Vulnerability in Interstage Application Server Single Sign-on Authentication
June 23rd, 2005
This bulletin provides security information on issues reported to CERT/CC, the coordination center, or detected by Fujitsu's own examination as of the publication date.
Products developed by third parties may be included as subject products. Information about such third party products may be exactly the same as provided by the respective third party.
The contents of this bulletin are provided "AS IS" without warranties of any kind, either express or implied (including, without limitation, any implied warranty of merchantability, fitness for a particular purpose and non-infringement). In no event shall Fujitsu be liable for any direct, indirect, special, incidental, consequential, punitive, or any other damages of any kind, including, without limitation, loss of profits and loss of data incurred by a customer arising out of, or in connection with, the use or non-use of any information in this bulletin, even if Fujitsu has been advised of the possibility of such damages.
The information contained in this bulletin will be updated from time to time without notice. Therefore, all customers are advised to always ascertain the latest information. In case of redistribution of this security bulletin, the full text of this statement shall be reproduced.
[Outline] | | |
---|---|---|
Problem | Vulnerability in Interstage Application Server Single Sign-on Authentication. | |
Manufacturer | Fujitsu Limited | |
Corresponding products | Windows | Interstage Application Server Enterprise Edition V7.0 for Windows |
 | Windows | Interstage Application Server Plus V7.0 for Windows |
 | Windows | Interstage Application Server Plus Developer V7.0 for Windows |
 | Windows | Interstage Apworks Modelers-J Edition V7.0 for Windows |
 | Solaris | Interstage Application Server Enterprise Edition 7.0 |
 | Solaris | Interstage Application Server Plus 7.0 |
Corresponding system | PRIMEPOWER, Sun-compatible machine, PRIMERGY, GP5000, CELSIUS, FMV, AT-compatible machine | |
Impact | The vulnerability can be exploited as a method of attack such as phishing. | |
Method to temporarily avoid the problem | None | |
Patch | Some | |
1. Background
There is a vulnerability in Interstage Application Server single sign-on authentication. It may allow an attacker to lead a user to an unexpected website. As a result, the vulnerability can be exploited in attacks such as phishing.
Fujitsu provides the security patches listed in section 5. Please apply them as soon as possible.
2. Range of corresponding system(s)
Corresponding command/file | Products | Target OS |
---|---|---|
F3FMssoatcag.dll, F3FMssomsg.dll, F3FMssoutils.dll | Interstage Application Server Enterprise Edition V7.0 for Windows | Windows |
F3FMssoatcag.dll, F3FMssomsg.dll, F3FMssoutils.dll | Interstage Application Server Plus V7.0 for Windows | Windows |
F3FMssoatcag.dll, F3FMssomsg.dll, F3FMssoutils.dll | Interstage Application Server Plus Developer V7.0 for Windows | Windows |
F3FMssoatcag.dll, F3FMssomsg.dll, F3FMssoutils.dll | Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows |
ssoatcag.so, libssoutils.so | Interstage Application Server Enterprise Edition 7.0 | Solaris |
ssoatcag.so, libssoutils.so | Interstage Application Server Plus 7.0 | Solaris |
3. Detected problem(s)
There is a vulnerability in Interstage Application Server single sign-on authentication. It may allow an attacker to lead a user to an unexpected website. As a result, the vulnerability can be exploited in attacks such as phishing.
4. Method to temporarily avoid the problem
None.
5. Patch information
Products | Target OS | Package name | Package ID |
---|---|---|---|
Interstage Application Server Enterprise Edition V7.0 for Windows | Windows | F3FMsso | TP37489* |
Interstage Application Server Plus V7.0 for Windows | Windows | F3FMsso | TP37489* |
Interstage Application Server Plus Developer V7.0 for Windows | Windows | F3FMsso | TP37489* |
Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows | F3FMsso | TP37489* |
Interstage Application Server Enterprise Edition 7.0 | Solaris | FJSVssoac | T013NS-01* |
Interstage Application Server Enterprise Edition 7.0 | Solaris | FJSVssocm | T013PS-01* |
Interstage Application Server Plus 7.0 | Solaris | FJSVssoac | T013NS-01* |
Interstage Application Server Plus 7.0 | Solaris | FJSVssocm | T013PS-01* |
* For patches without an ID or link, please contact a Fujitsu system engineer or your partner(s).
6. Revision history
- June 23rd, 2005: Initial release