Cross site scripting (XSS) and denial of service (DoS) vulnerabilities in Interstage HTTP Server. December 25th, 2008
1. Background and Detected problem(s)
The following security vulnerabilities have been detected in the Interstage HTTP Server, which is provided by Interstage Application Server, Interstage Apworks, Interstage Studio, Interstage Business Application Server, and Interstage Job Workload Server.
- Cross site scripting (XSS) in the server status monitoring functionality
This problem is applicable to CVE-2006-5752. - Denial of service (DoS) in cache functionality
This problem is applicable to CVE-2007-1863. - Denial of service (DoS) in sending the specified process signals
This problem is applicable to CVE-2007-3304. - Denial of service (DoS) in proxy functionality
This problem is applicable to CVE-2007-3847. - Denial of service (DoS) in receiving particular requests
This problem may occur in the following types of products:
- Windows products in which the following urgent corrections have been applied.
- TP08940
- TP38940 - The following Windows(IPF) product is applicable:
- Interstage Application Server Enterprise Edition 8.0.0 for Windows
- Windows products in which the following urgent corrections have been applied.
- Denial of service (DoS) in the operation using SSL
This problem may occur in the following types of products:- Solaris products in which the following urgent corrections have been applied.
- T023AS-03
- Solaris products in which the following urgent corrections have been applied.
Fujitsu provides security patches shown in 3.
Please apply them as soon as possible.
2. Method to temporarily avoid the problem
None.
3. Corresponding system and Patch information
Corresponding system: GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise
Note) The effect of each vulnerability differs for each product. Please refer to the symbol in brackets following the product name and the following categories.
[a]: The effect of CVE-2006-5752
[b]: The effect of CVE-2007-1863
[c]: The effect of CVE-2007-3304
[d]: The effect of CVE-2007-3847
[e]: The effect of DoS problems in receiving particular requests
[f]: The effect of DoS problems in the operation using SSL
| Products | Target OS | Package name | Patch ID. |
|---|---|---|---|
| Interstage Application Server Enterprise Edition V5.0 for Windows [a,d,e] | Windows | F3FMihs | TP09823* |
| Interstage Application Server Standard Edition V5.0 for Windows [a,d,e] | Windows | F3FMihs | TP09823* |
| Interstage Application Server Web-J Edition V5.0 for Windows [a,d,e] | Windows | F3FMihs | TP09823* |
| Interstage Application Server Plus V5.0.1 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Plus Developer V5.0.1 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Enterprise Edition V6.0 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Plus V6.0 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Plus Developer V6.0 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Enterprise Edition V7.0 for Windows [a,d,e] | Windows | F3FMihs | TP39823* |
| Interstage Application Server Plus V7.0 for Windows [a,d,e] | Windows | F3FMihs | TP39823* |
| Interstage Application Server Plus Developer V7.0 for Windows [a,d,e] | Windows | F3FMihs | TP39823* |
| Interstage Application Server Enterprise Edition V7.0.1 for Windows [a,d,e] | Windows | F3FMihs | TP39823* |
| Interstage Application Server Plus V7.0.1 for Windows [a,d,e] | Windows | F3FMihs | TP39823* |
| Interstage Application Server Enterprise Edition 8.0.0 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Standard-J Edition 8.0.0 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Enterprise Edition 8.0.1 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Standard-J Edition 8.0.1 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Enterprise Edition 8.0.2 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Standard-J Edition 8.0.2 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Application Server Enterprise Edition V9.0.0 for Windows [a,b,d] | Windows | F3FMihs | * |
| Interstage Application Server Standard-J Edition V9.0.0 for Windows [a,b,d] | Windows | F3FMihs | * |
| Interstage Application Server Enterprise Edition V9.0.0A for Windows [a,b,d] | Windows | F3FMihs | * |
| Interstage Application Server Standard-J Edition V9.0.0A for Windows [a,b,d] | Windows | F3FMihs | * |
| Interstage Application Server Enterprise Edition 5.0 [a,c,d] | Solaris | FJSVihs | 912327-11* |
| Interstage Application Server Standard Edition 5.0 [a,c,d] | Solaris | FJSVihs | 912327-11* |
| Interstage Application Server Web-J Edition 5.0 [a,c,d] | Solaris | FJSVihs | 912327-11* |
| Interstage Application Server Enterprise Edition 5.0.1 [a,c,d] | Solaris | FJSVihs | * |
| Interstage Application Server Enterprise Edition 6.0 [a,c,d] | Solaris | FJSVihs | T0103S-07* |
| Interstage Application Server Enterprise Edition 7.0 [a,c,d] | Solaris | FJSVihs | T013RS-06* |
| Interstage Application Server Plus 7.0 [a,c,d] | Solaris | FJSVihs | T013RS-06* |
| Interstage Application Server Enterprise Edition 7.0.1 [a,c,d,f] | Solaris | FJSVihs | T023AS-05* |
| Interstage Application Server Plus 7.0.1 [a,c,d,f] | Solaris | FJSVihs | T023AS-05* |
| Interstage Application Server Enterprise Edition 8.0.0 [a,c,d] | Solaris | FJSVihs | * |
| Interstage Application Server Standard-J Edition 8.0.0 [a,c,d] | Solaris | FJSVihs | * |
| Interstage Application Server Enterprise Edition 8.0.2 [a,c,d] | Solaris | FJSVihs | * |
| Interstage Application Server Standard-J Edition 8.0.2 [a,c,d] | Solaris | FJSVihs | * |
| Interstage Application Server Enterprise Edition V9.0.0 [a,b,c] | Solaris | FJSVihs | * |
| Interstage Application Server Standard-J Edition V9.0.0 [a,b,c] | Solaris | FJSVihs | * |
| Interstage Application Server Enterprise Edition V5.0 [a,c,d] | Turbolinux 7 Server | FJSVihs | T00019-10* |
| Interstage Application Server Standard Edition V5.0 [a,c,d] | Turbolinux 7 Server | FJSVihs | T00019-10* |
| Interstage Application Server Web-J Edition V5.0 [a,c,d] | Turbolinux 7 Server | FJSVihs | T00019-10* |
| Interstage Application Server Enterprise Edition V6.0 [a,c,d] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | * |
| Interstage Application Server Enterprise Edition V7.0 [a,c,d] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | T00603-05* |
| Interstage Application Server Plus V7.0 [a,c,d] | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | T00603-05* |
| Interstage Application Server Enterprise Edition V7.0.1 [a,c,d] | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | T00603-05* |
| Interstage Application Server Plus V7.0.1 [a,c,d] | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | T00603-05* |
| Interstage Application Server Enterprise Edition 8.0.0 [a,c,d] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | * |
| Interstage Application Server Standard-J Edition 8.0.0 [a,c,d] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | * |
| Interstage Application Server Enterprise Edition 8.0.2 [a,c,d] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | * |
| Interstage Application Server Standard-J Edition 8.0.2 [a,c,d] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | * |
| Interstage Application Server Enterprise Edition V9.0.0 [a,b,c] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | * |
| Interstage Application Server Enterprise Edition V9.0.0 [a,b,c] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | * |
| Interstage Application Server Standard-J Edition V9.0.0 [a,b,c] | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | * |
| Interstage Application Server Standard-J Edition V9.0.0 [a,b,c] | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | * |
| Interstage Application Server Enterprise Edition V7.0 [a,c,d] | RHEL-AS4(IPF) | FJSVihs | * |
| Interstage Application Server Enterprise Edition 8.0.0 [a,c,d] | RHEL-AS4(IPF) | FJSVihs | * |
| Interstage Application Server Enterprise Edition 8.0.1 [a,c,d] | RHEL-AS4(IPF) | FJSVihs | * |
| Interstage Application Server Enterprise Edition 8.0.2 [a,c,d] | RHEL-AS4(IPF) | FJSVihs | * |
| Interstage Application Server Enterprise Edition V9.0.0 [a,b,c] | RHEL-AS4(IPF) | FJSVihs | * |
| Interstage Application Server Enterprise Edition V9.0.0 [a,b,c] | RHEL5(IPF) | FJSVihs | * |
| Interstage Application Server Standard-J Edition V9.0.0 [a,b,c] | RHEL-AS4(IPF) | FJSVihs | * |
| Interstage Application Server Standard-J Edition V9.0.0 [a,b,c] | RHEL5(IPF) | FJSVihs | * |
| Interstage Application Server Enterprise Edition 8.0.0 for Windows [a,d,e] | Windows(IPF) | F3FMihs | * |
| Interstage Application Server Enterprise Edition V9.0.0 for Windows [a,b,d] | Windows(IPF) | F3FMihs | * |
| Interstage Application Server Standard-J Edition V9.0.0 for Windows [a,b,d] | Windows(IPF) | F3FMihs | * |
| Products | Target OS | Package name | Patch ID. |
|---|---|---|---|
| Interstage Apworks Modelers-J Edition V6.0 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Apworks Modelers-J Edition V6.0A for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Apworks Modelers-J Edition V7.0 for Windows [a,d,e] | Windows | F3FMihs | TP39823* |
| Interstage Apworks Enterprise Edition 8.0.0 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Apworks Standard-J Edition 8.0.0 for Windows [a,d] | Windows | F3FMihs | * |
| Products | Target OS | Package name | Patch ID. |
|---|---|---|---|
| Interstage Studio Enterprise Edition 8.0.1 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Studio Standard-J Edition 8.0.1 for Windows [a,d] | Windows | F3FMihs | * |
| Interstage Studio Enterprise Edition V9.0.0 for Windows [a,b,d] | Windows | F3FMihs | * |
| Interstage Studio Standard-J Edition V9.0.0 for Windows [a,b,d] | Windows | F3FMihs | * |
| Products | Target OS | Package name | Patch ID. |
|---|---|---|---|
| Interstage Business Application Server Enterprise Edition 8.0.0 [a,c,d] | RHEL-AS4(IPF) | FJSVihs | * |
| Products | Target OS | Package name | Patch ID. |
|---|---|---|---|
| Interstage Job Workload Server 8.1.0 [a,c,d] | RHEL-AS4(IPF) | FJSVihs | * |
* For the Patches without ID nor link, please contact a Fujitsu system engineer or your partner(s).
4. Revision history
- December 25th, 2008: 3rd edition:
- deleted "FMV series" of "Corresponding system"
- The following products have been added to "3. Corresponding system and Patch information":
Interstage Application Server Standard-J Edition V9.0.0 for Windows Windows(IPF) - Products which corresponded to [c], and [d] of "3. Corresponding system and Patch information" were changed.
- "Patch ID" of "3. Corresponding system and Patch information" were changed.
The table below maps the 2nd edition and the 3rd edition.
| 2nd edition | 3rd edition | ||
|---|---|---|---|
| Patch ID | fixed problem | Patch ID | fixed problem |
| TP09615 | a, e | TP09823 | a, d, e |
| TP39615 | a, e | TP39823 | a, d, e |
| 912327-10 | a | 912327-11 | a, c, d |
| T0103S-06 | a | T0103S-07 | a, c, d |
| T013RS-05 | a | T013RS-06 | a, c, d |
| T023AS-04 | a, f | T023AS-05 | a, c, d, f |
| T00019-09 | a | T00019-10 | a, c, d |
| T00603-04 | a | T00603-05 | a, c, d |
- January 24th, 2008: 2nd edition:
Products which corresponded to [b], [c], and [d] of "3. Corresponding system and Patch information" were corrected. - January 22nd, 2008: Initial release
