Vulnerability in Interstage Application Server Single Sign-on Authentication
June 23rd, 2005
This bulletin provides security information on issues reported to CERT/CC, the coordination center, or detected by Fujitsu's own examination, as of the published date.
Products developed by third parties may be included as subject products. Information about such third-party products may be exactly the same as that provided by the respective third party.
The contents of this bulletin are provided "AS IS" without warranties of any kind, either express or implied (including, without limitation, any implied warranty of merchantability, fitness for a particular purpose and non-infringement). In no event shall Fujitsu be liable for any direct, indirect, special, incidental, consequential, punitive, or any other damages of any kind, including, without limitation, loss of profits and loss of data incurred by a customer arising out of, or in connection with, the use or non-use of any information in this bulletin, even if Fujitsu has been advised of the possibility of such damages.
The information contained in this bulletin will be updated from time to time without notice. Therefore, all customers are advised to always ascertain the latest information. In case of redistribution of this security bulletin, the full text of this statement shall be reproduced.
| [Outline] | | |
|---|---|---|
| Problem | Vulnerability in Interstage Application Server Single Sign-on Authentication. | |
| Manufacturer | Fujitsu Limited | |
| Corresponding products | Windows | Interstage Application Server Enterprise Edition V7.0 for Windows, Interstage Application Server Plus V7.0 for Windows, Interstage Application Server Plus Developer V7.0 for Windows, Interstage Apworks Modelers-J Edition V7.0 for Windows |
| | Solaris | Interstage Application Server Enterprise Edition 7.0, Interstage Application Server Plus 7.0 |
| Corresponding system | PRIMEPOWER, Sun-compatible machine, PRIMERGY, GP5000, CELSIUS, FMV, AT-compatible machine | |
| Impact | The vulnerability can be exploited as a method of attack such as phishing. | |
| Method to temporarily avoid the problem | None | |
| Patch | Some | |
1. Background
There is a vulnerability in Interstage Application Server single sign-on authentication. This may allow an attacker to lead a user to an unexpected website. As a result, the vulnerability can be exploited as a method of attack such as phishing.
Fujitsu provides the security patches shown in section 5. Please apply them as soon as possible.
2. Range of corresponding system(s)
| Corresponding command/file | Products | Target OS |
|---|---|---|
| F3FMssoatcag.dll, F3FMssomsg.dll, F3FMssoutils.dll | Interstage Application Server Enterprise Edition V7.0 for Windows | Windows |
| F3FMssoatcag.dll, F3FMssomsg.dll, F3FMssoutils.dll | Interstage Application Server Plus V7.0 for Windows | Windows |
| F3FMssoatcag.dll, F3FMssomsg.dll, F3FMssoutils.dll | Interstage Application Server Plus Developer V7.0 for Windows | Windows |
| F3FMssoatcag.dll, F3FMssomsg.dll, F3FMssoutils.dll | Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows |
| ssoatcag.so, libssoutils.so | Interstage Application Server Enterprise Edition 7.0 | Solaris |
| ssoatcag.so, libssoutils.so | Interstage Application Server Plus 7.0 | Solaris |
3. Detected problem(s)
There is a vulnerability in Interstage Application Server single sign-on authentication. This may allow an attacker to lead a user to an unexpected website. As a result, the vulnerability can be exploited as a method of attack such as phishing.
4. Method to temporarily avoid the problem
None.
5. Patch information
| Products | Target OS | Package name | Package ID |
|---|---|---|---|
| Interstage Application Server Enterprise Edition V7.0 for Windows | Windows | F3FMsso | TP37489* |
| Interstage Application Server Plus V7.0 for Windows | Windows | F3FMsso | TP37489* |
| Interstage Application Server Plus Developer V7.0 for Windows | Windows | F3FMsso | TP37489* |
| Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows | F3FMsso | TP37489* |
| Interstage Application Server Enterprise Edition 7.0 | Solaris | FJSVssoac | T013NS-01* |
| Interstage Application Server Enterprise Edition 7.0 | Solaris | FJSVssocm | T013PS-01* |
| Interstage Application Server Plus 7.0 | Solaris | FJSVssoac | T013NS-01* |
| Interstage Application Server Plus 7.0 | Solaris | FJSVssocm | T013PS-01* |
* For patches without an ID or link, please contact a Fujitsu system engineer or your partner(s).
6. Revision history
- June 23rd, 2005: Initial release
