Interstage Application Server: Vulnerability may allow access from a non-permitted IP address. November 30th, 2010
1. Description
When the access is restricted by IP address, the request from a non-permitted IP address may be accepted.
2. Impact
Though a specific impact depends on a system function, there is a possibility of information disclosure because the request from an unauthorized client may be acceptted.
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, SPARC Enterprise, PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machines, PRIMEQUEST
3-2. Affected products and required patch
| Products | Version | Target OS | Package name | Patch ID. |
|---|---|---|---|---|
| Interstage Application Server Enterprise Edition | 6.0 | Solaris 7/ 8/ 9 | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition | 7.0 | Solaris 8/ 9 | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition | 7.0.1 | Solaris 8/ 9/ 10 | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition | V8.0.0 | Solaris 9/ 10 | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition | V8.0.2 | Solaris 9/ 10 | FJSVjs4 | None* |
| Interstage Application Server Standard-J Edition | V8.0.0 | Solaris 9/ 10 | FJSVjs4 | None* |
| Interstage Application Server Standard-J Edition | V8.0.2 | Solaris 9/ 10 | FJSVjs4 | None* |
| Interstage Application Server Plus | 7.0 | Solaris 8/ 9 | FJSVjs4 | None* |
| Interstage Application Server Plus | 7.0.1 | Solaris 8/ 9/ 10 | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition for Windows | V6.0 | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | None* |
| Interstage Application Server Enterprise Edition for Windows | V7.0 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Enterprise Edition for Windows | V7.0.1 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Enterprise Edition for Windows | V8.0.0 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Enterprise Edition for Windows | V8.0.1 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Enterprise Edition for Windows | V8.0.2 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Enterprise Edition for Windows | V9.0.0 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Enterprise Edition for Windows | V9.0.0A | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Standard-J Edition for Windows | V8.0.0 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Standard-J Edition for Windows | V8.0.1 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Standard-J Edition for Windows | V8.0.2 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Standard-J Edition for Windows | V9.0.0 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Standard-J Edition for Windows | V9.0.0A | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Plus for Windows | V6.0 | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | None* |
| Interstage Application Server Plus for Windows | V7.0 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Plus for Windows | V7.0.1 | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | None* |
| Interstage Application Server Plus Developer for Windows | V6.0 | Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows NT Server 4.0 | F3FMjs4 | None* |
| Interstage Application Server Plus Developer for Windows | V7.0 | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | None* |
| Interstage Application Server Enterprise Edition for Windows | V8.0.0 | Windows Server 2003(IPF) | F3FMjs4 | None* |
| Interstage Application Server Enterprise Edition for Linux | V6.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition for Linux | V7.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition for Linux | V7.0.1 | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition for Linux | V8.0.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition for Linux | V8.0.2 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | None* |
| Interstage Application Server Standard-J Edition for Linux | V8.0.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | None* |
| Interstage Application Server Standard-J Edition for Linux | V8.0.2 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | None* |
| Interstage Application Server Plus for Linux | V7.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | None* |
| Interstage Application Server Plus for Linux | V7.0.1 | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition for Linux | V7.0 | RHEL-AS4(IPF) | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition for Linux | V8.0.0 | RHEL-AS4(IPF) | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition for Linux | V8.0.1 | RHEL-AS4(IPF) | FJSVjs4 | None* |
| Interstage Application Server Enterprise Edition for Linux | V8.0.2 | RHEL-AS4(IPF) | FJSVjs4 | None* |
| Products | Version | Target OS | Package name | Patch ID. |
|---|---|---|---|---|
| Interstage Apworks Modelers-J Edition for Windows | V6.0 | Windows 2000 Server/ Windows XP | F3FMjs4 | None* |
| Interstage Apworks Modelers-J Edition for Windows | V6.0A | Windows 2000 Server/ Windows XP | F3FMjs4 | None* |
| Interstage Apworks Modelers-J Edition for Windows | V7.0 | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | None* |
| Interstage Studio Enterprise Edition for Windows | 8.0.1 | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | None* |
| Interstage Studio Standard-J Edition for Windows | 8.0.1 | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | None* |
| Products | Version | Target OS | Package name | Patch ID. |
|---|---|---|---|---|
| Interstage Business Application Server Enterprise Edition for Linux | 8.0.0 | RHEL-AS4(IPF) | FJSVjs4 | None* |
| Products | Version | Target OS | Package name | Patch ID. |
|---|---|---|---|---|
| Interstage Job Workload Server for Linux | 8.1.0 | RHEL-AS4(IPF) | FJSVjs4 | None* |
* For the solution, please refer to "3-3. Workaround".
Note: Determining the affected product
- [V6 series]
- Solaris
To see package information on the FJSVisas package, the following command can be run:
pkginfo -l FJSVisas - Windows
See the title in the Software Release Guide.
[Start]
-> [Program]
-> [Interstage]
-> [Application Server | Apworks]
-> [Software Release Guide] - Linux
To see package information on the FJSVisas package, the following command can be run:
rpm -q FJSVisas
- Solaris
- [V7 series or later]
Use the isprintvl command.
isprintvl
3-3. Workaround
Adopt security measures against requests from invalid IP addresses or invalid requests accessing to Servlet container ports directly. The security measures are done by a firewall and so on.
Specifically, connections to Servlet container ports should be rejected except for the request from Web server (Web server connector). Security measures against internal threats that are connections to Servlet container ports from intranet should also be done robustly by system configurations and operations.
4. Related information
None.
5. Revision history
- November 30th, 2010: 2nd release
- In "3. Corresponding system and Patch information", "Patch ID" was changed to "None".
- "3-3. Workaround" was added.
- November 19th, 2010: Initial release
