Skip to main content

Fujitsu

Global

Change 

  1. Home >
  2. Support & Downloads >
  3. Software >
  4. Security >
  5. Fujitsu Patch & TA Information >
  6. This page provides Security Information.

Interstage HTTP Server: Four Security Vulnerabilities (CVE-2009-1891/ CVE-2009-2412/ CVE-2010-1623/ CVE-2010-1452). September 22nd, 2011

Notes on using this web page

1. Description

Interstage Application Server and Interstage Studio were affected by the security vulnerabilities below:

  1. A Denial of Service (DoS) vulnerability has been confirmed in the Interstage HTTP Server content compression feature.
    This vulnerability corresponds to CVE-2009-1891.
  2. The Denial of Service (DoS) and arbitrary code execution on the Web server vulnerabilities have been confirmed in Interstage HTTP Server.
    This vulnerability corresponds to CVE-2009-2412.
  3. A Denial of Service (DoS) vulnerability has been confirmed in the Interstage HTTP Server request processing.
    This vulnerability corresponds to CVE-2010-1623.
  4. A Denial of Service (DoS) vulnerability has been confirmed in the Interstage HTTP Server WebDAV feature.
    This vulnerability corresponds to CVE-2010-1452.

Fujitsu provides security patches shown in 3.
Please apply them as soon as possible.

2. Impact

  1. A modified request sent by a remote attacker may consume large amounts of CPU time on the Web server and cause Denial of Service (DoS).
  2. A Denial of Service (DoS) attack or arbitrary code execution on the Web server may have been caused by a malicious third party.
  3. A modified request sent by a remote attacker may result in a memory leak on the Web server and cause Denial of Service (DoS).
  4. A modified request sent by a remote attacker may cause Denial of Service (DoS).

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

Interstage Application Server
Products Version Target OS Package name Patch ID.
Interstage Application Server Enterprise Edition for Windows [*1][*2] V9.0.0/ V9.0.0A Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 F3FMihs T001001WP-06
Interstage Application Server Enterprise Edition for Windows [*1][*2] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 F3FMihs T002174WP-04
Interstage Application Server Enterprise Edition for Windows [*1][*2] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 F3FMihs T004344WP-03
Interstage Application Server Standard-J Edition for Windows [*1][*2] V9.0.0/ V9.0.0A/ V9.0.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 F3FMihs T001001WP-06
Interstage Application Server Standard-J Edition for Windows [*1][*2] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 F3FMihs T002174WP-04
Interstage Application Server Standard-J Edition for Windows [*1][*2] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 F3FMihs T004344WP-03
Interstage Application Server Enterprise Edition for Windows [*1][*2] V9.0.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 F3FMihs T001005IP-05
Interstage Application Server Enterprise Edition for Windows [*1][*2] V9.1.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T002175IP-04
Interstage Application Server Enterprise Edition for Windows [*1][*2] V9.2.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T004345IP-03
Interstage Application Server Standard-J Edition for Windows [*1][*2] V9.0.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 F3FMihs T001005IP-05
Interstage Application Server Standard-J Edition for Windows [*1][*2] V9.1.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T002175IP-04
Interstage Application Server Standard-J Edition for Windows [*1][*2] V9.2.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T004345IP-03
Interstage Application Server Enterprise Edition for Windows [*1][*2] V9.2.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 F3FMihs T004346XP-03
Interstage Application Server Standard-J Edition for Windows [*1][*2] V9.2.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 F3FMihs T004346XP-03
Interstage Application Server Enterprise Edition [*1] V9.0.0/ V9.0.0B Solaris 9/ 10 FJSVihs T001004SP-07
Interstage Application Server Enterprise Edition [*1] V9.1.0/ V9.1.0B Solaris 9/ 10 FJSVihs T002180SP-05
Interstage Application Server Enterprise Edition [*1] V9.2.0 Solaris 9/ 10 FJSVihs T004343SP-03
Interstage Application Server Standard-J Edition [*1] V9.0.0 Solaris 9/ 10 FJSVihs T001004SP-07
Interstage Application Server Standard-J Edition [*1] V9.1.0/ V9.1.0B Solaris 9/ 10 FJSVihs T002180SP-05
Interstage Application Server Standard-J Edition [*1] V9.2.0 Solaris 9/ 10 FJSVihs T004343SP-03
Interstage Application Server Enterprise Edition for Linux [*1] V9.0.0 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T001003LP-05
Interstage Application Server Enterprise Edition for Linux [*1] V9.1.0/ V9.1.0B RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T002176LP-04
Interstage Application Server Enterprise Edition for Linux [*1] V9.2.0/ V9.3.1 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T004338LP-03
Interstage Application Server Standard-J Edition for Linux [*1] V9.0.0 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T001003LP-05
Interstage Application Server Standard-J Edition for Linux [*1] V9.1.0/ V9.1.0B RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T002176LP-04
Interstage Application Server Standard-J Edition for Linux [*1] V9.2.0/ V9.3.1 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T004338LP-03
Interstage Application Server Enterprise Edition for Linux [*1] V9.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T001044LP-05
Interstage Application Server Enterprise Edition for Linux [*1] V9.1.0/ V9.1.0B RHEL5(x86)/ RHEL5(Intel64) FJSVihs T002177LP-04
Interstage Application Server Enterprise Edition for Linux [*1] V9.2.0/ V9.3.1 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T004339LP-03
Interstage Application Server Standard-J Edition for Linux [*1] V9.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T001044LP-05
Interstage Application Server Standard-J Edition for Linux [*1] V9.1.0/ V9.1.0B RHEL5(x86)/ RHEL5(Intel64) FJSVihs T002177LP-04
Interstage Application Server Standard-J Edition for Linux [*1] V9.2.0/ V9.3.1 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T004339LP-03
Interstage Application Server Enterprise Edition for Linux [*1] V9.0.0/ V9.0.0A RHEL-AS4(IPF) FJSVihs T001002QP-05
Interstage Application Server Enterprise Edition for Linux [*1] V9.1.0 RHEL-AS4(IPF) FJSVihs T002178QP-04
Interstage Application Server Enterprise Edition for Linux [*1] V9.2.0 RHEL-AS4(IPF) FJSVihs T004340QP-03
Interstage Application Server Standard-J Edition for Linux [*1] V9.0.0 RHEL-AS4(IPF) FJSVihs T001002QP-05
Interstage Application Server Standard-J Edition for Linux [*1] V9.1.0 RHEL-AS4(IPF) FJSVihs T002178QP-04
Interstage Application Server Standard-J Edition for Linux [*1] V9.2.0 RHEL-AS4(IPF) FJSVihs T004340QP-03
Interstage Application Server Enterprise Edition for Linux [*1] V9.0.0/ V9.0.0A RHEL5(IPF) FJSVihs T001043QP-05
Interstage Application Server Enterprise Edition for Linux [*1] V9.1.0 RHEL5(IPF) FJSVihs T002179QP-04
Interstage Application Server Enterprise Edition for Linux [*1] V9.2.0 RHEL5(IPF) FJSVihs T004341QP-03
Interstage Application Server Standard-J Edition for Linux [*1] V9.0.0 RHEL5(IPF) FJSVihs T001043QP-05
Interstage Application Server Standard-J Edition for Linux [*1] V9.1.0 RHEL5(IPF) FJSVihs T002179QP-04
Interstage Application Server Standard-J Edition for Linux [*1] V9.2.0 RHEL5(IPF) FJSVihs T004341QP-03
Interstage Application Server Enterprise Edition for Linux [*1] V9.2.0/ V9.3.1 RHEL5(Intel64) FJSVihs T004342LP-03
Interstage Application Server Standard-J Edition for Linux [*1] V9.2.0/ V9.3.1 RHEL5(Intel64) FJSVihs T004342LP-03
Interstage Studio
Products Version Target OS Package name Patch ID.
Interstage Studio Enterprise Edition for Windows [*1][*2] V9.0.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista F3FMihs T001001WP-06
Interstage Studio Enterprise Edition for Windows [*1][*2] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista F3FMihs T002174WP-04
Interstage Studio Enterprise Edition for Windows [*1][*2] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 F3FMihs T004344WP-03
Interstage Studio Standard-J Edition for Windows [*1][*2] V9.0.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista F3FMihs T001001WP-06
Interstage Studio Standard-J Edition for Windows [*1][*2] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista F3FMihs T002174WP-04
Interstage Studio Standard-J Edition for Windows [*1][*2] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 F3FMihs T004344WP-03


For the Patches, please contact a Fujitsu system engineer or your partner(s).
[*1] The effect of CVE-2009-1891/ CVE-2009-2412/ CVE-2010-1623
[*2] The effect of CVE-2010-1452

Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

None.

4. Related information

  1. CVE-2009-1891
    The mod_deflate module in Apache httpd 2.2.11 and earlier compresses large files until completion even after the associated network connection is closed, which allows remote attackers to cause a denial of service (CPU consumption).
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1891
  2. CVE-2009-2412
    Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the (1) allocator_alloc or (2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the (3) apr_rmm_malloc, (4) apr_rmm_calloc, or (5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows.
    NOTE: some of these details are obtained from third party information.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2412
  3. CVE-2010-1623
    Memory leak in the apr_brigade_split_line function in buckets/apr_brigade.c in the Apache Portable Runtime Utility library (aka APR-util) before 1.3.10, as used in the mod_reqtimeout module in the Apache HTTP Server and other software, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors related to the destruction of an APR bucket.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1623
  4. CVE-2010-1452
    The (1) mod_cache and (2) mod_dav modules in the Apache HTTP Server 2.2.x before 2.2.16 allow remote attackers to cause a denial of service (process crash) via a request that lacks a path.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1452

5. Revision history

  • September 22nd, 2011: Initial release


Top of Page