Interstage Application Server: Information Disclosure Vulnerabilities (CVE-2008-2370/CVE-2008-5515). October 27th, 2010



1. Description

Information disclosure vulnerabilities have been confirmed in the Servlet Service.

Fujitsu provides a workaround, described in "3. Affected systems and corresponding action".
Please apply it as soon as possible.

2. Impact

A remote third party may obtain contents and internal information of a web application whose access is restricted.

For a severity assessment of this vulnerability, see JVN and IPA information in "4. Related information" (Japanese only).

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, SPARC Enterprise, PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machines, PRIMEQUEST

3-2. Affected products and required patch

Interstage Application Server

Products | Target OS | Package name | Patch ID
Interstage Application Server Enterprise Edition 6.0 | Solaris 7, 8, 9 | FJSVjs4 | *
Interstage Application Server Enterprise Edition 7.0 | Solaris 8, 9 | FJSVjs4 | *
Interstage Application Server Enterprise Edition 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | *
Interstage Application Server Enterprise Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | *
Interstage Application Server Enterprise Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | *
Interstage Application Server Enterprise Edition V9.0.0 | Solaris 9, 10 | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.0.0 | Solaris 9, 10 | FJSVjs4 | *
Interstage Application Server Enterprise Edition V9.1.0 | Solaris 9, 10 | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.1.0 | Solaris 9, 10 | FJSVjs4 | *
Interstage Application Server Enterprise Edition V9.1.0B | Solaris 9, 10 | FJSVjs5 | *
Interstage Application Server Standard-J Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | *
Interstage Application Server Standard-J Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | *
Interstage Application Server Standard-J Edition V9.0.0 | Solaris 9, 10 | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.0.0 | Solaris 9, 10 | FJSVjs4 | *
Interstage Application Server Standard-J Edition V9.1.0 | Solaris 9, 10 | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.1.0 | Solaris 9, 10 | FJSVjs4 | *
Interstage Application Server Standard-J Edition V9.1.0B | Solaris 9, 10 | FJSVjs5 | *
Interstage Application Server Plus 7.0 | Solaris 8, 9 | FJSVjs4 | *
Interstage Application Server Plus 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | *
Interstage Application Server Enterprise Edition V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | *
Interstage Application Server Enterprise Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Enterprise Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Enterprise Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Enterprise Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | *
Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Enterprise Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | *
Interstage Application Server Enterprise Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Enterprise Edition V9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs5 | *
Interstage Application Server Enterprise Edition V9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Enterprise Edition V9.1.0B for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs5 | *
Interstage Application Server Standard-J Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Standard-J Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Standard-J Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | *
Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Standard-J Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | *
Interstage Application Server Standard-J Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Standard-J Edition V9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs5 | *
Interstage Application Server Standard-J Edition V9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Standard-J Edition V9.1.0B for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs5 | *
Interstage Application Server Plus V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | *
Interstage Application Server Plus V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Plus V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | *
Interstage Application Server Plus Developer V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | *
Interstage Application Server Plus Developer V7.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | *
Interstage Application Server Enterprise Edition V8.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs4 | *
Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs5 | *
Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs4 | *
Interstage Application Server Enterprise Edition V9.1.0 for Windows | Windows Server 2008(IPF)/ Windows Server 2003(IPF) | F3FMjs5 | *
Interstage Application Server Enterprise Edition V9.1.0 for Windows | Windows Server 2008(IPF)/ Windows Server 2003(IPF) | F3FMjs4 | *
Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs5 | *
Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs4 | *
Interstage Application Server Standard-J Edition V9.1.0 for Windows | Windows Server 2008(IPF)/ Windows Server 2003(IPF) | F3FMjs5 | *
Interstage Application Server Standard-J Edition V9.1.0 for Windows | Windows Server 2008(IPF)/ Windows Server 2003(IPF) | F3FMjs4 | *
Interstage Application Server Enterprise Edition V6.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V7.0.1 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V9.1.0B for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.1.0B for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | *
Interstage Application Server Standard-J Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | *
Interstage Application Server Standard-J Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | *
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | *
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | *
Interstage Application Server Standard-J Edition V9.1.0B for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.1.0B for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | *
Interstage Application Server Plus V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | *
Interstage Application Server Plus V7.0.1 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V8.0.1 for Linux | RHEL-AS4(IPF) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(IPF) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL5(IPF) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V9.0.0A for Linux | RHEL-AS4(IPF) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.0.0A for Linux | RHEL5(IPF) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.0.0A for Linux | RHEL-AS4(IPF) | FJSVjs4 | *
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL5(IPF) | FJSVjs5 | *
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | *
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL5(IPF) | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | *
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL5(IPF) | FJSVjs5 | *
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | *

Interstage Apworks/Studio

Products | Target OS | Package name | Patch ID
Interstage Apworks Modelers-J Edition V6.0 for Windows | Windows 2000 Server/ Windows XP | F3FMjs4 | *
Interstage Apworks Modelers-J Edition V6.0A for Windows | Windows 2000 Server/ Windows XP | F3FMjs4 | *
Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | *
Interstage Studio Enterprise Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | *
Interstage Studio Enterprise Edition 9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | *
Interstage Studio Enterprise Edition 9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | *
Interstage Studio Enterprise Edition 9.1.0B for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | *
Interstage Studio Standard-J Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | *
Interstage Studio Standard-J Edition 9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | *
Interstage Studio Standard-J Edition 9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | *
Interstage Studio Standard-J Edition 9.1.0B for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | *

Interstage Business Application Server

Products | Target OS | Package name | Patch ID
Interstage Business Application Server Enterprise Edition 8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | *

Interstage Job Workload Server

Products | Target OS | Package name | Patch ID
Interstage Job Workload Server 8.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | *


* For patches without an ID or link, please contact a Fujitsu system engineer or your partner(s).


Note: Determining the affected product

  1. Determining the version and level of the product
    • [V6 series]
      • Solaris
        To see package information on the FJSVisas package, please execute the following command:
          pkginfo -l FJSVisas
      • Windows
        See the title in the Software Release Guide.
          [Start]
            -> [Programs]
              -> [Interstage]
                -> [Application Server | Apworks]
                  -> [Software Release Guide]
      • Linux
        To see package information on the FJSVisas package, please execute the following command:
          rpm -q FJSVisas
    • [V7 series or later]
      • Use the isprintvl command.
          isprintvl
  2. Determining the affected web applications
    Whether a web application is affected by the vulnerabilities depends on how the application is written and configured.

    If "Condition 1" is not satisfied, your system is not affected by the vulnerabilities.
    If only "Condition 1" is satisfied, or both "Condition 1" and "Condition 2" are satisfied, please contact our support representative for the workaround.
    • Condition 1: All of the following are satisfied.
      i. The web application invokes one of the following Servlet APIs or JSP actions:
        • The forward or include method of the RequestDispatcher obtained from javax.servlet.ServletContext#getRequestDispatcher(path)
        • The forward or include method of the RequestDispatcher obtained from javax.servlet.ServletRequest#getRequestDispatcher(path)
        • The <jsp:forward page="path"> action of a JSP
        • The <jsp:include page="path"> action of a JSP
      ii. The argument "path" in i includes a query string, which starts with '?'.
      iii. The web application places data sent from a client in the query string in ii.
    • Condition 2:
      Access to specific contents in a web application is restricted by one or more of the following means (i to iii).
      If access to all contents in the web application is restricted, this condition does not apply.
      i. Access restriction is applied in the web application according to the Servlet specification:
        the web application environment definition file (deployment descriptor: web.xml) has a security-constraint element.

        Affected example: restrict access to "Hello" only, by a <security-constraint> element
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Hello</web-resource-name>
              <url-pattern>/Hello.jsp</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>Administrator</role-name>
            </auth-constraint>
          </security-constraint>

        Not affected example: restrict access to all contents by a <security-constraint> element
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>all</web-resource-name>
              <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>Administrator</role-name>
            </auth-constraint>
          </security-constraint>
      ii. Access to the URLs of Servlet service applications is restricted in the web server.

        Affected example: the configuration file of Interstage HTTP Server used as the web server (httpd.conf),
         restricting access to "Hello" only
          <Location /j2eesample/hello.jsp>
            Order deny,allow
            Deny from all
            Allow from 192.168.1.1
          </Location>

        Not affected example: restrict access to all contents
          <Location /j2eesample>
            Order deny,allow
            Deny from all
            Allow from 192.168.1.1
          </Location>
      iii. Access to specific contents in a web application is restricted by some other means, such as a or b below.
        a. The web application implements the access restriction itself.
        b. Access restriction is enforced by hardware or software on the network other than the web server.
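
The code pattern that Condition 1 describes, as an added example that is not part of Fujitsu's advisory or products: a hypothetical servlet (the names GreetingServlet, the "user" parameter and the target /hello.jsp are assumptions) that builds a RequestDispatcher path from client data, beside a hardened form that validates the value and hands it to the target page as a request attribute instead of through the dispatcher's query string.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example, not code from Fujitsu's advisory or products.
// Illustrates the three parts of "Condition 1": a RequestDispatcher
// forward (i), a dispatcher path that carries a query string (ii), and
// client-sent data placed in that query string (iii).
public class GreetingServlet extends HttpServlet {

    // Hypothetical allowlist for the "user" parameter: letters, digits,
    // '_' and '-' only, so the value can never contain '/', '.', '?' or '%'.
    private static final Pattern SAFE_USER = Pattern.compile("[A-Za-z0-9_-]{1,32}");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");

        // Affected pattern (kept as a comment so it is not executed): the raw
        // client value is concatenated into the query string of the dispatcher
        // path, so i, ii and iii of Condition 1 are all satisfied. Such an
        // application falls under the advisory when it also restricts access
        // to only some of its contents (Condition 2).
        //
        //   RequestDispatcher rd = req.getRequestDispatcher("/hello.jsp?user=" + user);
        //   rd.forward(req, resp);

        // Hardened pattern, two changes:
        // 1. Reject any value outside the allowlist instead of forwarding it.
        if (user == null || !SAFE_USER.matcher(user).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // 2. Pass the value as a request attribute rather than through the
        //    dispatcher's query string, so the forwarded path never carries
        //    client-supplied data. The JSP can read it as ${user}.
        req.setAttribute("user", user);
        RequestDispatcher rd = req.getRequestDispatcher("/hello.jsp");
        rd.forward(req, resp);
    }
}
```

The allowlist and the attribute-based hand-off are general hardening measures for this code pattern; the product-level workaround is the one obtained from Fujitsu's support representative as described in 3-3.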

3-3. Workaround

We provide the workaround via our support representative, so please contact us.

4. Related information

This problem corresponds to the Apache Tomcat vulnerabilities CVE-2008-2370 and CVE-2008-5515.

5. Revision history

  • October 27th, 2010 : 2nd edition. The following were updated in "3-2. Affected products and required patch".
    • Added products listed below.
      • Interstage Application Server Enterprise Edition V9.1.0B
      • Interstage Application Server Standard-J Edition V9.1.0B
      • Interstage Application Server Enterprise Edition V9.1.0B for Windows
      • Interstage Application Server Standard-J Edition V9.1.0B for Windows
      • Interstage Application Server Enterprise Edition V9.1.0B for Linux
      • Interstage Application Server Standard-J Edition V9.1.0B for Linux
      • Interstage Studio Enterprise Edition 9.1.0B for Windows
      • Interstage Studio Standard-J Edition 9.1.0B for Windows
    • Added or deleted target OS entries for some products.
  • June 9th, 2009 : Initial release
