Web Root Path Disclosure Vulnerability in Interstage Application Server. October 9th, 2007
1. Background and Detected problem(s)
A Web root path disclosure vulnerability has been discovered in the Tomcat 4.1-based Servlet Service.
An error page containing the root path of the Web application (the physical path of the document root) may be returned to remote attackers.
2. Method to avoid the problem
Add the following JavaVM option (Note1) in the IJServer WorkUnit settings.
-Dsun.io.useCanonCaches=false
Note1) Set the option in the following input form.
- Interstage Management Console ->
- Interstage Application Server ->
- System ->
- WorkUnit ->
- [WorkUnit(IJServer) Name] ->
- Settings ->
- WorkUnit Settings ->
- Java VM Options
Fujitsu has confirmed this vulnerability as a problem of the Tomcat 4.1-based Servlet Service. However, because it was a problem concerning the JavaVM option, this problem is scheduled to be corrected in a future version of the Interstage Application Server.
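To confirm that the workaround took effect, error-page bodies captured before and after the change can be checked for physical Windows paths. The following is an added example, not Fujitsu's code; the sample response bodies, the paths in them and the function names are constructed for illustration.

```python
import html
import re

# Windows drive-letter path: letter, ":", a slash or backslash, then path characters.
# The lookbehind rejects a letter that ends a longer word, so the "p:" in
# "http://" is not taken for a drive. Matching stops at whitespace, so a path
# containing spaces is still flagged but reported truncated at the first space.
DRIVE_PATH = re.compile(r'(?<![A-Za-z0-9])[A-Za-z]:[\\/][^\s:*?"<>|]+')


def find_disclosed_paths(body: str) -> list[str]:
    """Return the distinct physical paths found in one response body."""
    # Error pages may entity-encode the backslash (&#92;), so decode first.
    text = html.unescape(body)
    found = []
    for match in DRIVE_PATH.finditer(text):
        path = match.group(0).rstrip(").,;'")  # drop trailing punctuation
        if path not in found:
            found.append(path)
    return found


def check_responses(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each response label to its leaked paths; clean responses are omitted."""
    report = {}
    for label, body in responses.items():
        paths = find_disclosed_paths(body)
        if paths:
            report[label] = paths
    return report


# Constructed sample bodies (not real Interstage output).
SAMPLES = {
    "before": r"<h1>HTTP Status 404</h1><p>The requested resource "
              r"(D:\webroot\apps\sample\nofile.jsp) is not available.</p>",
    "encoded": "<pre>Path: E:&#92;docroot&#92;index.jsp</pre>",
    "after": "<p>The requested resource (/sample/nofile.jsp) is not "
             "available. See http://example.invalid/help</p>",
}

if __name__ == "__main__":
    for label, paths in check_responses(SAMPLES).items():
        print(f"{label}: physical path disclosed: {paths}")
```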
3. Corresponding system and Patch information
Corresponding system: PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machine, PRIMEQUEST
Products | Target OS | Package name |
---|---|---|
Interstage Application Server Enterprise Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Enterprise Edition 8.0.0 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Enterprise Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Enterprise Edition 8.0.2 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Enterprise Edition 8.0.3 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Enterprise Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Standard Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Standard-J Edition 8.0.0 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Standard-J Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Standard-J Edition 8.0.2 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Standard-J Edition 8.0.3 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Standard-J Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Plus V7.0 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Plus V7.0.1 for Windows | Windows Server 2003/ Windows 2000 | FJSVj2ee |
Interstage Application Server Plus Developer V7.0 for Windows | Windows Server 2003/ Windows 2000/ Windows XP | FJSVj2ee |
Interstage Application Server Enterprise Edition 8.0.0 for Windows | Windows Server 2003(IPF) | FJSVj2ee |
Interstage Application Server Enterprise Edition 8.0.3 for Windows | Windows Server 2003(IPF) | FJSVj2ee |
Products | Target OS | Package name |
---|---|---|
Interstage Apworks Enterprise Edition 8.0.0 for Windows | Windows Server 2003/ Windows 2000/ Windows XP | FJSVj2ee |
Interstage Apworks Standard-J Edition 8.0.0 for Windows | Windows Server 2003/ Windows 2000/ Windows XP | FJSVj2ee |
Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows Server 2003/ Windows 2000/ Windows XP | FJSVj2ee |
Interstage Studio Enterprise Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000/ Windows XP | FJSVj2ee |
Interstage Studio Enterprise Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000/ Windows XP/ Windows Vista | FJSVj2ee |
Interstage Studio Standard-J Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000/ Windows XP | FJSVj2ee |
Interstage Studio Standard-J Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000/ Windows XP/ Windows Vista | FJSVj2ee |
Note2) For the patches, please see "2. Method to avoid the problem".
4. Revision history
- October 9th, 2007 : Initial release