Skip to main content
  1. Home >
  2. Support >
  3. Products >
  4. Software >
  5. Security >
  6. Fujitsu Patch & TA Information>
  7. This page provides Security Information.

Cross-site scripting (XSS) vulnerabilities in Interstage Application Server(CVE-2007-1358). March 3rd, 2009


Notes on using this web page

1. Background and Detected problem(s)

Cross-site scripting (XSS) vulnerabilities have been discovered in the Servlet Service based on Tomcat4.1 or Tomcat5.5.

This information is derived from the vulnerability on the following web site:
CVE-2007-1358: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358

2. Method to temporarily avoid the problem

Check if all following conditions are satisfied.
If they are not, your system is not affected by these vulnerabilities.

  1. The web applications invoke one of the following Servlet APIs:
    space
    1. javax.servlet.ServletRequest#getLocale()
    2. javax.servlet.ServletResponse#getLocales()
  2. The web applications get the value by invoking one of the following method of java.util.Locale class from i:
    space
    1. getCountry()
    2. getLanguage()
    3. getVariant()
  3. The response body includes the value from ii as-is.
    If all conditions are satisfied, take the following action for the values from a), b) and c) of ii:
    space
    • Check if the value is compliant with RFC. If not, do not include it in the response body.
    • If you need to include the value in the response body, be sure to sanitize the value.

3. Corresponding system and Patch information

Corresponding system :GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machine, PRIMEQUEST

Interstage Application Server
Products Target OS Package name Patch ID.
Interstage Application Server Enterprise Edition 6.0 Solaris 8, 9 FJSVjs4 *
Interstage Application Server Enterprise Edition 7.0 Solaris 8, 9 FJSVjs4 T020LS-07*
Interstage Application Server Standard Edition 7.0 Solaris 8, 9 FJSVjs4 T020LS-07*
Interstage Application Server Plus 7.0 Solaris 8, 9 FJSVjs4 T020LS-07*
Interstage Application Server Enterprise Edition 7.0.1 Solaris 8, 9, 10 FJSVjs4 T020LS-07*
Interstage Application Server Plus 7.0.1 Solaris 8, 9, 10 FJSVjs4 T020LS-07*
Interstage Application Server Enterprise Edition V8.0.0 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Standard-J Edition V8.0.0 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.2 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Standard-J Edition V8.0.2 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.3 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Standard-J Edition V8.0.3 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Enterprise Edition V6.0 for Windows Windows Server 2003/ Windows 2000/ Windows NT Server 4.0 F3FMjs4 TP09743*
Interstage Application Server Plus V6.0 for Windows Windows Server 2003/ Windows 2000/ Windows NT Server 4.0 F3FMjs4 TP09743*
Interstage Application Server Plus Developer V6.0 for Windows Windows Server 2003/ Windows 2000/ Windows NT Server 4.0/ Windows XP F3FMjs4 TP09743*
Interstage Application Server Enterprise Edition V7.0 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 TP09768*
Interstage Application Server Standard Edition V7.0 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 TP09768*
Interstage Application Server Plus V7.0 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 TP09768*
Interstage Application Server Plus Developer V7.0 for Windows Windows Server 2003/ Windows 2000/ Windows XP F3FMjs4 TP09768*
Interstage Application Server Enterprise Edition V7.0.1 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 TP09768*
Interstage Application Server Plus V7.0.1 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 TP09768*
Interstage Application Server Enterprise Edition V8.0.0 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 *
Interstage Application Server Standard-J Edition V8.0.0 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 *
Interstage Application Server Enterprise Edition V8.0.1 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 *
Interstage Application Server Standard-J Edition V8.0.1 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 *
Interstage Application Server Enterprise Edition V8.0.2 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 *
Interstage Application Server Standard-J Edition V8.0.2 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 *
Interstage Application Server Enterprise Edition V8.0.3 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 *
Interstage Application Server Standard-J Edition V8.0.3 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 *
Interstage Application Server Enterprise Edition V9.0.0 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 *
Interstage Application Server Standard-J Edition V9.0.0 for Windows Windows Server 2003/ Windows 2000 F3FMjs4 *
Interstage Application Server Enterprise Edition V8.0.0 for Windows Windows Server 2003(IPF) F3FMjs4 *
Interstage Application Server Enterprise Edition V8.0.3 for Windows Windows Server 2003(IPF) F3FMjs4 *
Interstage Application Server Enterprise Edition V6.0 for Linux RHEL-AS3(x86)/ ES3(x86) FJSVjs4 *
Interstage Application Server Enterprise Edition V7.0 for Linux RHEL-AS3(x86)/ ES3(x86) FJSVjs4 T00836-06*
Interstage Application Server Standard Edition V7.0 for Linux RHEL-AS3(x86)/ ES3(x86) FJSVjs4 T00836-06*
Interstage Application Server Plus V7.0 for Linux RHEL-AS3(x86)/ ES3(x86) FJSVjs4 T00836-06*
Interstage Application Server Enterprise Edition V8.0.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Standard-J Edition V8.0.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.2 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Standard-J Edition V8.0.2 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.3 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Standard-J Edition V8.0.3 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Enterprise Edition V7.0 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.0 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.1 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.2 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.3 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Apworks/Studio
Products Target OS Package name Patch ID.
Interstage Apworks Modelers-J Edition V6.0 for Windows Windows Server 2003/ Windows 2000/ Windows NT Server 4.0/ Windows XP F3FMjs4 TP09743*
Interstage Apworks Modelers-J Edition V6.0A for Windows Windows Server 2003/ Windows 2000/ Windows NT Server 4.0/ Windows XP F3FMjs4 TP09743*
Interstage Apworks Modelers-J Edition V7.0 for Windows Windows Server 2003/ Windows 2000/ Windows XP F3FMjs4 TP09768*
Interstage Studio Enterprise Edition 8.0.1 for Windows Windows Server 2003/ Windows 2000/ Windows XP F3FMjs4 *
Interstage Studio Standard-J Edition 8.0.1 for Windows Windows Server 2003/ Windows 2000/ Windows XP F3FMjs4 *
Interstage Studio Enterprise Edition 9.0.0 for Windows Windows Server 2003/ Windows 2000/ Windows XP/ Windows Vista F3FMjs5 *
Interstage Studio Standard-J Edition 9.0.0 for Windows Windows Server 2003/ Windows 2000/ Windows XP/ Windows Vista F3FMjs5 *
Interstage Business Application Server
Products Target OS Package name Patch ID.
Interstage Business Application Server Enterprise Edition 8.0.0 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Job Workload Server
Products Target OS Package name Patch ID.
Interstage Job Workload Server 8.1.0 for Linux RHEL-AS4(IPF) FJSVjs4 *


* For the Patches without ID nor link, please contact a Fujitsu system engineer or your partner(s).

4. Revision history

  • March 3rd 2009: 2nd release
    space
    • Description about Servlet Service based on Tomcat5.5 has been added to the "1. Background and Detected problem(s)" .
    • Package names for the products listed below have been corrected from F3FMjs4 to F3FMjs5 in "3. Corresponding system and Patch information".
      "Interstage Studio Enterprise Edition 9.0.0 for Windows"
      "Interstage Studio Standard-J Edition 9.0.0 for Windows"
    • Some "Patch ID."s have been added in "3. Corresponding system and Patch information".
  • September 6th, 2007 : Initial release