Interstage Application Server: Vulnerable in request processing. May 17th, 2010
1. Description
There is a vulnerability in the Servlet service included in Interstage Application Server in which a specific request may not be processed properly.
Fujitsu provides the security patches listed in section 3 below.
Please apply them as soon as possible.
2. Impact
The specific impact depends on the implementation of the web application.
The following things may happen.
- illegal request execution
- information leak of other users
For the severity of this vulnerability, see the JVN/IPA information in "4. Related information" (Japanese only).
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machine
3-2. Affected products and required patch
Product | Target OS | Package name | Patch ID |
---|---|---|---|
INTERSTAGE Application Server Enterprise Edition 3.0 (with standard encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 910679-19* |
INTERSTAGE Application Server Enterprise Edition 3.0 (with strong encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 910679-19* |
INTERSTAGE Application Server Standard Edition 3.0 (with standard encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 910675-19* |
INTERSTAGE Application Server Standard Edition 3.0 (with strong encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 910675-19* |
INTERSTAGE Application Server Enterprise Edition 4.0 (with Non Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911367-12* |
INTERSTAGE Application Server Enterprise Edition 4.0 (with Strong Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911367-12* |
INTERSTAGE Application Server Standard Edition 4.0 (with Non Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911368-12* |
INTERSTAGE Application Server Standard Edition 4.0 (with Strong Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911368-12* |
INTERSTAGE Application Server Web-J Edition 4.0 (with Non Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911562-11* |
INTERSTAGE Application Server Web-J Edition 4.0 (with Strong Encryption) | Solaris 2.6, 7, 8 | FJSVjs2 | 911562-11* |
Interstage Application Server Enterprise Edition 5.0 (with Strong Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912193-11* |
Interstage Application Server Enterprise Edition 5.0 (with Non Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912193-11* |
Interstage Application Server Standard Edition 5.0 (with Strong Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912194-11* |
Interstage Application Server Standard Edition 5.0 (with Non Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912194-11* |
Interstage Application Server Web-J Edition 5.0 (with Strong Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912195-11* |
Interstage Application Server Web-J Edition 5.0 (with Non Encryption) | Solaris 7, 8, 9 | FJSVjs2 | 912195-11* |
Interstage Application Server Enterprise Edition 5.0.1 (with Strong Encryption) | Solaris 7, 8, 9 | FJSVjs2 | * |
Interstage Application Server Enterprise Edition 6.0 | Solaris 8, 9 | FJSVjs2 | * |
Interstage Application Server Enterprise Edition 7.0 | Solaris 8, 9 | FJSVjs2 | * |
Interstage Application Server Standard Edition 7.0 | Solaris 8, 9 | FJSVjs2 | * |
Interstage Application Server Plus 7.0 | Solaris 8, 9 | FJSVjs2 | * |
Interstage Application Server Enterprise Edition 7.0.1 | Solaris 8, 9, 10 | FJSVjs2 | * |
Interstage Application Server Plus 7.0.1 | Solaris 8, 9, 10 | FJSVjs2 | * |
INTERSTAGE Application Server Enterprise Edition V3.0 (with strong encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
INTERSTAGE Application Server Enterprise Edition V3.0 (with standard encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
INTERSTAGE Application Server Standard Edition V3.0 (with strong encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
INTERSTAGE Application Server Standard Edition V3.0 (with standard encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
INTERSTAGE Application Server Enterprise Edition V4.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
INTERSTAGE Application Server Enterprise Edition V4.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
INTERSTAGE Application Server Standard Edition V4.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
INTERSTAGE Application Server Standard Edition V4.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
INTERSTAGE Application Server Web-J Edition V4.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
INTERSTAGE Application Server Web-J Edition V4.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
Interstage Application Server Enterprise Edition V5.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
Interstage Application Server Enterprise Edition V5.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
Interstage Application Server Standard Edition V5.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
Interstage Application Server Standard Edition V5.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
Interstage Application Server Web-J Edition V5.0 (with Strong Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
Interstage Application Server Web-J Edition V5.0 (with Non Encryption) for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
Interstage Application Server Plus V5.0.1 for Windows | Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
Interstage Application Server Plus Developer V5.0.1 for Windows | Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs2 | * |
Interstage Application Server Enterprise Edition V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
Interstage Application Server Plus V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs2 | * |
Interstage Application Server Enterprise Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs2 | * |
Interstage Application Server Standard Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs2 | * |
Interstage Application Server Plus V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs2 | * |
Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs2 | * |
Interstage Application Server Plus V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs2 | * |
INTERSTAGE Application Server Enterprise Edition 4.1 (with Non Encryption) for Linux | Turbolinux 7/ RedHat Linux 7.2 | FJSVjs2 | * |
INTERSTAGE Application Server Standard Edition 4.1 (with Non Encryption) for Linux | Turbolinux 7/ RedHat Linux 7.2 | FJSVjs2 | * |
INTERSTAGE Application Server Web-J Edition 4.1 (with Non Encryption) for Linux | Turbolinux 6.1/ 6.5/ 7/ RedHat Linux 7.2 | FJSVjs2 | * |
Interstage Application Server Enterprise Edition V5.0 (with Strong Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
Interstage Application Server Enterprise Edition V5.0 (with Non Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
Interstage Application Server Standard Edition V5.0 (with Strong Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
Interstage Application Server Standard Edition V5.0 (with Non Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
Interstage Application Server Web-J Edition V5.0 (with Strong Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
Interstage Application Server Web-J Edition V5.0 (with Non Encryption) for Linux | Turbolinux 7 | FJSVjs2 | * |
Interstage Application Server Enterprise Edition V6.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs2 | * |
Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs2 | * |
Interstage Application Server Standard Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs2 | * |
Interstage Application Server Plus V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs2 | * |
Note: For the following products, this vulnerability ONLY affects systems whose Servlet service is configured for compatibility with version 5 and earlier. That service is set up only by a custom install; therefore, a system whose Servlet service was set up by the default install is NOT affected by this vulnerability.
- Interstage Application Server V6 series-V7 series
Note: Determining the affected product
- [V3 series-V6 series]
  - Solaris: check the package information of the FJSVisas package.
    pkginfo -l FJSVisas
  - Windows: check the title of the Software Release Guide.
    [Start] -> [Program] -> [Interstage] -> [Application Server] -> [Software Release Guide]
  - Linux: check the package information of the FJSVisas package.
    rpm -q FJSVisas
- [V7 series or later]
  - Solaris: use the isprintvl command.
    isprintvl
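The steps above identify the installed product; the table in 3-2 then gives the Solaris patch ID that must be present. The following is an added example (not part of the Fujitsu advisory) that checks a host against a required patch ID using the output of `showrev -p`; the use of `showrev -p` and its line format are assumptions, and the sample output is constructed. It handles the case the advisory's IDs imply: a later revision of the same patch base (e.g. 910679-20) supersedes the listed one (910679-19), so an exact-string match would wrongly report such a host as unpatched.

```shell
#!/bin/sh
# Added example, not from the Fujitsu advisory. Checks whether a Solaris host
# has a required patch (Patch ID column of table 3-2) at the listed revision
# or later. Assumes `showrev -p` output of the form
#   Patch: <base>-<rev> Obsoletes: ... Requires: ... Incompatibles: ... Packages: ...
# Patch IDs are "<base>-<rev>"; a higher revision supersedes a lower one.

# patch_applied <required-id> <showrev-output>
# Returns 0 if a patch with the same base and revision >= required is listed.
patch_applied() {
    req_base=${1%-*}
    req_rev=${1##*-}
    printf '%s\n' "$2" | awk -v base="$req_base" -v rev="$req_rev" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (p[2] + 0) >= (rev + 0)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `showrev -p` output (one line per installed patch).
SAMPLE='Patch: 910679-20 Obsoletes:  Requires:  Incompatibles:  Packages: FJSVjs2
Patch: 911368-11 Obsoletes:  Requires:  Incompatibles:  Packages: FJSVjs2'

# check_host <required-id> [showrev-output]
# Uses the live `showrev -p` output when no second argument is given.
check_host() {
    out=${2:-$(showrev -p 2>/dev/null)}
    if patch_applied "$1" "$out"; then
        echo "PATCHED $1"
    else
        echo "MISSING $1"
    fi
}
```

Run `check_host 910679-19` on the host itself; pass the listed ID for the product found with `pkginfo -l FJSVisas`, and treat MISSING as unpatched regardless of any newer patches for other bases.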
3-3. Workaround
At the load balancer, set an interval of five minutes or more between the distribution start times of each server.
4. Related information
This problem corresponds to the following Interstage Application Server vulnerability (JVN#90248889).
- JVN#90248889: Interstage Application Server vulnerable in request processing
  http://jvn.jp/jp/JVN90248889/index.html (Japanese only)
5. Revision history
- May 17th, 2010 : Initial release