Interstage Application Server: Vulnerable in request processing. May 17th, 2010


1. Description

There is a vulnerability in the Servlet service included in Interstage Application Server in which a specific request may not be processed properly.

Fujitsu provides the security patches listed in section 3 below.
Please apply them as soon as possible.

2. Impact

The specific impact depends on the implementation of the web application.
The following may occur:

  • illegal request execution
  • leakage of other users' information

For the severity of this vulnerability, see the JVN/IPA information in "4. Related information" (Japanese only).

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machine

3-2. Affected products and required patch

Interstage Application Server
| Products | Target OS | Package name | Patch ID |
|---|---|---|---|
| INTERSTAGE Application Server Enterprise Edition 3.0 (with standard encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 910679-19* |
| INTERSTAGE Application Server Enterprise Edition 3.0 (with strong encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 910679-19* |
| INTERSTAGE Application Server Standard Edition 3.0 (with standard encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 910675-19* |
| INTERSTAGE Application Server Standard Edition 3.0 (with strong encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 910675-19* |
| INTERSTAGE Application Server Enterprise Edition 4.0 (with Non Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911367-12* |
| INTERSTAGE Application Server Enterprise Edition 4.0 (with Strong Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911367-12* |
| INTERSTAGE Application Server Standard Edition 4.0 (with Non Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911368-12* |
| INTERSTAGE Application Server Standard Edition 4.0 (with Strong Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911368-12* |
| INTERSTAGE Application Server Web-J Edition 4.0 (with Non Encryption) | Solaris 2.6, 7, 8 | | 911562-11* |
| INTERSTAGE Application Server Web-J Edition 4.0 (with Strong Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911562-11* |
| Interstage Application Server Enterprise Edition 5.0 (with Strong Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912193-11* |
| Interstage Application Server Enterprise Edition 5.0 (with Non Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912193-11* |
| Interstage Application Server Standard Edition 5.0 (with Strong Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912194-11* |
| Interstage Application Server Standard Edition 5.0 (with Non Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912194-11* |
| Interstage Application Server Web-J Edition 5.0 (with Strong Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912195-11* |
| Interstage Application Server Web-J Edition 5.0 (with Non Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912195-11* |
| Interstage Application Server Enterprise Edition 5.0.1 (with Strong Encryption) | Solaris 7, 8, 9 | FJSVjs2 | * |
| Interstage Application Server Enterprise Edition 6.0 | Solaris 8, 9 | FJSVjs2 | * |
| Interstage Application Server Enterprise Edition 7.0 | Solaris 8, 9 | FJSVjs2 | * |
| Interstage Application Server Standard Edition 7.0 | Solaris 8, 9 | FJSVjs2 | * |
| Interstage Application Server Plus 7.0 | Solaris 8, 9 | FJSVjs2 | * |
| Interstage Application Server Enterprise Edition 7.0.1 | Solaris 8, 9, 10 | FJSVjs2 | * |
| Interstage Application Server Plus 7.0.1 | Solaris 8, 9, 10 | FJSVjs2 | * |
| INTERSTAGE Application Server Enterprise Edition V3.0 (with strong encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| INTERSTAGE Application Server Enterprise Edition V3.0 (with standard encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| INTERSTAGE Application Server Standard Edition V3.0 (with strong encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| INTERSTAGE Application Server Standard Edition V3.0 (with standard encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| INTERSTAGE Application Server Enterprise Edition V4.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| INTERSTAGE Application Server Enterprise Edition V4.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| INTERSTAGE Application Server Standard Edition V4.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| INTERSTAGE Application Server Standard Edition V4.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| INTERSTAGE Application Server Web-J Edition V4.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| INTERSTAGE Application Server Web-J Edition V4.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| Interstage Application Server Enterprise Edition V5.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| Interstage Application Server Enterprise Edition V5.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| Interstage Application Server Standard Edition V5.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| Interstage Application Server Standard Edition V5.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| Interstage Application Server Web-J Edition V5.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| Interstage Application Server Web-J Edition V5.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| Interstage Application Server Plus V5.0.1 for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| Interstage Application Server Plus Developer V5.0.1 for Windows | Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs2 | * |
| Interstage Application Server Enterprise Edition V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| Interstage Application Server Plus V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
| Interstage Application Server Enterprise Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs2 | * |
| Interstage Application Server Standard Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs2 | * |
| Interstage Application Server Plus V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs2 | * |
| Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs2 | * |
| Interstage Application Server Plus V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs2 | * |
| INTERSTAGE Application Server Enterprise Edition 4.1 (with Non Encryption) for Linux | Turbolinux 7/ RedHat Linux 7.2 | FJSVjs2 | * |
| INTERSTAGE Application Server Standard Edition 4.1 (with Non Encryption) for Linux | Turbolinux 7/ RedHat Linux 7.2 | FJSVjs2 | * |
| INTERSTAGE Application Server Web-J Edition 4.1 (with Non Encryption) for Linux | Turbolinux 6.1/ 6.5/ 7/ RedHat Linux 7.2 | FJSVjs2 | * |
| Interstage Application Server Enterprise Edition V5.0 (with Strong Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
| Interstage Application Server Enterprise Edition V5.0 (with Non Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
| Interstage Application Server Standard Edition V5.0 (with Strong Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
| Interstage Application Server Standard Edition V5.0 (with Non Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
| Interstage Application Server Web-J Edition V5.0 (with Strong Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
| Interstage Application Server Web-J Edition V5.0 (with Non Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
| Interstage Application Server Enterprise Edition V6.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs2 | * |
| Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs2 | * |
| Interstage Application Server Standard Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs2 | * |
| Interstage Application Server Plus V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs2 | * |

* For patches listed without an ID or a link, please contact a Fujitsu system engineer or your partner(s).

Note: In the following products, this vulnerability ONLY affects systems running the Servlet service that is compatible with version 5 and earlier. This service is set up only by a custom install. Therefore, a system whose Servlet service was set up by the default install is NOT affected by this vulnerability.

  • Interstage Application Server V6 series-V7 series

Note: Determining the affected product

  • [V3 series-V6 series]
    • Solaris
      Check the package information for the FJSVisas package.
        pkginfo -l FJSVisas
    • Windows
      Check the title of the Software Release Guide.
        [Start]
          -> [Program]
            -> [Interstage]
              -> [Application Server]
                -> [Software Release Guide]
    • Linux
      Check the package information for the FJSVisas package.
        rpm -q FJSVisas
  • [V7 series or later]
    Use the isprintvl command.
      isprintvl

3-3. Workaround

On the load balancer, set an interval of five minutes or more between the times at which distribution to each server begins.

4. Related information

This problem corresponds to the Interstage Application Server vulnerability JVN#90248889.

5. Revision history

  • May 17th, 2010 : Initial release
