Interstage Application Server: Vulnerability may allow access from a non-permitted IP address (CVE-2008-3271)
October 15th, 2008
1. Description
When access control based on IP address is configured, a request from a non-permitted IP address may be accepted.
2. Impact
Although the specific impact depends on the system function, information disclosure is possible because a request from an unauthorized client may be accepted.
For the severity of this vulnerability, see the JVN information in "4. Related information".
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT compatible machine, PRIMEQUEST
3-2. Affected products and required patch
Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Application Server Enterprise Edition 6.0 | Solaris 8, 9 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition 7.0 | Solaris 8, 9 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Standard Edition 7.0 | Solaris 8, 9 | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Plus 7.0 | Solaris 8, 9 | FJSVjs4 | * |
Interstage Application Server Plus 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Standard Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Plus V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | * |
Interstage Application Server Plus V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Plus V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Plus Developer V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | * |
Interstage Application Server Plus Developer V7.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V6.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Standard Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Plus V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.1 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.3 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |

Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Apworks Modelers-J Edition V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | * |
Interstage Apworks Modelers-J Edition V6.0A for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | * |
Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
Interstage Studio Enterprise Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Studio Standard-J Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |

Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Business Application Server Enterprise Edition 8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |

Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Job Workload Server 8.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |

* For patches listed without an ID or link, please contact a Fujitsu system engineer or your partner(s).
Note: Determining the affected product
- [V6 series]
  - Solaris
    To see package information on the FJSVisas package, the following command can be run:
    pkginfo -l FJSVisas
  - Windows
    See the title in the Software Release Guide.
    [Start] -> [Programs] -> [Interstage] -> [Application Server | Apworks] -> [Software Release Guide]
  - Linux
    To see package information on the FJSVisas package, the following command can be run:
    rpm -q FJSVisas
- [V7 series or later]
  Use the isprintvl command.
  isprintvl
3-3. Workaround
None.
4. Related information
This problem corresponds to a vulnerability in Apache Tomcat (JVN#30732239 / CVE-2008-3271).
- JVN#30732239
  Apache Tomcat allows access from a non-permitted IP address
  http://jvn.jp/en/jp/JVN30732239/index.html
- CVE-2008-3271
  Tomcat information disclosure vulnerability
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3271
5. Revision history
- October 15th, 2008: 2nd edition
  Product information on the V9 series is deleted from "3-2. Affected products and required patch".
- October 10th, 2008: Initial release