Vulnerability in Interstage Application Server Single Sign-on Authentication
June 23rd, 2005

This bulletin provides security information about vulnerabilities reported to CERT/CC (the coordination center) or detected by Fujitsu's own examination, as of the publication date.

Products developed by third parties may be included as subject products. Information about such third-party products may be identical to the information provided by the respective third party.

The contents of this bulletin are provided "AS IS" without warranties of any kind, either express or implied (including, without limitation, any implied warranty of merchantability, fitness for a particular purpose and non-infringement). In no event shall Fujitsu be liable for any direct, indirect, special, incidental, consequential, punitive, or any other damages of any kind, including, without limitation, loss of profits and loss of data incurred by a customer arising out of, or in connection with, the use or non-use of any information in this bulletin, even if Fujitsu has been advised of the possibility of such damages.

The information contained in this bulletin will be updated from time to time without notice. Therefore, all customers are advised to always ascertain the latest information. In case of redistribution of this security bulletin, the full text of this statement shall be reproduced.


[Outline]
Problem: Vulnerability in Interstage Application Server Single Sign-on Authentication.
Manufacturer: Fujitsu Limited
Corresponding products:
  Windows
    Interstage Application Server Enterprise Edition V7.0 for Windows
    Interstage Application Server Plus V7.0 for Windows
    Interstage Application Server Plus Developer V7.0 for Windows
    Interstage Apworks Modelers-J Edition V7.0 for Windows
  Solaris
    Interstage Application Server Enterprise Edition 7.0
    Interstage Application Server Plus 7.0
Corresponding systems: PRIMEPOWER, Sun-compatible machine, PRIMERGY, GP5000, CELSIUS, FMV, AT-compatible machine
Impact: The vulnerability can be exploited as part of an attack such as phishing.
Method to temporarily avoid the problem: None
Patch: Available (see 5)

1. Background

There is a vulnerability in Interstage Application Server single sign-on authentication. It may allow an attacker to lead a user to a website the user did not intend to visit. As a result, the vulnerability can be exploited as part of an attack such as phishing.

Fujitsu provides the security patches listed in section 5.
Please apply them as soon as possible.


2. Range of corresponding system(s)

Corresponding command/file, by product and target OS:

  Windows (affected files: F3FMssoatcag.dll, F3FMssomsg.dll, F3FMssoutils.dll)
    Interstage Application Server Enterprise Edition V7.0 for Windows
    Interstage Application Server Plus V7.0 for Windows
    Interstage Application Server Plus Developer V7.0 for Windows
    Interstage Apworks Modelers-J Edition V7.0 for Windows

  Solaris (affected files: ssoatcag.so, libssoutils.so)
    Interstage Application Server Enterprise Edition 7.0
    Interstage Application Server Plus 7.0


3. Detected problem(s)

There is a vulnerability in Interstage Application Server single sign-on authentication. It may allow an attacker to lead a user to a website the user did not intend to visit. As a result, the vulnerability can be exploited as part of an attack such as phishing.
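The bulletin does not state which request parameter or step of the single sign-on flow carries the redirect target. The following is an added, generic example of the defensive check for this vulnerability class (validating a post-authentication return URL against an allowlist before redirecting), written by the editor for illustration; it is not Fujitsu's or Interstage's code, and the hostnames and sample targets are constructed. It goes beyond the bulletin in that it also handles the common allowlist bypasses (scheme-relative URLs, userinfo tricks, backslashes, subdomain look-alikes, non-HTTP schemes).

```python
"""Allowlist check for a post-login return URL (added illustration, not Interstage code)."""
from urllib.parse import urlsplit

# Constructed allowlist: hosts the SSO server may legitimately send a user to.
ALLOWED_HOSTS = {"sso.example.test", "app.example.test"}


def is_safe_return_url(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if redirecting to `target` keeps the user on an allowed host.

    Rules:
      * reject empty targets and any control characters or backslashes
        (browsers treat '\\' like '/' in http(s) URLs, so '/\\evil' becomes '//evil');
      * absolute URLs must be http(s) and their *parsed* hostname must be allowlisted
        (this defeats 'https://app.example.test@evil.example' and look-alike subdomains);
      * scheme-relative URLs ('//host/...') are checked the same way;
      * otherwise the target must be a site-relative path with exactly one leading slash
        ('///evil.example' is treated by browsers as a host, so it is rejected).
    """
    if not target or any(c in target for c in "\\\r\n\t\x00"):
        return False
    parts = urlsplit(target)
    if parts.scheme:  # absolute URL
        if parts.scheme not in ("http", "https"):  # urlsplit lowercases the scheme
            return False
        return (parts.hostname or "") in allowed_hosts  # .hostname is lowercased
    if parts.netloc:  # scheme-relative: //host/path
        return (parts.hostname or "") in allowed_hosts
    # Relative target: must be an absolute path, and not a disguised authority.
    return target.startswith("/") and not target.startswith("//")


def choose_redirect(target: str, default: str = "/") -> str:
    """Location header value to use after authentication: the target if safe, else default."""
    return target if is_safe_return_url(target) else default


# Constructed sample inputs an attacker or a legitimate client might supply.
SAMPLE_TARGETS = [
    "/portal/home",                                   # legitimate relative path
    "https://app.example.test/dashboard",             # legitimate absolute URL
    "https://evil.example/login",                     # plain off-site redirect
    "//evil.example/login",                           # scheme-relative
    "///evil.example/login",                          # extra slashes, browser reads as host
    "/\\evil.example/login",                          # backslash, browser reads as //
    "https://app.example.test@evil.example/",         # userinfo trick
    "https://app.example.test.evil.example/",         # subdomain look-alike
    "javascript:alert(document.domain)",              # non-HTTP scheme
]


def classify(targets=SAMPLE_TARGETS) -> dict:
    """Map each sample target to the redirect that would actually be issued."""
    return {t: choose_redirect(t) for t in targets}


if __name__ == "__main__":
    for target, dest in classify().items():
        verdict = "ALLOW" if dest == target else "BLOCK"
        print(f"{verdict:5} {target!r} -> {dest!r}")
```

The check deliberately compares the parsed hostname, not the raw string, and refuses anything it cannot classify; a prefix or substring match on the allowed host name is exactly what the look-alike and userinfo cases above slip past.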


4. Method to temporarily avoid the problem

None.


5. Patch information

Products, target OS, package name and package ID:

  Windows: package name F3FMsso, package ID TP37489*
    Interstage Application Server Enterprise Edition V7.0 for Windows
    Interstage Application Server Plus V7.0 for Windows
    Interstage Application Server Plus Developer V7.0 for Windows
    Interstage Apworks Modelers-J Edition V7.0 for Windows

  Solaris: package name FJSVssoac, package ID T013NS-01*
           package name FJSVssocm, package ID T013PS-01*
    Interstage Application Server Enterprise Edition 7.0
    Interstage Application Server Plus 7.0


* For patches without an ID link, please contact a Fujitsu system engineer or your partner(s).


6. Revision history

  • June 23rd, 2005: Initial release
