Interstage Application Server: Vulnerability may allow access from a non-permitted IP address (CVE-2008-3271). October 15th, 2008



1. Description

When access control based on IP address is configured, a request from a non-permitted IP address may be accepted.

2. Impact

The specific impact depends on the system's function, but information disclosure is possible because a request from an unauthorized client may be accepted.

For the severity of this vulnerability, see JVN information in "4. Related information".
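An added example (not part of Fujitsu's advisory): a log audit that flags requests from outside the permitted address ranges that the server nevertheless answered without a rejection. The Common Log Format layout, the sample lines and the `PERMITTED` ranges are constructed assumptions; substitute the server's real log format and access-control list.

```python
import ipaddress
import re

# Constructed sample data: access-log lines in Common Log Format (assumed format).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2008:09:15:02 +0900] "GET /app/index.jsp HTTP/1.1" 200 5120
203.0.113.77 - - [10/Oct/2008:09:15:03 +0900] "GET /app/report.jsp HTTP/1.1" 200 20480
203.0.113.77 - - [10/Oct/2008:09:15:04 +0900] "GET /app/report.jsp HTTP/1.1" 403 312
198.51.100.4 - - [10/Oct/2008:09:16:40 +0900] "POST /app/login HTTP/1.1" 302 0
not a log line
"""

# Hypothetical allowlist mirroring the server's IP-based access-control setting.
PERMITTED = ["192.0.2.0/24", "10.0.0.0/8"]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')


def find_unexpected_accepts(log_text, permitted_cidrs):
    """Return (ip, timestamp, request, status) for each request that came from
    outside the permitted networks yet was not rejected (status below 400)."""
    networks = [ipaddress.ip_network(cidr) for cidr in permitted_cidrs]
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # malformed or non-access line
        host, timestamp, request = match.group(1), match.group(2), match.group(3)
        status = int(match.group(4))
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # client logged as a hostname; needs separate handling
        if any(addr in net for net in networks):
            continue  # permitted client
        if status < 400:
            # A non-permitted client received a normal or redirect response.
            hits.append((str(addr), timestamp, request, status))
    return hits


if __name__ == "__main__":
    for ip, timestamp, request, status in find_unexpected_accepts(SAMPLE_LOG, PERMITTED):
        print(f"{timestamp}  {ip}  {status}  {request}")
```

A rejected request (403) from the same address is expected behaviour and is not reported; only responses that indicate the request was processed are.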

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT compatible machine, PRIMEQUEST

3-2. Affected products and required patch

Interstage Application Server

| Products | Target OS | Package name | Patch ID |
|---|---|---|---|
| Interstage Application Server Enterprise Edition 6.0 | Solaris 8, 9 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition 7.0 | Solaris 8, 9 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | * |
| Interstage Application Server Standard Edition 7.0 | Solaris 8, 9 | FJSVjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | * |
| Interstage Application Server Plus 7.0 | Solaris 8, 9 | FJSVjs4 | * |
| Interstage Application Server Plus 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Standard Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Plus V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | * |
| Interstage Application Server Plus V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Plus V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Plus Developer V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | * |
| Interstage Application Server Plus Developer V7.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V6.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
| Interstage Application Server Standard Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
| Interstage Application Server Plus V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.1 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.3 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |

Interstage Apworks/Studio

| Products | Target OS | Package name | Patch ID |
|---|---|---|---|
| Interstage Apworks Modelers-J Edition V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | * |
| Interstage Apworks Modelers-J Edition V6.0A for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | * |
| Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
| Interstage Studio Enterprise Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Studio Standard-J Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |

Interstage Business Application Server

| Products | Target OS | Package name | Patch ID |
|---|---|---|---|
| Interstage Business Application Server Enterprise Edition 8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |

Interstage Job Workload Server

| Products | Target OS | Package name | Patch ID |
|---|---|---|---|
| Interstage Job Workload Server 8.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |


* For patches without an ID or a link, please contact a Fujitsu system engineer or your partner(s).


Note: Determining the affected product

  • [V6 series]
    • Solaris
      To see package information on the FJSVisas package, the following command can be run:
      pkginfo -l FJSVisas
    • Windows
      See the title in the Software Release Guide.
      [Start]
        -> [Programs]
          -> [Interstage]
            -> [Application Server | Apworks]
              -> [Software Release Guide]
    • Linux
      To see package information on the FJSVisas package, the following command can be run:
      rpm -q FJSVisas
  • [V7 series or later]
    Use the isprintvl command.
    isprintvl

3-3. Workaround

None.

4. Related information

This problem corresponds to a vulnerability in Apache Tomcat (JVN#30732239 / CVE-2008-3271).

5. Revision history

  • October 15th, 2008 : 2nd edition
    Product information on the V9 series was deleted from "3-2. Affected products and required patch".
  • October 10th, 2008 : Initial release
