Cross-site scripting (XSS) vulnerabilities in Interstage Application Server (CVE-2007-1358). March 3rd, 2009
1. Background and Detected problem(s)
Cross-site scripting (XSS) vulnerabilities have been discovered in the Servlet Service based on Tomcat 4.1 or Tomcat 5.5.
This information is derived from the vulnerability described at the following web site:
CVE-2007-1358: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1358
2. Method to temporarily avoid the problem
Check whether all of the following conditions are satisfied.
If they are not, your system is not affected by these vulnerabilities.
i. The web application invokes one of the following Servlet APIs:
   - javax.servlet.ServletRequest#getLocale()
   - javax.servlet.ServletRequest#getLocales()
ii. The web application obtains a value from the java.util.Locale object returned in i by invoking one of the following methods:
   a) getCountry()
   b) getLanguage()
   c) getVariant()
iii. The response body includes the value from ii as-is.
If all conditions are satisfied, take the following action for the values from a), b) and c) of ii:
- Check whether the value is RFC-compliant. If it is not, do not include it in the response body.
- If you need to include the value in the response body, be sure to sanitize the value.
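The two steps of this workaround (reject values that are not RFC-shaped, escape the ones that are before they reach the response body) as a small helper. This is an added example, not Fujitsu or Tomcat code; the class and method names are this example's own, and "RFC-compliant" is taken here to mean the RFC 1766/3066 language-tag grammar (1 to 8 letters for the primary tag, 1 to 8 alphanumerics per subtag), which is an assumption since the advisory does not name the RFC. The sample Locales in main() are constructed to stand in for what a container could hand back from an untrusted Accept-Language header.

```java
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Added example (not Fujitsu/Tomcat code): guards a java.util.Locale that the
 * Servlet container built from the request's Accept-Language header before
 * any of its components are written into HTML. In a servlet this would be
 * called as safeLocaleForHtml(request.getLocale()).
 */
public final class LocaleSafety {

    // Assumed grammar: RFC 1766 Primary-tag = 1*8ALPHA; RFC 3066 subtags
    // additionally allow digits. java.util.Locale joins several variant
    // subtags with '_', so the variant pattern permits that separator.
    private static final Pattern LANGUAGE = Pattern.compile("[A-Za-z]{1,8}");
    private static final Pattern SUBTAG   = Pattern.compile("[A-Za-z0-9]{1,8}");
    private static final Pattern VARIANT  = Pattern.compile("[A-Za-z0-9]{1,8}(_[A-Za-z0-9]{1,8})*");

    private LocaleSafety() {}

    /** Step 1 of the workaround: is every component of this Locale RFC-shaped? */
    public static boolean isRfcCompliant(Locale locale) {
        if (locale == null) {
            return false;
        }
        String language = locale.getLanguage();
        String country  = locale.getCountry();
        String variant  = locale.getVariant();
        return LANGUAGE.matcher(language).matches()
            && (country.isEmpty() || SUBTAG.matcher(country).matches())
            && (variant.isEmpty() || VARIANT.matcher(variant).matches());
    }

    /** Step 2 of the workaround: minimal HTML escaping for text and attribute values. */
    public static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Combined check: a non-compliant Locale is dropped entirely (empty string),
     * a compliant one is escaped before it may be placed in the response body.
     */
    public static String safeLocaleForHtml(Locale locale) {
        if (!isRfcCompliant(locale)) {
            return "";
        }
        return htmlEscape(locale.toString());
    }

    public static void main(String[] args) {
        // Constructed inputs. The legacy Locale constructors do not validate
        // their arguments, which is why a container that builds a Locale
        // straight from the header can return tag-like text from getLanguage().
        Locale good = new Locale("en", "US");
        Locale badLanguage = new Locale("en<em>", "");
        Locale badVariant  = new Locale("en", "US", "<em>");

        System.out.println("good:        " + isRfcCompliant(good)
            + " [" + safeLocaleForHtml(good) + "]");
        System.out.println("badLanguage: " + isRfcCompliant(badLanguage)
            + " [" + safeLocaleForHtml(badLanguage) + "]");
        System.out.println("badVariant:  " + isRfcCompliant(badVariant)
            + " [" + safeLocaleForHtml(badVariant) + "]");
        // Escaping alone, for comparison with the reject-first approach above.
        System.out.println("escaped only: " + htmlEscape(badLanguage.getLanguage()));
    }
}
```

Rejecting first and escaping second matches the order the advisory gives: a value that fails the grammar check never needs to be rendered, and escaping is the safeguard for the values that do. If the application echoes the locale into a JavaScript or URL context rather than HTML text, the escaping function must be replaced with one suited to that context.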
3. Corresponding system and Patch information
Corresponding systems: GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machine, PRIMEQUEST
Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Application Server Enterprise Edition 6.0 | Solaris 8, 9 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition 7.0 | Solaris 8, 9 | FJSVjs4 | T020LS-07* |
Interstage Application Server Standard Edition 7.0 | Solaris 8, 9 | FJSVjs4 | T020LS-07* |
Interstage Application Server Plus 7.0 | Solaris 8, 9 | FJSVjs4 | T020LS-07* |
Interstage Application Server Enterprise Edition 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | T020LS-07* |
Interstage Application Server Plus 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | T020LS-07* |
Interstage Application Server Enterprise Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.3 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.3 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V6.0 for Windows | Windows Server 2003/ Windows 2000/ Windows NT Server 4.0 | F3FMjs4 | TP09743* |
Interstage Application Server Plus V6.0 for Windows | Windows Server 2003/ Windows 2000/ Windows NT Server 4.0 | F3FMjs4 | TP09743* |
Interstage Application Server Plus Developer V6.0 for Windows | Windows Server 2003/ Windows 2000/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | TP09743* |
Interstage Application Server Enterprise Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | TP09768* |
Interstage Application Server Standard Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | TP09768* |
Interstage Application Server Plus V7.0 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | TP09768* |
Interstage Application Server Plus Developer V7.0 for Windows | Windows Server 2003/ Windows 2000/ Windows XP | F3FMjs4 | TP09768* |
Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | TP09768* |
Interstage Application Server Plus V7.0.1 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | TP09768* |
Interstage Application Server Enterprise Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.3 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V8.0.3 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.3 for Windows | Windows Server 2003(IPF) | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V6.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | T00836-06* |
Interstage Application Server Standard Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | T00836-06* |
Interstage Application Server Plus V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | T00836-06* |
Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.3 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.3 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.1 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.3 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Apworks Modelers-J Edition V6.0 for Windows | Windows Server 2003/ Windows 2000/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | TP09743* |
Interstage Apworks Modelers-J Edition V6.0A for Windows | Windows Server 2003/ Windows 2000/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | TP09743* |
Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows Server 2003/ Windows 2000/ Windows XP | F3FMjs4 | TP09768* |
Interstage Studio Enterprise Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000/ Windows XP | F3FMjs4 | * |
Interstage Studio Standard-J Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000/ Windows XP | F3FMjs4 | * |
Interstage Studio Enterprise Edition 9.0.0 for Windows | Windows Server 2003/ Windows 2000/ Windows XP/ Windows Vista | F3FMjs5 | * |
Interstage Studio Standard-J Edition 9.0.0 for Windows | Windows Server 2003/ Windows 2000/ Windows XP/ Windows Vista | F3FMjs5 | * |
Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Business Application Server Enterprise Edition 8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Job Workload Server 8.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
* For patches with neither an ID nor a link, please contact a Fujitsu system engineer or your partner(s).
4. Revision history
- March 3rd, 2009: 2nd release
  - A description of the Servlet Service based on Tomcat 5.5 has been added to "1. Background and Detected problem(s)".
  - The package names for the products listed below have been corrected from F3FMjs4 to F3FMjs5 in "3. Corresponding system and Patch information":
    "Interstage Studio Enterprise Edition 9.0.0 for Windows"
    "Interstage Studio Standard-J Edition 9.0.0 for Windows"
  - Some "Patch ID."s have been added in "3. Corresponding system and Patch information".
- September 6th, 2007: Initial release