Skip to main content

Fujitsu

Global

  1. Home >
  2. Support & Downloads >
  3. Software >
  4. Security >
  5. Fujitsu Patch & TA Information >
  6. This page provides Security Information.

Interstage Application Server: Information Disclosure Vulnerabilities(CVE-2008-2370/CVE-2008-5515). October 27th, 2010


Notes on using this web page

1. Description

Information disclosure vulnerabilities are confirmed in the Servlet Service.

Fujitsu provides workaround shown in “3. Affected products and required patches.”.
Please apply them as soon as possible.

2. Impact

A remote third party can get contents and inside information included in a web application that has restricted access.

For a severity assessment of this vulnerability, see JVN and IPA information in "4. Related information" (Japanese only).

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, SPARC Enterprise, PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machines, PRIMEQUEST

3-2. Affected products and required patch

Interstage Application Server
Products Target OS Package name Patch ID.
Interstage Application Server Enterprise Edition 6.0 Solaris 7, 8, 9 FJSVjs4 *
Interstage Application Server Enterprise Edition 7.0 Solaris 8, 9 FJSVjs4 *
Interstage Application Server Enterprise Edition 7.0.1 Solaris 8, 9, 10 FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.0 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.2 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Enterprise Edition V9.0.0 Solaris 9, 10 FJSVjs5 *
Interstage Application Server Enterprise Edition V9.0.0 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Enterprise Edition V9.1.0 Solaris 9, 10 FJSVjs5 *
Interstage Application Server Enterprise Edition V9.1.0 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Enterprise Edition V9.1.0B Solaris 9, 10 FJSVjs5 *
Interstage Application Server Standard-J Edition V8.0.0 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Standard-J Edition V8.0.2 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Standard-J Edition V9.0.0 Solaris 9, 10 FJSVjs5 *
Interstage Application Server Standard-J Edition V9.0.0 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Standard-J Edition V9.1.0 Solaris 9, 10 FJSVjs5 *
Interstage Application Server Standard-J Edition V9.1.0 Solaris 9, 10 FJSVjs4 *
Interstage Application Server Standard-J Edition V9.1.0B Solaris 9, 10 FJSVjs5 *
Interstage Application Server Plus 7.0 Solaris 8, 9 FJSVjs4 *
Interstage Application Server Plus 7.0.1 Solaris 8, 9, 10 FJSVjs4 *
Interstage Application Server Enterprise Edition V6.0 for Windows Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 F3FMjs4 *
Interstage Application Server Enterprise Edition V7.0 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Enterprise Edition V7.0.1 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Enterprise Edition V8.0.0 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Enterprise Edition V8.0.1 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Enterprise Edition V8.0.2 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Enterprise Edition V9.0.0 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs5 *
Interstage Application Server Enterprise Edition V9.0.0 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Enterprise Edition V9.0.0A for Windows Windows Server 2003/ Windows 2000 Server F3FMjs5 *
Interstage Application Server Enterprise Edition V9.0.0A for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Enterprise Edition V9.1.0 for Windows Windows Server 2008/ Windows Server 2003/ Windows 2000 Server F3FMjs5 *
Interstage Application Server Enterprise Edition V9.1.0 for Windows Windows Server 2008/ Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Enterprise Edition V9.1.0B for Windows Windows Server 2008/ Windows Server 2003/ Windows 2000 Server F3FMjs5 *
Interstage Application Server Standard-J Edition V8.0.0 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Standard-J Edition V8.0.1 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Standard-J Edition V8.0.2 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Standard-J Edition V9.0.0 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs5 *
Interstage Application Server Standard-J Edition V9.0.0 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Standard-J Edition V9.0.0A for Windows Windows Server 2003/ Windows 2000 Server F3FMjs5 *
Interstage Application Server Standard-J Edition V9.0.0A for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Standard-J Edition V9.1.0 for Windows Windows Server 2008/ Windows Server 2003/ Windows 2000 Server F3FMjs5 *
Interstage Application Server Standard-J Edition V9.1.0 for Windows Windows Server 2008/ Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Standard-J Edition V9.1.0B for Windows Windows Server 2008/ Windows Server 2003/ Windows 2000 Server F3FMjs5 *
Interstage Application Server Plus V6.0 for Windows Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 F3FMjs4 *
Interstage Application Server Plus V7.0 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Plus V7.0.1 for Windows Windows Server 2003/ Windows 2000 Server F3FMjs4 *
Interstage Application Server Plus Developer V6.0 for Windows Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0/ Windows XP F3FMjs4 *
Interstage Application Server Plus Developer V7.0 for Windows Windows Server 2003/ Windows 2000 Server/ Windows XP F3FMjs4 *
Interstage Application Server Enterprise Edition V8.0.0 for Windows Windows Server 2003(IPF) F3FMjs4 *
Interstage Application Server Enterprise Edition V9.0.0 for Windows Windows Server 2003(IPF) F3FMjs5 *
Interstage Application Server Enterprise Edition V9.0.0 for Windows Windows Server 2003(IPF) F3FMjs4 *
Interstage Application Server Enterprise Edition V9.1.0 for Windows Windows Server 2008(IPF)/ Windows Server 2003(IPF) F3FMjs5 *
Interstage Application Server Enterprise Edition V9.1.0 for Windows Windows Server 2008(IPF)/ Windows Server 2003(IPF) F3FMjs4 *
Interstage Application Server Standard-J Edition V9.0.0 for Windows Windows Server 2003(IPF) F3FMjs5 *
Interstage Application Server Standard-J Edition V9.0.0 for Windows Windows Server 2003(IPF) F3FMjs4 *
Interstage Application Server Standard-J Edition V9.1.0 for Windows Windows Server 2008(IPF)/ Windows Server 2003(IPF) F3FMjs5 *
Interstage Application Server Standard-J Edition V9.1.0 for Windows Windows Server 2008(IPF)/ Windows Server 2003(IPF) F3FMjs4 *
Interstage Application Server Enterprise Edition V6.0 for Linux RHEL-AS3(x86)/ ES3(x86) FJSVjs4 *
Interstage Application Server Enterprise Edition V7.0 for Linux RHEL-AS3(x86)/ ES3(x86) FJSVjs4 *
Interstage Application Server Enterprise Edition V7.0.1 for Linux RHEL-AS3(x86)/ ES3(x86) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.2 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Enterprise Edition V9.0.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.0.0 for Linux RHEL5(x86)/ RHEL5(Intel64) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.0.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Enterprise Edition V9.1.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.1.0 for Linux RHEL5(x86)/ RHEL5(Intel64) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.1.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Enterprise Edition V9.1.0B for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.1.0B for Linux RHEL5(x86)/ RHEL5(Intel64) FJSVjs5 *
Interstage Application Server Standard-J Edition V8.0.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Standard-J Edition V8.0.2 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Standard-J Edition V9.0.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs5 *
Interstage Application Server Standard-J Edition V9.0.0 for Linux RHEL5(x86)/ RHEL5(Intel64) FJSVjs5 *
Interstage Application Server Standard-J Edition V9.0.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Standard-J Edition V9.1.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs5 *
Interstage Application Server Standard-J Edition V9.1.0 for Linux RHEL5(x86)/ RHEL5(Intel64) FJSVjs5 *
Interstage Application Server Standard-J Edition V9.1.0 for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs4 *
Interstage Application Server Standard-J Edition V9.1.0B for Linux RHEL-AS4(x86)/ AS4(EM64T) FJSVjs5 *
Interstage Application Server Standard-J Edition V9.1.0B for Linux RHEL5(x86)/ RHEL5(Intel64) FJSVjs5 *
Interstage Application Server Plus V7.0 for Linux RHEL-AS3(x86)/ ES3(x86) FJSVjs4 *
Interstage Application Server Plus V7.0.1 for Linux RHEL-AS3(x86)/ ES3(x86) FJSVjs4 *
Interstage Application Server Enterprise Edition V7.0 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.0 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.1 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Enterprise Edition V8.0.2 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Enterprise Edition V9.0.0 for Linux RHEL-AS4(IPF) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.0.0 for Linux RHEL5(IPF) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.0.0 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Enterprise Edition V9.0.0A for Linux RHEL-AS4(IPF) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.0.0A for Linux RHEL5(IPF) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.0.0A for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Enterprise Edition V9.1.0 for Linux RHEL-AS4(IPF) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.1.0 for Linux RHEL5(IPF) FJSVjs5 *
Interstage Application Server Enterprise Edition V9.1.0 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Standard-J Edition V9.0.0 for Linux RHEL-AS4(IPF) FJSVjs5 *
Interstage Application Server Standard-J Edition V9.0.0 for Linux RHEL5(IPF) FJSVjs5 *
Interstage Application Server Standard-J Edition V9.0.0 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Application Server Standard-J Edition V9.1.0 for Linux RHEL-AS4(IPF) FJSVjs5 *
Interstage Application Server Standard-J Edition V9.1.0 for Linux RHEL5(IPF) FJSVjs5 *
Interstage Application Server Standard-J Edition V9.1.0 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Apworks/Studio
Products Target OS Package name Patch ID.
Interstage Apworks Modelers-J Edition V6.0 for Windows Windows 2000 Server/ Windows XP F3FMjs4 *
Interstage Apworks Modelers-J Edition V6.0A for Windows Windows 2000 Server/ Windows XP F3FMjs4 *
Interstage Apworks Modelers-J Edition V7.0 for Windows Windows Server 2003/ Windows 2000 Server/ Windows XP F3FMjs4 *
Interstage Studio Enterprise Edition 8.0.1 for Windows Windows Server 2003/ Windows 2000 Server/ Windows XP F3FMjs4 *
Interstage Studio Enterprise Edition 9.0.0 for Windows Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista F3FMjs5 *
Interstage Studio Enterprise Edition 9.1.0 for Windows Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista F3FMjs5 *
Interstage Studio Enterprise Edition 9.1.0B for Windows Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista F3FMjs5 *
Interstage Studio Standard-J Edition 8.0.1 for Windows Windows Server 2003/ Windows 2000 Server/ Windows XP F3FMjs4 *
Interstage Studio Standard-J Edition 9.0.0 for Windows Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista F3FMjs5 *
Interstage Studio Standard-J Edition 9.1.0 for Windows Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista F3FMjs5 *
Interstage Studio Standard-J Edition 9.1.0B for Windows Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista F3FMjs5 *
Interstage Business Application Server
Products Target OS Package name Patch ID.
Interstage Business Application Server Enterprise Edition 8.0.0 for Linux RHEL-AS4(IPF) FJSVjs4 *
Interstage Job Workload Server
Products Target OS Package name Patch ID.
Interstage Job Workload Server 8.1.0 for Linux RHEL-AS4(IPF) FJSVjs4 *


* For the patches without ID nor link, please contact a Fujitsu system engineer or your partner(s).


Note: Determining the affected product

  1. Determining the version and level of the product
    • [V6 series]
      • Solaris
        To see package information on the FJSVisas package, please execute the following command:
          pkginfo -l FJSVisas
      • Windows
        See the title in the Software Release Guide.
          [Start]
            -> [Programs]
              -> [Interstage]
                -> [Application Server | Apworks]
                  -> [Software Release Guide]
      • Linux
        To see package information on the FJSVisas package, please execute the following command:
          rpm -q FJSVisas
    • [V7 series or later]
      • Use the isprintvl command.
          isprintvl
  2. Determining the affected web applications
    Whether a web application is affected by the vulnerabilities depends on the application setting.

    If the "Condition 1" is not satisfied, your system is not affected by the vulnerabilities.
    If only the "Condition 1" is satisfied or both "Condition 1" and "Condition 2" are satisfied, please contact our support representative for the workaround.
    • Condition 1: All of the following conditions are satisfied.
      1. A web application invokes one of the following Servlet APIs or JSP Actions:
        • The forward or include method of the object gotten by javax.servlet.ServletContext#getRequestDispatcher(path)
        • The forward or include method of the object gotten by javax.servlet.ServletRequest#getRequestDispatcher(path)
        • <jsp:forward page="path"> action of JSP
        • <jsp:include page="path"> action of JSP
      2. The argument "path" of i includes a query string which starts with '?'.
      3. The web application includes data sent from a client in the query string of ii.
    • Condition 2:
      Access restriction to specific contents in a web application is configured by one or more than one of the following means (from i to iii ).
      If access to the all of contents in a web application is restricted, this is not applicable.
      1. Access restriction is used in a web application according to the Servlet specification.
        Web application environment definition file(deployment descriptor: web.xml) has a security-constraint tag.

        Affected example: restricte access to only “Hello” by <security-constraint> tag
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Hello</web-resource-name>
              <url-pattern>/Hello.jsp</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>Administrator</role-name>
            </auth-constraint>
          </security-constraint>

        Not affected example: restrict access to all contents by <security-constraint> tag
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>all</web-resource-name>
              <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>Administrator</role-name>
            </auth-constraint>
          </security-constraint>
      2. Access to the URL for Servlet service applications is restricted in a web server.

        Affected example: The configuration file of Interstage HTTP Server as a web server(httpd.conf)
         (restrict access to only “Hello”)
          <Location /j2eesample/hello.jsp>
            Order deny,allow
            Deny from all
            Allow from 192.168.1.1
          </Location>

        Not affected example: restrict access to all contents
          <Location /j2eesample>
            Order deny,allow
            Deny from all
            Allow from 192.168.1.1
          </Location>
      3. Access to the specific contents in a web application is restricted in a way such as the following a or b and so on.
        1. Web application implements access restriction function by itself.
        2. Access restriction is done by some hardware or software on the network except a web server.

3-3. Workaround

We provide the workaround via our support representative, so please contact us.

4. Related information

This problem corresponds to the vulnerability of Apache Tomcat.

5. Revision history

  • October 27th, 2010 : 2nd edition. The followings were updated in "3-2. Affected products and required patch".
    • Added products listed below.
      • Interstage Application Server Enterprise Edition V9.1.0B
      • Interstage Application Server Standard-J Edition V9.1.0B
      • Interstage Application Server Enterprise Edition V9.1.0B for Windows
      • Interstage Application Server Standard-J Edition V9.1.0B for Windows
      • Interstage Application Server Enterprise Edition V9.1.0B for Linux
      • Interstage Application Server Standard-J Edition V9.1.0B for Linux
      • Interstage Studio Enterprise Edition 9.1.0B for Windows
      • Interstage Studio Standard-J Edition 9.1.0B for Windows
    • Added or Deleted target OS elements of some products.
  • June 9th, 2009 : Initial release