
Interstage HTTP Server: Two Security Vulnerabilities (CVE-2011-3368/ CVE-2011-0419). November 26th, 2013



1. Description

  1. The following vulnerability has been confirmed when the Interstage HTTP Server reverse proxy feature is used: remote access to an arbitrary host may be allowed through the proxy.
    This vulnerability corresponds to CVE-2011-3368.

    However, unless both of the following conditions apply, Interstage HTTP Server is not affected by this vulnerability:
    1. The reverse proxy feature is enabled by the "[P]" flag of a RewriteRule directive in the configuration file (httpd.conf), and
    2. $N (N: a numeric value between 1 and 9) is specified immediately after the destination host name (Example: images.example.com) used by the reverse proxy feature, with no "/" between them.

      Example: RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]
  2. A Denial of Service (DoS) vulnerability has been confirmed in the automatic directory listing feature of Interstage HTTP Server.
    This vulnerability corresponds to CVE-2011-0419.

    However, unless all of the following conditions apply, Interstage HTTP Server is not affected by this vulnerability:
    1. "Indexes" is set for the Options directive in the configuration file (httpd.conf), and
    2. "IgnoreClient" is not set for the IndexOptions directive in the configuration file (httpd.conf), and
    3. The content published on Interstage HTTP Server contains files with long file names (approximately 50 bytes or longer).

Fujitsu provides security patches shown in 3.
Please apply them as soon as possible.

2. Impact

  1. Unauthorized access to other hosts may occur through a crafted request sent by a remote attacker.
  2. A crafted request sent by a remote attacker may consume large amounts of CPU time on the Web server and cause a Denial of Service (DoS).

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

Interstage Application Server
Products Version Target OS Package name Patch ID.
Interstage Application Server Enterprise Edition for Windows [*a] V5.0 Windows NT4.0/ Windows 2000 Server F3FMihs None*
Interstage Application Server Enterprise Edition for Windows [*a] V6.0 Windows NT4.0/ Windows 2000 Server/ Windows Server 2003 F3FMihs None*
Interstage Application Server Enterprise Edition for Windows [*a] V7.0/ V7.0.1 Windows 2000 Server/ Windows Server 2003 F3FMihs None*
Interstage Application Server Enterprise Edition for Windows [*a] 8.0.0/ 8.0.1/ 8.0.2 Windows 2000 Server/ Windows Server 2003 F3FMihs None*
Interstage Application Server Enterprise Edition for Windows [*a *b] V9.0.0/ V9.0.0A Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 F3FMihs T001001WP-08
Interstage Application Server Enterprise Edition for Windows [*a *b] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 F3FMihs T002174WP-06
Interstage Application Server Enterprise Edition for Windows [*a *b] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 F3FMihs T004344WP-05
Interstage Application Server Enterprise Edition for Windows [*a *b] V10.0.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 F3FMihs T006036WP-02
Interstage Application Server Standard Edition for Windows [*a] V5.0 Windows NT4.0/ Windows 2000 Server F3FMihs None*
Interstage Application Server Standard-J Edition for Windows [*a] 8.0.0/ 8.0.1/ 8.0.2 Windows 2000 Server/ Windows Server 2003 F3FMihs None*
Interstage Application Server Standard-J Edition for Windows [*a *b] V9.0.0/ V9.0.0A/ V9.0.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 F3FMihs T001001WP-08
Interstage Application Server Standard-J Edition for Windows [*a *b] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 F3FMihs T002174WP-06
Interstage Application Server Standard-J Edition for Windows [*a *b] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 F3FMihs T004344WP-05
Interstage Application Server Standard-J Edition for Windows [*a *b] V10.0.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 F3FMihs T006036WP-02
Interstage Application Server Web-J Edition for Windows [*a] V5.0 Windows NT4.0/ Windows 2000 Server F3FMihs None*
Interstage Application Server Plus for Windows [*a] V5.0.1 Windows NT4.0/ Windows 2000 Server F3FMihs None*
Interstage Application Server Plus for Windows [*a] V6.0 Windows NT4.0/ Windows 2000 Server/ Windows Server 2003 F3FMihs None*
Interstage Application Server Plus for Windows [*a] V7.0/ V7.0.1 Windows 2000 Server/ Windows Server 2003 F3FMihs None*
Interstage Application Server Plus Developer for Windows [*a] V5.0.1 Windows NT4.0/ Windows 2000 Server/ Windows XP F3FMihs None*
Interstage Application Server Plus Developer for Windows [*a] V6.0 Windows NT4.0/ Windows 2000 Server/ Windows XP/ Windows Server 2003 F3FMihs None*
Interstage Application Server Plus Developer for Windows [*a] V7.0 Windows 2000 Server/ Windows XP/ Windows Server 2003 F3FMihs None*
Interstage Application Server Enterprise Edition for Windows [*a] 8.0.0 Windows(IPF) Server 2003 F3FMihs None*
Interstage Application Server Enterprise Edition for Windows [*a *b] V9.0.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 F3FMihs T001005IP-07
Interstage Application Server Enterprise Edition for Windows [*a *b] V9.1.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T002175IP-06
Interstage Application Server Enterprise Edition for Windows [*a *b] V9.2.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T004345IP-05
Interstage Application Server Standard-J Edition for Windows [*a *b] V9.0.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 F3FMihs T001005IP-07
Interstage Application Server Standard-J Edition for Windows [*a *b] V9.1.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T002175IP-06
Interstage Application Server Standard-J Edition for Windows [*a *b] V9.2.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T004345IP-05
Interstage Application Server Enterprise Edition for Windows [*a *b] V9.2.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 F3FMihs T004346XP-05
Interstage Application Server Enterprise Edition for Windows [*a *b] V10.0.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 F3FMihs T006037XP-02
Interstage Application Server Standard-J Edition for Windows [*a *b] V9.2.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows Server 2008 R2 F3FMihs T004346XP-05
Interstage Application Server Standard-J Edition for Windows [*a *b] V10.0.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 F3FMihs T006037XP-02
Interstage Application Server Enterprise Edition [*a] 5.0 Solaris 7/ 8/ 9 FJSVihs None*
Interstage Application Server Enterprise Edition [*a] 5.0.1 Solaris 7/ 8/ 9 FJSVihs None*
Interstage Application Server Enterprise Edition [*a] 6.0 Solaris 7/ 8/ 9 FJSVihs None*
Interstage Application Server Enterprise Edition [*a] 7.0 Solaris 8/ 9 FJSVihs None*
Interstage Application Server Enterprise Edition [*a] 7.0.1 Solaris 8/ 9/ 10 FJSVihs None*
Interstage Application Server Enterprise Edition [*a] 8.0.0/ 8.0.2 Solaris 9/ 10 FJSVihs None*
Interstage Application Server Enterprise Edition [*a *b] V9.0.0/ V9.0.0B Solaris 9/ 10 FJSVihs T001004SP-09
Interstage Application Server Enterprise Edition [*a *b] V9.1.0/ V9.1.0B Solaris 9/ 10 FJSVihs T002180SP-07
Interstage Application Server Enterprise Edition [*a *b] V9.2.0 Solaris 9/ 10 FJSVihs T004343SP-05
Interstage Application Server Enterprise Edition [*a *b] V10.0.0 Solaris 9/ 10 FJSVihs T006035SP-02
Interstage Application Server Standard Edition [*a] 5.0 Solaris 7/ 8/ 9 FJSVihs None*
Interstage Application Server Standard-J Edition [*a] 8.0.0/ 8.0.2 Solaris 9/ 10 FJSVihs None*
Interstage Application Server Standard-J Edition [*a *b] V9.0.0 Solaris 9/ 10 FJSVihs T001004SP-09
Interstage Application Server Standard-J Edition [*a *b] V9.1.0/ V9.1.0B Solaris 9/ 10 FJSVihs T002180SP-07
Interstage Application Server Standard-J Edition [*a *b] V9.2.0 Solaris 9/ 10 FJSVihs T004343SP-05
Interstage Application Server Standard-J Edition [*a *b] V10.0.0 Solaris 9/ 10 FJSVihs T006035SP-02
Interstage Application Server Web-J Edition [*a] 5.0 Solaris 7/ 8/ 9 FJSVihs None*
Interstage Application Server Plus [*a] 7.0 Solaris 8/ 9 FJSVihs None*
Interstage Application Server Plus [*a] 7.0.1 Solaris 8/ 9/ 10 FJSVihs None*
Interstage Application Server Enterprise Edition for Linux [*a] V5.0 Turbolinux 7 Server FJSVihs None*
Interstage Application Server Standard Edition for Linux [*a] V5.0 Turbolinux 7 Server FJSVihs None*
Interstage Application Server Web-J Edition for Linux [*a] V5.0 Turbolinux 7 Server FJSVihs None*
Interstage Application Server Enterprise Edition for Linux [*a] V6.0 RHEL-AS3(x86)/ ES3(x86) FJSVihs None*
Interstage Application Server Enterprise Edition for Linux [*a] V7.0 RHEL-AS3(x86)/ ES3(x86) FJSVihs None*
Interstage Application Server Plus for Linux [*a] V7.0 RHEL-AS3(x86)/ ES3(x86) FJSVihs None*
Interstage Application Server Enterprise Edition for Linux [*a] V7.0.1 RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) FJSVihs None*
Interstage Application Server Plus for Linux [*a] V7.0.1 RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) FJSVihs None*
Interstage Application Server Enterprise Edition for Linux [*a] 8.0.0/ 8.0.2 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs None*
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.0.0 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T001003LP-07
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.1.0/ V9.1.0B RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T002176LP-06
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.2.0/ V9.3.1 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T004338LP-05
Interstage Application Server Standard-J Edition for Linux [*a] 8.0.0/ 8.0.2 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs None*
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.0.0 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T001003LP-07
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.1.0/ V9.1.0B RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T002176LP-06
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.2.0/ V9.3.1 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T004338LP-05
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T001044LP-07
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.1.0/ V9.1.0B RHEL5(x86)/ RHEL5(Intel64) FJSVihs T002177LP-06
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.2.0/ V9.3.1 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T004339LP-05
Interstage Application Server Enterprise Edition for Linux [*a *b] V10.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T006038LP-02
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T001044LP-07
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.1.0/ V9.1.0B RHEL5(x86)/ RHEL5(Intel64) FJSVihs T002177LP-06
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.2.0/ V9.3.1 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T004339LP-05
Interstage Application Server Standard-J Edition for Linux [*a *b] V10.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T006038LP-02
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.3.1 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T006033LP-02
Interstage Application Server Enterprise Edition for Linux [*a *b] V10.0.0 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T006039LP-02
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.3.1 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T006033LP-02
Interstage Application Server Standard-J Edition for Linux [*a *b] V10.0.0 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T006039LP-02
Interstage Application Server Enterprise Edition for Linux [*a] V7.0 RHEL-AS4(IPF) FJSVihs None*
Interstage Application Server Enterprise Edition for Linux [*a] 8.0.0/ 8.0.1/ 8.0.2 RHEL-AS4(IPF) FJSVihs None*
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.0.0/ V9.0.0A RHEL-AS4(IPF) FJSVihs T001002QP-07
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.1.0 RHEL-AS4(IPF) FJSVihs T002178QP-06
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.2.0 RHEL-AS4(IPF) FJSVihs T004340QP-05
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.0.0 RHEL-AS4(IPF) FJSVihs T001002QP-07
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.1.0 RHEL-AS4(IPF) FJSVihs T002178QP-06
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.2.0 RHEL-AS4(IPF) FJSVihs T004340QP-05
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.0.0/ V9.0.0A RHEL5(IPF) FJSVihs T001043QP-07
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.1.0 RHEL5(IPF) FJSVihs T002179QP-06
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.2.0 RHEL5(IPF) FJSVihs T004341QP-05
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.0.0 RHEL5(IPF) FJSVihs T001043QP-07
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.1.0 RHEL5(IPF) FJSVihs T002179QP-06
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.2.0 RHEL5(IPF) FJSVihs T004341QP-05
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.2.0/ V9.3.1 RHEL5(Intel64) FJSVihs T004342LP-05
Interstage Application Server Enterprise Edition for Linux [*a *b] V10.0.0 RHEL5(Intel64) FJSVihs T006040LP-02
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.2.0/ V9.3.1 RHEL5(Intel64) FJSVihs T004342LP-05
Interstage Application Server Standard-J Edition for Linux [*a *b] V10.0.0 RHEL5(Intel64) FJSVihs T006040LP-02
Interstage Application Server Enterprise Edition for Linux [*a *b] V9.3.1 RHEL6(Intel64) FJSVihs T006034LP-02
Interstage Application Server Enterprise Edition for Linux [*a *b] V10.0.0 RHEL6(Intel64) FJSVihs T006041LP-02
Interstage Application Server Standard-J Edition for Linux [*a *b] V9.3.1 RHEL6(Intel64) FJSVihs T006034LP-02
Interstage Application Server Standard-J Edition for Linux [*a *b] V10.0.0 RHEL6(Intel64) FJSVihs T006041LP-02
Interstage Apworks
Products Version Target OS Package name Patch ID.
Interstage Apworks Modelers-J Edition for Windows [*a] V6.0/ V6.0A Windows 2000 Server/ Windows XP F3FMihs None*
Interstage Apworks Modelers-J Edition for Windows [*a] V7.0 Windows 2000 Server/ Windows XP F3FMihs None*
Interstage Studio
Products Version Target OS Package name Patch ID.
Interstage Studio Enterprise Edition for Windows [*a] 8.0.1 Windows 2000 Server/ Windows XP/ Windows Server 2003 F3FMihs None*
Interstage Studio Enterprise Edition for Windows [*a *b] V9.0.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista F3FMihs T001001WP-08
Interstage Studio Enterprise Edition for Windows [*a *b] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista F3FMihs T002174WP-06
Interstage Studio Enterprise Edition for Windows [*a *b] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 F3FMihs T004344WP-05
Interstage Studio Standard-J Edition for Windows [*a] 8.0.1 Windows 2000 Server/ Windows XP/ Windows Server 2003 F3FMihs None*
Interstage Studio Standard-J Edition for Windows [*a *b] V9.0.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista F3FMihs T001001WP-08
Interstage Studio Standard-J Edition for Windows [*a *b] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista F3FMihs T002174WP-06
Interstage Studio Standard-J Edition for Windows [*a *b] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 F3FMihs T004344WP-05
Interstage Studio Standard-J Edition for Windows [*a *b] V10.0.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 F3FMihs T006036WP-02
Interstage Business Application Server
Products Version Target OS Package name Patch ID.
Interstage Business Application Server Enterprise Edition for Linux [*a] 8.0.0 RHEL-AS4(IPF) FJSVihs None*
Interstage Job Workload Server
Products Version Target OS Package name Patch ID.
Interstage Job Workload Server for Linux [*a] 8.1.0 RHEL-AS4(IPF) FJSVihs None*


For the solution, please refer to the following "3-3. Workaround".
[*a] Affected by CVE-2011-3368: For details, refer to a) of "3-3. Workaround" below.
[*b] Affected by CVE-2011-0419: For details, refer to b) of "3-3. Workaround" below.


Note: Determining the affected product

To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

  1. In the configuration file (httpd.conf), insert "/" at the beginning of the URL pattern of the RewriteRule directive and immediately after the destination host name (e.g. images.example.com).
    After the file is edited, save the file and restart the Interstage HTTP Server.

    [Before edit]
       Example: RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P]

    [After edit]
       Example: RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P]
  2. Prevent the problem in one of the following ways.
    1. If "Indexes" is set for the Options directive in the configuration file (httpd.conf), disable automatic directory listing by removing "Indexes".
      After the file is edited, save the file and restart the Interstage HTTP Server.
    2. Prevent clients from controlling the directory listing through request query strings by setting "IgnoreClient" for the IndexOptions directive in the configuration file (httpd.conf).
      After the file is edited, save the file and restart the Interstage HTTP Server.
    3. If the content published on Interstage HTTP Server contains files with long file names, rename them to shorter names (less than approximately 50 bytes).
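
The affected-configuration conditions in section 1 and the edits in this section can be checked mechanically before a restart. The following audit script is an added example, not Fujitsu's code or part of the product: it scans an httpd.conf text for a RewriteRule that carries the [P] flag and places $N directly after the destination host (the CVE-2011-3368 conditions), prints the hardened form of that rule exactly as the workaround describes ("/" before the pattern and after the host), and separately reports when Options includes Indexes without IgnoreClient on IndexOptions (the configuration side of the CVE-2011-0419 conditions). The configuration fragment embedded in the script is constructed for the demonstration; the host names in it are placeholders, and the Options/IndexOptions check is file-wide rather than per <Directory> scope, which is a simplification.

```python
"""Audit an httpd.conf text for the two configuration patterns described in the advisory.

Added example for this advisory; not part of Interstage HTTP Server or Fujitsu's tooling.
"""
import re
import sys

# Constructed sample configuration (not taken from any real server).
SAMPLE_HTTPD_CONF = """\
# Reverse proxy for static images: the unsafe form shown in the advisory
RewriteEngine On
RewriteRule (.*)\\.(jpg|gif|png) http://images.example.com$1.$2 [P]
# Safe form: "/" before the pattern and after the destination host
RewriteRule /(.*)\\.(css|js) http://static.example.com/$1.$2 [P]
# A proxy rule with no back-reference after the host is not affected
RewriteRule ^/old$ http://legacy.example.com/new [P]
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    IndexOptions FancyIndexing
</Directory>
"""

# RewriteRule <pattern> <target> [flags]   (pattern and target contain no whitespace)
REWRITE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.IGNORECASE)
# Destination host followed directly by $N (N = 1..9): condition 2 of the advisory
HOST_BACKREF_RE = re.compile(r'^(https?://[^/$\s]+)\$[1-9]', re.IGNORECASE)


def harden_rewrite_rule(pattern, target, flags):
    """Apply the advisory's workaround: "/" before the URL pattern and after the host."""
    new_pattern = pattern if pattern.startswith(('/', '^/')) else '/' + pattern
    # Keep the back-reference digit, insert "/" between the host and "$N".
    new_target = HOST_BACKREF_RE.sub(lambda m: m.group(1) + '/$' + m.group(0)[-1], target, count=1)
    return 'RewriteRule %s %s [%s]' % (new_pattern, new_target, flags)


def check_rewrite_rule(line):
    """Return a finding dict when a RewriteRule meets both CVE-2011-3368 conditions, else None."""
    m = REWRITE_RE.match(line)
    if not m:
        return None
    pattern, target, flags = m.group(1), m.group(2), m.group(3) or ''
    flag_list = [f.strip().upper() for f in flags.split(',') if f.strip()]
    if 'P' not in flag_list and 'PROXY' not in flag_list:
        return None  # condition 1: the rule is not a reverse proxy rule
    if not HOST_BACKREF_RE.match(target):
        return None  # condition 2: no $N directly after the destination host
    return {'cve': 'CVE-2011-3368', 'pattern': pattern, 'target': target,
            'fixed': harden_rewrite_rule(pattern, target, flags)}


def check_autoindex(conf_text):
    """True when Options enables Indexes and no IndexOptions line sets IgnoreClient.

    File-wide check: it does not track <Directory> scopes or per-directory overrides.
    """
    indexes_on = False
    ignore_client = False
    for line in conf_text.splitlines():
        tokens = line.strip().split()
        if not tokens:
            continue
        directive = tokens[0].lower()
        if directive == 'options':
            for t in tokens[1:]:
                # "Indexes" / "+Indexes" / "All" enable listing, "-Indexes" disables it
                if t.lower().lstrip('+') in ('indexes', 'all'):
                    indexes_on = True
                elif t.lower() == '-indexes':
                    indexes_on = False
        elif directive == 'indexoptions':
            if any(t.lower().lstrip('+') == 'ignoreclient' for t in tokens[1:]):
                ignore_client = True
    return indexes_on and not ignore_client


def audit_httpd_conf(conf_text):
    """Return a list of findings with the line number and the suggested corrected line."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        finding = check_rewrite_rule(line)
        if finding:
            finding['line'] = lineno
            findings.append(finding)
    if check_autoindex(conf_text):
        findings.append({'cve': 'CVE-2011-0419', 'line': None,
                         'fixed': 'IndexOptions IgnoreClient (or remove Indexes from Options)'})
    return findings


if __name__ == '__main__':
    # Pass a real httpd.conf path to audit it; without one, the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTTPD_CONF
    for f in audit_httpd_conf(text):
        where = 'line %s' % f['line'] if f['line'] else 'file-wide'
        print('%s (%s): %s' % (f['cve'], where, f['fixed']))
```

Run against the sample, the script reports the RewriteRule on line 3 with its corrected form and the Indexes-without-IgnoreClient combination; the other two RewriteRule lines are left alone. Condition 3 of CVE-2011-0419 (long file names in the published content) is a property of the document tree, not of httpd.conf, so it is outside what this check can see.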

4. Related information

  1. CVE-2011-3368
    The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3368
  2. CVE-2011-0419
    Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419

5. Revision history

  • November 26th, 2013: 3rd release
    • Change the Patch ID in "3-2. Affected products and required patch".
  • February 20th, 2012: 2nd release
    • Change the Patch ID in "3-2. Affected products and required patch".
    • Add some products to "3-2. Affected products and required patch".
  • October 31st, 2011: Initial release