Interstage Application Server: Information Disclosure Vulnerabilities (CVE-2008-2370/CVE-2008-5515). October 27th, 2010
1. Description
Information disclosure vulnerabilities have been confirmed in the Servlet Service.
Fujitsu provides a workaround, as described in "3. Affected systems and corresponding action".
Please apply it as soon as possible.
2. Impact
A remote third party can obtain contents and internal information of a web application whose access is restricted.
For a severity assessment of this vulnerability, see JVN and IPA information in "4. Related information" (Japanese only).
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, SPARC Enterprise, PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machines, PRIMEQUEST
3-2. Affected products and required patch
Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Application Server Enterprise Edition 6.0 | Solaris 7, 8, 9 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition 7.0 | Solaris 8, 9 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V9.0.0 | Solaris 9, 10 | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.0.0 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V9.1.0 | Solaris 9, 10 | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.1.0 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V9.1.0B | Solaris 9, 10 | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V9.0.0 | Solaris 9, 10 | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.0.0 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V9.1.0 | Solaris 9, 10 | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.1.0 | Solaris 9, 10 | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V9.1.0B | Solaris 9, 10 | FJSVjs5 | * |
Interstage Application Server Plus 7.0 | Solaris 8, 9 | FJSVjs4 | * |
Interstage Application Server Plus 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
Interstage Application Server Enterprise Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
Interstage Application Server Enterprise Edition V9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V9.1.0B for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
Interstage Application Server Standard-J Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
Interstage Application Server Standard-J Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
Interstage Application Server Standard-J Edition V9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V9.1.0B for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
Interstage Application Server Plus V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | * |
Interstage Application Server Plus V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Plus V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
Interstage Application Server Plus Developer V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | * |
Interstage Application Server Plus Developer V7.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs5 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V9.1.0 for Windows | Windows Server 2008(IPF)/ Windows Server 2003(IPF) | F3FMjs5 | * |
Interstage Application Server Enterprise Edition V9.1.0 for Windows | Windows Server 2008(IPF)/ Windows Server 2003(IPF) | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs5 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs4 | * |
Interstage Application Server Standard-J Edition V9.1.0 for Windows | Windows Server 2008(IPF)/ Windows Server 2003(IPF) | F3FMjs5 | * |
Interstage Application Server Standard-J Edition V9.1.0 for Windows | Windows Server 2008(IPF)/ Windows Server 2003(IPF) | F3FMjs4 | * |
Interstage Application Server Enterprise Edition V6.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V7.0.1 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V9.1.0B for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.1.0B for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V9.1.0B for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.1.0B for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | * |
Interstage Application Server Plus V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
Interstage Application Server Plus V7.0.1 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.1 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL5(IPF) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V9.0.0A for Linux | RHEL-AS4(IPF) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.0.0A for Linux | RHEL5(IPF) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.0.0A for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL5(IPF) | FJSVjs5 | * |
Interstage Application Server Enterprise Edition V9.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL5(IPF) | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL5(IPF) | FJSVjs5 | * |
Interstage Application Server Standard-J Edition V9.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Apworks Modelers-J Edition V6.0 for Windows | Windows 2000 Server/ Windows XP | F3FMjs4 | * |
Interstage Apworks Modelers-J Edition V6.0A for Windows | Windows 2000 Server/ Windows XP | F3FMjs4 | * |
Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
Interstage Studio Enterprise Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
Interstage Studio Enterprise Edition 9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | * |
Interstage Studio Enterprise Edition 9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | * |
Interstage Studio Enterprise Edition 9.1.0B for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | * |
Interstage Studio Standard-J Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
Interstage Studio Standard-J Edition 9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | * |
Interstage Studio Standard-J Edition 9.1.0 for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | * |
Interstage Studio Standard-J Edition 9.1.0B for Windows | Windows Server 2008/ Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | * |
Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Business Application Server Enterprise Edition 8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
Products | Target OS | Package name | Patch ID. |
---|---|---|---|
Interstage Job Workload Server 8.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
* For patches without an ID or link, please contact a Fujitsu system engineer or your partner(s).
Note: Determining the affected product
- Determining the version and level of the product
  - [V6 series]
    - Solaris: To see package information on the FJSVisas package, execute the following command:
      pkginfo -l FJSVisas
    - Windows: See the title in the Software Release Guide:
      [Start] -> [Programs] -> [Interstage] -> [Application Server | Apworks] -> [Software Release Guide]
    - Linux: To see package information on the FJSVisas package, execute the following command:
      rpm -q FJSVisas
  - [V7 series or later]
    - Use the isprintvl command:
      isprintvl
- Determining the affected web applications
  Whether a web application is affected by the vulnerabilities depends on the application's configuration.
  If "Condition 1" is not satisfied, your system is not affected by the vulnerabilities.
  If only "Condition 1" is satisfied, or both "Condition 1" and "Condition 2" are satisfied, please contact our support representative for the workaround.
  - Condition 1: All of the following conditions (i to iii) are satisfied.
    - i. A web application invokes one of the following Servlet APIs or JSP actions:
      - The forward or include method of the object obtained by javax.servlet.ServletContext#getRequestDispatcher(path)
      - The forward or include method of the object obtained by javax.servlet.ServletRequest#getRequestDispatcher(path)
      - The <jsp:forward page="path"> action of JSP
      - The <jsp:include page="path"> action of JSP
    - ii. The argument "path" in i includes a query string which starts with '?'.
    - iii. The web application includes data sent from a client in the query string of ii.
  - Condition 2: Access restriction to specific contents in a web application is configured by one or more of the following means (i to iii).
    If access to all contents in a web application is restricted, this condition is not applicable.
    - i. Access restriction is used in a web application according to the Servlet specification:
      the web application environment definition file (deployment descriptor: web.xml) has a security-constraint tag.
      Affected example: restrict access to only "Hello" by the <security-constraint> tag
      ```xml
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Hello</web-resource-name>
          <url-pattern>/Hello.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>Administrator</role-name>
        </auth-constraint>
      </security-constraint>
      ```
      Not affected example: restrict access to all contents by the <security-constraint> tag
      ```xml
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>all</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>Administrator</role-name>
        </auth-constraint>
      </security-constraint>
      ```
    - ii. Access to the URL for Servlet service applications is restricted in a web server.
      Affected example: the configuration file of Interstage HTTP Server as a web server (httpd.conf), restricting access to only "Hello"
      ```apache
      <Location /j2eesample/hello.jsp>
        Order deny,allow
        Deny from all
        Allow from 192.168.1.1
      </Location>
      ```
      Not affected example: restrict access to all contents
      ```apache
      <Location /j2eesample>
        Order deny,allow
        Deny from all
        Allow from 192.168.1.1
      </Location>
      ```
    - iii. Access to specific contents in a web application is restricted in another way, such as the following a or b:
      - a. The web application implements an access restriction function by itself.
      - b. Access restriction is done by hardware or software on the network other than a web server.
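A triage script for the two conditions above, added here as an example and not part of Fujitsu's advisory or of Interstage itself: it parses web.xml for partial security constraints (Condition 2, web.xml case only) and scans servlet and JSP source for forward/include paths whose query string is built from client data (Condition 1). The list of client-data method names is a heuristic chosen for this script, and the sample web.xml and source snippets are constructed.

```python
import re
import xml.etree.ElementTree as ET
# Client-supplied inputs that may end up in a forward/include query string
# (heuristic name list chosen for this script, not taken from the advisory).
CLIENT_DATA_RE = re.compile(r"getParameter|getQueryString|getHeader|getCookies"
                            r"|getPathInfo|getRequestURI|\$\{param|<%=")
JSP_ACTION_RE = re.compile(r'<jsp:(?:forward|include)\s+page\s*=\s*"([^"]*)"', re.I)

def _dispatcher_args(source):
    """Yield the paren-balanced argument text of each getRequestDispatcher(...) call."""
    for m in re.finditer(r"getRequestDispatcher\s*\(", source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"(": 1, ")": -1}.get(source[i], 0)
            i += 1
        yield source[m.end():i - 1]

def condition1(source):
    """Condition 1: a dispatcher path or jsp:forward/include page has a '?' query string built from client data."""
    paths = list(_dispatcher_args(source)) + JSP_ACTION_RE.findall(source)
    return any("?" in p and CLIENT_DATA_RE.search(p) for p in paths)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the web-app XML namespace, if any

def condition2(web_xml):
    """Condition 2 (web.xml case): only part of the application is protected; '/*' protects all, so not applicable."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue  # without an auth-constraint nothing is actually restricted
        patterns += [p.text.strip() for p in sc.iter()
                     if _local(p.tag) == "url-pattern" and p.text]
    return bool(patterns) and "/*" not in patterns

def assess(web_xml, sources):
    """Advisory rule: no Condition 1 means not affected; Condition 1 means contact support."""
    hits = sorted(n for n, src in sources.items() if condition1(src))
    return {"condition1_files": hits, "condition2": condition2(web_xml),
            "contact_support": bool(hits)}
# Constructed sample input, modelled on the advisory's "Affected example".
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection><web-resource-name>Hello</web-resource-name>
      <url-pattern>/Hello.jsp</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
  </security-constraint></web-app>"""
SAMPLE_SOURCES = {  # constructed: parameter in query string (hit), fixed query (no hit), JSP action (hit)
    "Menu.java": 'getServletContext().getRequestDispatcher("/Menu.jsp?user="'
                 ' + request.getParameter("user")).forward(request, response);',
    "Index.java": 'request.getRequestDispatcher("/Index.jsp?lang=en").forward(request, response);',
    "list.jsp": "<jsp:include page=\"body.jsp?sort=<%= request.getParameter('sort') %>\" />",
}
```

The script covers only the web.xml variant of Condition 2; httpd.conf Location blocks and application-level or network-level restrictions (ii and iii above) still need manual review.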
3-3. Workaround
We provide the workaround via our support representative, so please contact us.
4. Related information
This problem corresponds to a vulnerability in Apache Tomcat.
- CVE-2008-2370 / CVE-2008-5515: Tomcat information disclosure vulnerability
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
- JVN#63832775: Apache Tomcat information disclosure vulnerability
  http://jvn.jp/en/jp/JVN63832775/index.html
5. Revision history
- October 27th, 2010 : 2nd edition. The following were updated in "3-2. Affected products and required patch".
  - Added the products listed below.
    - Interstage Application Server Enterprise Edition V9.1.0B
    - Interstage Application Server Standard-J Edition V9.1.0B
    - Interstage Application Server Enterprise Edition V9.1.0B for Windows
    - Interstage Application Server Standard-J Edition V9.1.0B for Windows
    - Interstage Application Server Enterprise Edition V9.1.0B for Linux
    - Interstage Application Server Standard-J Edition V9.1.0B for Linux
    - Interstage Studio Enterprise Edition 9.1.0B for Windows
    - Interstage Studio Standard-J Edition 9.1.0B for Windows
  - Added or deleted target OS entries for some products.
- June 9th, 2009 : Initial release