Interstage Business Process Manager Analytics: Arbitrary code execution vulnerability (CVE-2013-2248, CVE-2013-2251). November 6th, 2013
1. Description
Apache Struts2, which Interstage Business Process Manager Analytics (BPMA) uses as the base of its server component, contains an arbitrary code execution vulnerability.
This vulnerability allows an attacker to execute arbitrary code by sending a specially crafted URL to BPMA.
Fujitsu provides the security patches listed in section 3.
Please apply them as soon as possible.
2. Impact
An attacker who supplies a specific parameter in a URL to BPMA may be able to execute arbitrary code on the server.
For a severity assessment of this vulnerability, see NVD information in "4. Related information".
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, GP-S, PRIMERGY, GP5000, SPARC
3-2. Affected products and required patch
Products | Version | Target OS | Package name | Patch ID
---|---|---|---|---
Interstage Business Process Manager Analytics | 12.0 | Windows Server 2003/ 2008 | - | T008832WP-02
Interstage Business Process Manager Analytics | 12.0 | RHEL 5.x/ 6.x | FJSVibpma | T008833LP-02
Interstage Business Process Manager Analytics | 12.1 | Windows Server 2003/ 2008/ 2012 | - | T008834WP-02
Interstage Business Process Manager Analytics | 12.1 | RHEL 5.x/ 6.x | FJSVibpma | T008835LP-02
Interstage Business Process Manager Analytics | 12.1 | Solaris 11 | FJSVibpma | T008837SP-02
To obtain the patches, please contact a Fujitsu system engineer or your partner(s).
Note: Determining the affected product
- In Windows
  - Click the "Start" button and select "Programs".
  - Select the "Interstage Business Process Manager Analytics" product.
  - Open the software instruction file.
  - Confirm the product name and version level written at the head of the file.
- In Linux
  - Execute the following command in the console window: `# rpm -qi FJSVibpma`
  - The product version level is displayed.
- In Solaris
  - Execute the following command in the console window: `# pkginfo -l FJSVibpma`
  - The product version level is displayed.
3-3. Workaround
Introduce an IPS product and prohibit the execution of URLs that include the following parameters:
action, redirect, redirectAction
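The workaround above describes a request-filtering rule rather than a code fix. The following Python script is an added example, not part of the Fujitsu advisory, showing how such a rule can be applied to web-server access logs to find requests that carry the listed parameters. It assumes Apache-style common log format, uses constructed sample log lines (the paths under `/ibpma/` and the IP addresses are invented), and matches the Struts2 form of these parameters, in which the name is one of the three words or begins with that word followed by a colon (for example `redirect:`); names are percent-decoded before matching so that encoded colons are not missed, and `actionId`-style names that merely share a prefix are not flagged.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names the advisory's workaround says to block.
BLOCKED_NAMES = ("action", "redirect", "redirectAction")

# Apache common log format; only the fields needed here are captured.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (hypothetical BPMA request paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Nov/2013:10:00:01 +0900] "GET /ibpma/dashboard.action?view=summary HTTP/1.1" 200 5120',
    '192.0.2.22 - - [06/Nov/2013:10:00:02 +0900] "GET /ibpma/login.action?redirect:/ibpma/home HTTP/1.1" 302 0',
    '192.0.2.22 - - [06/Nov/2013:10:00:03 +0900] "GET /ibpma/login.action?redirectAction%3Aindex=1 HTTP/1.1" 200 77',
    '198.51.100.5 - - [06/Nov/2013:10:00:04 +0900] "POST /ibpma/report.action?actionId=42 HTTP/1.1" 200 900',
]


def is_blocked_name(name):
    """True if a decoded parameter name is one of the blocked names or
    starts with one of them followed by ':' (the Struts2 prefix form).
    Comparison is case-insensitive to be conservative for detection."""
    lowered = name.lower()
    for blocked in BLOCKED_NAMES:
        b = blocked.lower()
        if lowered == b or lowered.startswith(b + ":"):
            return True
    return False


def blocked_params(url):
    """Return the decoded names of query parameters in `url` that the
    workaround rule would prohibit. Query parsing already percent-decodes
    once; a second unquote catches double-encoded names such as %253A."""
    query = urlsplit(url).query
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(name)
        if is_blocked_name(decoded):
            hits.append(decoded)
    return hits


def scan_access_log(lines):
    """Return (client, request target, blocked parameter names) for every
    log line whose request target carries a prohibited parameter."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        hits = blocked_params(match.group("target"))
        if hits:
            findings.append((match.group("host"), match.group("target"), hits))
    return findings


if __name__ == "__main__":
    for host, target, hits in scan_access_log(SAMPLE_LOG):
        print(f"{host} {target} -> blocked parameters: {', '.join(hits)}")
```

Run over the sample lines, the script reports the two requests from 192.0.2.22 (the `redirect:` and the percent-encoded `redirectAction:` forms) and ignores the `actionId` and `view` parameters. The same `is_blocked_name` check can be used to express the rule in an IPS or web application firewall, but filtering is a stopgap only; the patches in section 3-2 remain the fix.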
4. Related information
- National Vulnerability Database (NVD): CVE-2013-2248
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2248
- National Vulnerability Database (NVD): CVE-2013-2251
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2251
5. Revision history
- November 6th, 2013:
  The initial patch is updated because there is an issue in the patch.
  Patch IDs in "3-2. Affected products and required patch" are updated.
- September 4th, 2013: Initial release