Cross-site scripting (XSS) vulnerability in Interstage HTTP Server January 18th, 2008
1. Background and Detected problem(s)
The following security vulnerability has been confirmed in the Interstage HTTP Server which is bundled with Interstage Application Server, Interstage Apworks and Interstage Studio.
Cross Site Scripting (XSS) vulnerability on receiving an invalid HTTP request.
This corresponds to CVE-2006-3918.
Fujitsu provides security patches shown in 3.
Please apply them as soon as possible.
2. Method to temporarily avoid the problem
In order to avoid execution of a script on a client, set the ErrorDocument Directive in the environment file (httpd.conf) to use a fixed error message for an error page corresponding to status code '417'.
Example: ErrorDocument 417 "Expectation Failed.
3. Corresponding system and Patch information
Corresponding system : GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, FMV, PRIMEQUEST
| Products | Target OS | Package name | Patch ID. |
|---|---|---|---|
| Interstage Application Server Enterprise Edition V5.0 for Windows | Windows | F3FMihs | TP09615 |
| Interstage Application Server Standard Edition V5.0 for Windows | Windows | F3FMihs | TP09615 |
| Interstage Application Server Web-J Edition V5.0 for Windows | Windows | F3FMihs | TP09615 |
| Interstage Application Server Plus V5.0.1 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Plus Developer V5.0.1 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Enterprise Edition V6.0 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Plus V6.0 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Plus Developer V6.0 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Enterprise Edition V7.0 for Windows | Windows | F3FMihs | TP39615 |
| Interstage Application Server Plus V7.0 for Windows | Windows | F3FMihs | TP39615 |
| Interstage Application Server Plus Developer V7.0 for Windows | Windows | F3FMihs | TP39615 |
| Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows | F3FMihs | TP39615 |
| Interstage Application Server Plus V7.0.1 for Windows | Windows | F3FMihs | TP39615 |
| Interstage Application Server Enterprise Edition 8.0.0 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Standard-J Edition 8.0.0 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Enterprise Edition 8.0.1 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Standard-J Edition 8.0.1 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Enterprise Edition 8.0.2 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Standard-J Edition 8.0.2 for Windows | Windows | F3FMihs | - |
| Interstage Apworks Modelers-J Edition V6.0 for Windows | Windows | F3FMihs | - |
| Interstage Apworks Modelers-J Edition V6.0A for Windows | Windows | F3FMihs | - |
| Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows | F3FMihs | TP39615 |
| Interstage Apworks Enterprise Edition 8.0.0 for Windows | Windows | F3FMihs | - |
| Interstage Apworks Standard-J Edition 8.0.0 for Windows | Windows | F3FMihs | - |
| Interstage Studio Enterprise Edition 8.0.1 for Windows | Windows | F3FMihs | - |
| Interstage Studio Standard-J Edition 8.0.1 for Windows | Windows | F3FMihs | - |
| Interstage Application Server Enterprise Edition 5.0 | Solaris | FJSVihs | 912327-10 |
| Interstage Application Server Standard Edition 5.0 | Solaris | FJSVihs | 912327-10 |
| Interstage Application Server Web-J Edition 5.0 | Solaris | FJSVihs | 912327-10 |
| Interstage Application Server Enterprise Edition 5.0.1 | Solaris | FJSVihs | - |
| Interstage Application Server Enterprise Edition 6.0 | Solaris | FJSVihs | T0103S-06 |
| Interstage Application Server Enterprise Edition 7.0 | Solaris | FJSVihs | T013RS-05 |
| Interstage Application Server Plus 7.0 | Solaris | FJSVihs | T013RS-05 |
| Interstage Application Server Enterprise Edition 7.0.1 | Solaris | FJSVihs | T023AS-04 |
| Interstage Application Server Plus 7.0.1 | Solaris | FJSVihs | T023AS-04 |
| Interstage Application Server Enterprise Edition 8.0.0 | Solaris | FJSVihs | - |
| Interstage Application Server Standard-J Edition 8.0.0 | Solaris | FJSVihs | - |
| Interstage Application Server Enterprise Edition 8.0.2 | Solaris | FJSVihs | - |
| Interstage Application Server Standard-J Edition 8.0.2 | Solaris | FJSVihs | - |
| Interstage Application Server Enterprise Edition V5.0 | Turbolinux 7 Server | FJSVihs | T00019-09 |
| Interstage Application Server Standard Edition V5.0 | Turbolinux 7 Server | FJSVihs | T00019-09 |
| Interstage Application Server Web-J Edition V5.0 | Turbolinux 7 Server | FJSVihs | T00019-09 |
| Interstage Application Server Enterprise Edition V6.0 | RHEL-AS3(x86)/ES3(x86) | FJSVihs | - |
| Interstage Application Server Enterprise Edition V7.0 | RHEL-AS3(x86)/ES3(x86) | FJSVihs | T00603-04 |
| Interstage Application Server Plus V7.0 | RHEL-AS3(x86)/ES3(x86) | FJSVihs | T00603-04 |
| Interstage Application Server Enterprise Edition V7.0.1 | RHEL-AS3(x86)/ES3(x86)/AS4(x86) | FJSVihs | T00603-04 |
| Interstage Application Server Plus V7.0.1 | RHEL-AS3(x86)/ES3(x86)/AS4(x86) | FJSVihs | T00603-04 |
| Interstage Application Server Enterprise Edition 8.0.0 | RHEL-AS4(x86)/AS4(EM64T) | FJSVihs | - |
| Interstage Application Server Standard-J Edition 8.0.0 | RHEL-AS4(x86)/AS4(EM64T) | FJSVihs | - |
| Interstage Application Server Enterprise Edition 8.0.2 | RHEL-AS4(x86)/AS4(EM64T) | FJSVihs | - |
| Interstage Application Server Standard-J Edition 8.0.2 | RHEL-AS4(x86)/AS4(EM64T) | FJSVihs | - |
| Interstage Application Server Enterprise Edition V7.0 | RHEL-AS4(IPF) | FJSVihs | - |
| Interstage Application Server Enterprise Edition 8.0.0 | RHEL-AS4(IPF) | FJSVihs | - |
| Interstage Application Server Enterprise Edition 8.0.1 | RHEL-AS4(IPF) | FJSVihs | - |
| Interstage Application Server Enterprise Edition 8.0.2 | RHEL-AS4(IPF) | FJSVihs | - |
| Interstage Business Application Server Enterprise Edition 8.0.0 | RHEL-AS4(IPF) | FJSVihs | - |
| Interstage Job Workload Server 8.1.0 | RHEL-AS4(IPF) | FJSVihs | - |
For the Patches without ID or link, please contact a Fujitsu system engineer.
4. Revision history
- January 18th, 2008 :
- The following products have been added to "3. Corresponding system and Patch information":
- Interstage Business Application Server Enterprise Edition 8.0.0 RHEL-AS4(IPF)
- Interstage Job Workload Server 8.1.0 RHEL-AS4(IPF) - Stopped and Corrected patch ID in "3. Corresponding system and Patch information"
Defects were found in patches that were released in the 2nd edition, so the release was stopped. Patches in which defects were found are shown in "Patch ID." of "3. Corresponding system and Patch information".
The table below maps the patch for which release was stopped and the corrected version of the defective patch.
- The following products have been added to "3. Corresponding system and Patch information":
| Patch for which release was stopped | Corrected version of defective patch |
|---|---|
| TP08940 | TP09615 |
| TP38940 | TP39615 |
| 912327-09 | 912327-10 |
| T0103S-05 | T0103S-06 |
| T013RS-04 | T013RS-05 |
| T023AS-02 | T023AS-04 |
| T00019-08 | T00019-09 |
| T00603-03 | T00603-04 |
- February 6th, 2007 : Added patch ID in "3. Corresponding system and Patch information"
- October 12th, 2006 : Initial release
