003/ Windows 2000F3FMjs4*
Interstage Application Server Enterprise Edition V9.0.0 for WindowsWindows Server 2003/ Windows 2000F3FMjs4*
Interstage Application Server Standard-J Edition V9.0.0 for WindowsWindows Server 2003/ Windows 2000F3FMjs4*
Interstage Application Server Enterprise Edition V8.0.0 for WindowsWindows Server 2003(IPF)F3FMjs4*
Interstage Application Server Enterprise Edition V8.0.3 for WindowsWindows Server 2003(IPF)F3FMjs4*
Interstage Application Server Enterprise Edition V6.0 for LinuxRHEL-AS3(x86)/ ES3(x86)FJSVjs4*
Interstage Application Server Enterprise Edition V7.0 for LinuxRHEL-AS3(x86)/ ES3(x86)FJSVjs4T00836-06*
Interstage Application Server Standard Edition V7.0 for LinuxRHEL-AS3(x86)/ ES3(x86)FJSVjs4T00836-06*
Interstage Application Server Plus V7.0 for LinuxRHEL-AS3(x86)/ ES3(x86)FJSVjs4T00836-06*
Interstage Application Server Enterprise Edition V8.0.0 for LinuxRHEL-AS4(x86)/ AS4(EM64T)FJSVjs4*
Interstage Application Server Standard-J Edition V8.0.0 for LinuxRHEL-AS4(x86)/ AS4(EM64T)FJSVjs4*
Interstage Application Server Enterprise Edition V8.0.2 for LinuxRHEL-AS4(x86)/ AS4(EM64T)FJSVjs4*
Interstage Application Server Standard-J Edition V8.0.2 for LinuxRHEL-AS4(x86)/ AS4(EM64T)FJSVjs4*
Interstage Application Server Enterprise Edition V8.0.3 for LinuxRHEL-AS4(x86)/ AS4(EM64T)FJSVjs4*
Interstage Application Server Standard-J Edition V8.0.3 for LinuxRHEL-AS4(x86)/ AS4(EM64T)FJSVjs4*
Interstage Application Server Enterprise Edition V7.0 for LinuxRHEL-AS4(IPF)FJSVjs4*
Interstage Application Server Enterprise Edition V8.0.0 for LinuxRHEL-AS4(IPF)FJSVjs4*
Interstage Application Server Enterprise Edition V8.0.1 for LinuxRHEL-AS4(IPF)FJSVjs4*
Interstage Application Server Enterprise Edition V8.0.2 for LinuxRHEL-AS4(IPF)FJSVjs4*
Interstage Application Server Enterprise Edition V8.0.3 for LinuxRHEL-AS4(IPF)FJSVjs4*
Interstage Apworks/Studio
ProductsTarget OSPackage namePatch ID.
Interstage Apworks Modelers-J Edition V6.0 for WindowsWindows Server 2003/ Windows 2000/ Windows NT Server 4.0/ Windows XPF3FMjs4TP09743*
Interstage Apworks Modelers-J Edition V6.0A for WindowsWindows Server 2003/ Windows 2000/ Windows NT Server 4.0/ Windows XPF3FMjs4TP09743*
Interstage Apworks Modelers-J Edition V7.0 for WindowsWindows Server 2003/ Windows 2000/ Windows XPF3FMjs4TP09768*
Interstage Studio Enterprise Edition 8.0.1 for WindowsWindows Server 2003/ Windows 2000/ Windows XPF3FMjs4*
Interstage Studio Standard-J Edition 8.0.1 for WindowsWindows Server 2003/ Windows 2000/ Windows XPF3FMjs4*
Interstage Studio Enterprise Edition 9.0.0 for WindowsWindows Server 2003/ Windows 2000/ Windows XP/ Windows VistaF3FMjs5*
Interstage Studio Standard-J Edition 9.0.0 for WindowsWindows Server 2003/ Windows 2000/ Windows XP/ Windows VistaF3FMjs5*
Interstage Business Application Server
ProductsTarget OSPackage namePatch ID.
Interstage Business Application Server Enterprise Edition 8.0.0 for LinuxRHEL-AS4(IPF)FJSVjs4*
Interstage Job Workload Server
ProductsTarget OSPackage namePatch ID.
Interstage Job Workload Server 8.1.0 for LinuxRHEL-AS4(IPF)FJSVjs4*


* For the Patches without ID nor link, please contact a Fujitsu system engineer or your partner(s).

4. Revision history

  • March 3rd 2009: 2nd release
    • Description about Servlet Service based on Tomcat5.5 has been added to the "1. Background and Detected problem(s)" .
    • Package names for the products listed below have been corrected from F3FMjs4 to F3FMjs5 in "3. Corresponding system and Patch information".
      "Interstage Studio Enterprise Edition 9.0.0 for Windows"
      "Interstage Studio Standard-J Edition 9.0.0 for Windows"
    • Some "Patch ID."s have been added in "3. Corresponding system and Patch information".
  • September 6th, 2007 : Initial release

Top of Page