Interstage HTTP Server: Security Vulnerability Problem (CVE-2011-3192). February 20th, 2012


1. Description

Due to a problem with the processing of the Range header in Apache HTTP Server, a Denial of Service (DoS) vulnerability (CVE-2011-3192) has been confirmed.

Apache HTTP Server Version 2.0-based Interstage HTTP Server is affected by this vulnerability.
Apache HTTP Server Version 1.3-based Interstage HTTP Server is not affected by this vulnerability.

Fujitsu provides the security patches shown in section 3. Please apply them as soon as possible.

2. Impact

A modified request sent by a remote attacker may consume large amounts of memory and CPU on the Web server and cause Denial of Service (DoS).

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

Cloud Infrastructure Management Software
Products | Version | Target OS | Package name | Patch ID
Cloud Infrastructure Management Software [c] | V1.2.0 | Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04
Cloud Infrastructure Management Software [d] | V1.2.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04

Interstage Application Server
Products | Version | Target OS | Package name | Patch ID
Interstage Application Server Enterprise Edition for Windows [a] | V5.0 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None [*i]
Interstage Application Server Enterprise Edition for Windows [a] | V6.0 | Windows NT4.0/ Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i]
Interstage Application Server Enterprise Edition for Windows [a] | V7.0/ V7.0.1 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i]
Interstage Application Server Enterprise Edition for Windows [a] | 8.0.0/ 8.0.1/ 8.0.2 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i]
Interstage Application Server Enterprise Edition for Windows [c] | V9.0.0/ V9.0.0A | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 | F3FMihs | T001001WP-08
Interstage Application Server Enterprise Edition for Windows [c] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05
Interstage Application Server Enterprise Edition for Windows [c] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04
Interstage Application Server Enterprise Edition for Windows [c] | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T006036WP-01
Interstage Application Server Standard Edition for Windows [a] | V5.0 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None [*i]
Interstage Application Server Standard-J Edition for Windows [a] | 8.0.0/ 8.0.1/ 8.0.2 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i]
Interstage Application Server Standard-J Edition for Windows [c] | V9.0.0/ V9.0.0A/ V9.0.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 | F3FMihs | T001001WP-08
Interstage Application Server Standard-J Edition for Windows [c] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05
Interstage Application Server Standard-J Edition for Windows [c] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04
Interstage Application Server Standard-J Edition for Windows [c] | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T006036WP-01
Interstage Application Server Web-J Edition for Windows [a] | V5.0 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None [*i]
Interstage Application Server Plus for Windows [a] | V5.0.1 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None [*i]
Interstage Application Server Plus for Windows [a] | V6.0 | Windows NT4.0/ Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i]
Interstage Application Server Plus for Windows [a] | V7.0/ V7.0.1 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i]
Interstage Application Server Plus Developer for Windows [a] | V5.0.1 | Windows NT4.0/ Windows 2000 Server/ Windows XP | F3FMihs | None [*i]
Interstage Application Server Plus Developer for Windows [a] | V6.0 | Windows NT4.0/ Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None [*i]
Interstage Application Server Plus Developer for Windows [a] | V7.0 | Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None [*i]
Interstage Application Server Enterprise Edition for Windows [a] | 8.0.0 | Windows(IPF) Server 2003 | F3FMihs | None [*i]
Interstage Application Server Enterprise Edition for Windows [c] | V9.0.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 | F3FMihs | T001005IP-06
Interstage Application Server Enterprise Edition for Windows [c] | V9.1.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T002175IP-05
Interstage Application Server Enterprise Edition for Windows [c] | V9.2.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T004345IP-04
Interstage Application Server Standard-J Edition for Windows [c] | V9.0.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 | F3FMihs | T001005IP-06
Interstage Application Server Standard-J Edition for Windows [c] | V9.1.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T002175IP-05
Interstage Application Server Standard-J Edition for Windows [c] | V9.2.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T004345IP-04
Interstage Application Server Enterprise Edition for Windows [c] | V9.2.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T004346XP-04
Interstage Application Server Enterprise Edition for Windows [c] | V10.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T006037XP-01
Interstage Application Server Standard-J Edition for Windows [c] | V9.2.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T004346XP-04
Interstage Application Server Standard-J Edition for Windows [c] | V10.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T006037XP-01
Interstage Application Server Enterprise Edition [b] | 5.0 | Solaris 7/ 8/ 9 | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition [b] | 5.0.1 | Solaris 7/ 8/ 9 | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition [b] | 6.0 | Solaris 7/ 8/ 9 | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition [b] | 7.0 | Solaris 8/ 9 | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition [b] | 7.0.1 | Solaris 8/ 9/ 10 | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition [b] | 8.0.0/ 8.0.2 | Solaris 9/ 10 | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition [d] | V9.0.0/ V9.0.0B | Solaris 9/ 10 | FJSVihs | T001004SP-08
Interstage Application Server Enterprise Edition [d] | V9.1.0/ V9.1.0B | Solaris 9/ 10 | FJSVihs | T002180SP-06
Interstage Application Server Enterprise Edition [d] | V9.2.0 | Solaris 9/ 10 | FJSVihs | T004343SP-04
Interstage Application Server Enterprise Edition [d] | V10.0.0 | Solaris 9/ 10 | FJSVihs | T006035SP-01
Interstage Application Server Standard Edition [b] | 5.0 | Solaris 7/ 8/ 9 | FJSVihs | None [*i]
Interstage Application Server Standard-J Edition [b] | 8.0.0/ 8.0.2 | Solaris 9/ 10 | FJSVihs | None [*i]
Interstage Application Server Standard-J Edition [d] | V9.0.0 | Solaris 9/ 10 | FJSVihs | T001004SP-08
Interstage Application Server Standard-J Edition [d] | V9.1.0/ V9.1.0B | Solaris 9/ 10 | FJSVihs | T002180SP-06
Interstage Application Server Standard-J Edition [d] | V9.2.0 | Solaris 9/ 10 | FJSVihs | T004343SP-04
Interstage Application Server Standard-J Edition [d] | V10.0.0 | Solaris 9/ 10 | FJSVihs | T006035SP-01
Interstage Application Server Web-J Edition [b] | 5.0 | Solaris 7/ 8/ 9 | FJSVihs | None [*i]
Interstage Application Server Plus [b] | 7.0 | Solaris 8/ 9 | FJSVihs | None [*i]
Interstage Application Server Plus [b] | 7.0.1 | Solaris 8/ 9/ 10 | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition for Linux [b] | V5.0 | Turbolinux 7 Server | FJSVihs | None [*i]
Interstage Application Server Standard Edition for Linux [b] | V5.0 | Turbolinux 7 Server | FJSVihs | None [*i]
Interstage Application Server Web-J Edition for Linux [b] | V5.0 | Turbolinux 7 Server | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition for Linux [b] | V6.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition for Linux [b] | V7.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None [*i]
Interstage Application Server Plus for Linux [b] | V7.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition for Linux [b] | V7.0.1 | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | None [*i]
Interstage Application Server Plus for Linux [b] | V7.0.1 | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition for Linux [b] | 8.0.0/ 8.0.2 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition for Linux [d] | V9.0.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T001003LP-06
Interstage Application Server Enterprise Edition for Linux [d] | V9.1.0/ V9.1.0B | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-05
Interstage Application Server Enterprise Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T004338LP-04
Interstage Application Server Standard-J Edition for Linux [b] | 8.0.0/ 8.0.2 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None [*i]
Interstage Application Server Standard-J Edition for Linux [d] | V9.0.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T001003LP-06
Interstage Application Server Standard-J Edition for Linux [d] | V9.1.0/ V9.1.0B | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-05
Interstage Application Server Standard-J Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T004338LP-04
Interstage Application Server Enterprise Edition for Linux [d] | V9.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T001044LP-06
Interstage Application Server Enterprise Edition for Linux [d] | V9.1.0/ V9.1.0B | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-05
Interstage Application Server Enterprise Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04
Interstage Application Server Enterprise Edition for Linux [d] | V10.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T006038LP-01
Interstage Application Server Standard-J Edition for Linux [d] | V9.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T001044LP-06
Interstage Application Server Standard-J Edition for Linux [d] | V9.1.0/ V9.1.0B | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-05
Interstage Application Server Standard-J Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04
Interstage Application Server Standard-J Edition for Linux [d] | V10.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T006038LP-01
Interstage Application Server Enterprise Edition for Linux [d] | V9.3.1 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006033LP-01
Interstage Application Server Enterprise Edition for Linux [d] | V10.0.0 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006039LP-01
Interstage Application Server Standard-J Edition for Linux [d] | V9.3.1 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006033LP-01
Interstage Application Server Standard-J Edition for Linux [d] | V10.0.0 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006039LP-01
Interstage Application Server Enterprise Edition for Linux [b] | V7.0 | RHEL-AS4(IPF) | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition for Linux [b] | 8.0.0/ 8.0.1/ 8.0.2 | RHEL-AS4(IPF) | FJSVihs | None [*i]
Interstage Application Server Enterprise Edition for Linux [d] | V9.0.0/ V9.0.0A | RHEL-AS4(IPF) | FJSVihs | T001002QP-07
Interstage Application Server Enterprise Edition for Linux [d] | V9.1.0 | RHEL-AS4(IPF) | FJSVihs | T002178QP-05
Interstage Application Server Enterprise Edition for Linux [d] | V9.2.0 | RHEL-AS4(IPF) | FJSVihs | T004340QP-04
Interstage Application Server Standard-J Edition for Linux [d] | V9.0.0 | RHEL-AS4(IPF) | FJSVihs | T001002QP-07
Interstage Application Server Standard-J Edition for Linux [d] | V9.1.0 | RHEL-AS4(IPF) | FJSVihs | T002178QP-05
Interstage Application Server Standard-J Edition for Linux [d] | V9.2.0 | RHEL-AS4(IPF) | FJSVihs | T004340QP-04
Interstage Application Server Enterprise Edition for Linux [d] | V9.0.0/ V9.0.0A | RHEL5(IPF) | FJSVihs | T001043QP-07
Interstage Application Server Enterprise Edition for Linux [d] | V9.1.0 | RHEL5(IPF) | FJSVihs | T002179QP-05
Interstage Application Server Enterprise Edition for Linux [d] | V9.2.0 | RHEL5(IPF) | FJSVihs | T004341QP-04
Interstage Application Server Standard-J Edition for Linux [d] | V9.0.0 | RHEL5(IPF) | FJSVihs | T001043QP-07
Interstage Application Server Standard-J Edition for Linux [d] | V9.1.0 | RHEL5(IPF) | FJSVihs | T002179QP-05
Interstage Application Server Standard-J Edition for Linux [d] | V9.2.0 | RHEL5(IPF) | FJSVihs | T004341QP-04
Interstage Application Server Enterprise Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL5(Intel64) | FJSVihs | T004342LP-04
Interstage Application Server Enterprise Edition for Linux [d] | V10.0.0 | RHEL5(Intel64) | FJSVihs | T006040LP-01
Interstage Application Server Standard-J Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL5(Intel64) | FJSVihs | T004342LP-04
Interstage Application Server Standard-J Edition for Linux [d] | V10.0.0 | RHEL5(Intel64) | FJSVihs | T006040LP-01
Interstage Application Server Enterprise Edition for Linux [d] | V9.3.1 | RHEL6(Intel64) | FJSVihs | T006034LP-01
Interstage Application Server Enterprise Edition for Linux [d] | V10.0.0 | RHEL6(Intel64) | FJSVihs | T006041LP-01
Interstage Application Server Standard-J Edition for Linux [d] | V9.3.1 | RHEL6(Intel64) | FJSVihs | T006034LP-01
Interstage Application Server Standard-J Edition for Linux [d] | V10.0.0 | RHEL6(Intel64) | FJSVihs | T006041LP-01

Interstage Apworks
Products | Version | Target OS | Package name | Patch ID
Interstage Apworks Modelers-J Edition for Windows [a] | V6.0/ V6.0A | Windows 2000 Server/ Windows XP | F3FMihs | None [*i]
Interstage Apworks Modelers-J Edition for Windows [a] | V7.0 | Windows 2000 Server/ Windows XP | F3FMihs | None [*i]

Interstage Application Development Cycle Manager
Products | Version | Target OS | Package name | Patch ID
Interstage Application Development Cycle Manager Enterprise Edition for Windows [c] | V10.1.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T002174WP-05
Interstage Application Development Cycle Manager Enterprise Edition for Windows [c] | V10.2 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04
Interstage Application Development Cycle Manager Standard Edition for Windows [c] | V10.0.0/ V10.0.0A/ V10.1.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T002174WP-05
Interstage Application Development Cycle Manager Standard Edition for Windows [c] | V10.2 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04
Interstage Application Development Cycle Manager Standard Edition [d] | V10.0.0A | Solaris 9/ 10 | FJSVihs | T002180SP-06

Interstage Business Application Server
Products | Version | Target OS | Package name | Patch ID
Interstage Business Application Server Enterprise Edition for Linux [b] | 8.0.0 | RHEL-AS4(IPF) | FJSVihs | None [*i]

Interstage Job Workload Server
Products | Version | Target OS | Package name | Patch ID
Interstage Job Workload Server for Linux [b] | 8.1.0 | RHEL-AS4(IPF) | FJSVihs | None [*i]

Interstage List Manager
Products | Version | Target OS | Package name | Patch ID
Interstage List Manager Enterprise Edition [b] | 7.0 | Solaris 8/ 9 | FJSVihs | None [*i]
Interstage List Manager Standard Edition [b] | 7.0 | Solaris 8/ 9 | FJSVihs | None [*i]

Interstage Service Integrator
Products | Version | Target OS | Package name | Patch ID
Interstage Service Integrator Standard Edition for Windows [c] | V9.0.0/ V9.0.0A | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 | F3FMihs | T001001WP-08
Interstage Service Integrator Enterprise Edition [d] | V9.0.0/ V9.0.0A | Solaris 9/ 10 | FJSVihs | T001004SP-08

Interstage Software Quality Analyzer
Products | Version | Target OS | Package name | Patch ID
Interstage Software Quality Analyzer for Windows [c] | V10.0.0/ V10.0.0A | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05

Interstage Studio
Products | Version | Target OS | Package name | Patch ID
Interstage Studio Enterprise Edition for Windows [a] | 8.0.1 | Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None [*i]
Interstage Studio Enterprise Edition for Windows [c] | V9.0.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista | F3FMihs | T001001WP-08
Interstage Studio Enterprise Edition for Windows [c] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista | F3FMihs | T002174WP-05
Interstage Studio Enterprise Edition for Windows [c] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T004344WP-04
Interstage Studio Standard-J Edition for Windows [a] | 8.0.1 | Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None [*i]
Interstage Studio Standard-J Edition for Windows [c] | V9.0.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista | F3FMihs | T001001WP-08
Interstage Studio Standard-J Edition for Windows [c] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista | F3FMihs | T002174WP-05
Interstage Studio Standard-J Edition for Windows [c] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T004344WP-04
Interstage Studio Standard-J Edition for Windows [c] | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T006036WP-01

Systemwalker Availability View
Products | Version | Target OS | Package name | Patch ID
Systemwalker Availability View Enterprise Edition [c] | V13.3.0/ V13.3.0A | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05
Systemwalker Availability View Standard Edition [c] | V13.3.0/ V13.3.0A | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05

Systemwalker IT Process Master
Products | Version | Target OS | Package name | Patch ID
Systemwalker IT Process Master Standard Edition for Windows [c] | V13.3.1 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05

Systemwalker Runbook Automation
Products | Version | Target OS | Package name | Patch ID
Systemwalker Runbook Automation V14g for Windows [c] | 14.1.0/ 14.1.0A | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04
Systemwalker Runbook Automation V14g for SOP [d] | 14.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04

Systemwalker Service Catalog Manager
Products | Version | Target OS | Package name | Patch ID
Systemwalker Service Catalog Manager V14g for Windows [c] | V14.1.0 | Windows Server 2008 R2 | F3FMihs | T004344WP-04

Systemwalker Service Quality Coordinator
Products | Version | Target OS | Package name | Patch ID
Systemwalker Service Quality Coordinator Enterprise Edition for Windows [c] | V13.4/ V13.5.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04
Systemwalker Service Quality Coordinator Enterprise Edition [d] | V13.4/ V13.5.0 | Solaris 9/ 10 | FJSVihs | T004343SP-04
Systemwalker Service Quality Coordinator Enterprise Edition for Linux [d] | V13.4 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04
Systemwalker Service Quality Coordinator Enterprise Edition for Linux [d] | V13.5.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04
Systemwalker Service Quality Coordinator Enterprise Edition for Linux [d] | V13.5.0 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006033LP-01

Systemwalker Software Configuration Manager
Products | Version | Target OS | Package name | Patch ID
Systemwalker Software Configuration Manager for Windows [c] | V14.1.0 | Windows Server 2008 R2 | F3FMihs | T004344WP-04



  [*i] For products where the patch ID is "None", no patch will be provided, since Apache HTTP Server Version 1.3, on which Interstage HTTP Server is based, is not affected by this vulnerability.



The following "3-3 workaround" depends on the product. Refer to the letter in the square brackets at the end of the product name for details.


Note: Determining the affected product

To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

To avoid the problem, edit the environment definition file (httpd.conf) in one of the following ways. After the file is edited, Interstage HTTP Server must be restarted.
Each product type below also includes a method for outputting the Range header and Request-Range header content to the access log so that it can be checked.

  • For [a] products: According to the Apache advisory, these products are not affected by the vulnerability. However, changing the definition is recommended, since unexpected loads may occur.
    1. Set an error to occur if too many ranges are specified in the Range header of the request.
      • < Side Effect >
        • Clients that specify too many ranges in the Range header may not run correctly.
      • < Note >
        • Check the LoadModule and AddModule directive definitions for the mod_rewrite module. If these directives are enabled in the initial settings of the Interstage HTTP Server environment definition file (httpd.conf), change them to comment lines to disable them, and define the mod_rewrite module after all the other LoadModule directive definitions so that it takes priority over other modules.
        • When virtual hosts are used, set the rewrite directives (RewriteEngine/RewriteCond/RewriteRule) in each virtual host.
      • < Example >
        • Return an error when a request specifies more than 5 ranges in the Range header:
            ...
          #LoadModule info_module modules/mod_info.so
          #LoadModule speling_module modules/mod_speling.so
          #LoadModule rewrite_module modules/mod_rewrite.so
          #LoadModule anon_auth_module modules/mod_auth_anon.so
          #LoadModule dbm_auth_module modules/mod_auth_dbm.so
            ...
          AddModule mod_alias.c
          #AddModule mod_rewrite.c
          AddModule mod_access.c
            ...
          LoadModule jk2_module "C:/Interstage/F3FMjs4/gateway/mod_jk2.dll"
            ...

          LoadModule rewrite_module modules/mod_rewrite.so
          AddModule mod_rewrite.c

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
          RewriteCond %{HTTP:request-range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
          RewriteRule .* - [F]
    For [a] products, output the Range header and Request-Range header content to the access log as follows:
    • Add the LogFormat directive.
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
    • Change the format nickname specified for the CustomLog directive.
      Before change: CustomLog "|ihsrlog -s logs/accesslog 1 5" common
      After change: CustomLog "|ihsrlog -s logs/accesslog 1 5" ihs-range
  • For [b] products:
    According to the Apache advisory, these products are not affected by the vulnerability. However, changing the definition is recommended, since unexpected loads may occur.
    1. Set an error to occur if too many ranges are specified in the Range header of the request.
      • < Side Effect >
        • Clients that specify too many ranges in the Range header may not run correctly.
      • < Note >
        • Check the LoadModule and AddModule directive definitions for the mod_rewrite module. If these directives are enabled in the initial settings of the Interstage HTTP Server environment definition file (httpd.conf), change them to comment lines to disable them, and define the mod_rewrite module after all the other LoadModule directive definitions so that it takes priority over other modules.
        • When virtual hosts are used, set the rewrite directives (RewriteEngine/RewriteCond/RewriteRule) in each virtual host.
      • < Example >
        • Return an error when a request specifies more than 5 ranges in the Range header:

            ...
          LoadModule vhost_alias_module libexec/mod_vhost_alias.so
          LoadModule env_module libexec/mod_env.so
          #LoadModule rewrite_module libexec/mod_rewrite.so
          LoadModule access_module libexec/mod_access.so
          LoadModule auth_module libexec/mod_auth.so
            ...
          AddModule mod_alias.c
          #AddModule mod_rewrite.c
          AddModule mod_access.c
            ...
          LoadModule jk2_module /opt/FJSVjs4/gateway/mod_jk2.so
            ...

          LoadModule rewrite_module libexec/mod_rewrite.so
          AddModule mod_rewrite.c

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
          RewriteCond %{HTTP:request-range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
          RewriteRule .* - [F]
    For [b] products, output the Range header and Request-Range header content to the access log as follows:
    • Add the LogFormat directive.
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
    • Change the format nickname specified for the CustomLog directive.
      Before change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s /opt/FJSVihs/logs/accesslog 1 5" common
      After change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s /opt/FJSVihs/logs/accesslog 1 5" ihs-range
  • For [c] products:
    1. Set an error to occur if too many ranges are specified in the Range header of the request.
      • < Side Effect >
        • Clients that specify too many ranges in the Range header may not run correctly.
      • < Note >
        • When virtual hosts are used, set the rewrite directives (RewriteEngine/RewriteCond/RewriteRule) in each virtual host.
      • < Example >
        • Return an error when a request specifies more than 5 ranges in the Range header:

          LoadModule headers_module "C:/Interstage/F3FMihs/modules/mod_headers.so"
          LoadModule rewrite_module "C:/Interstage/F3FMihs/modules/mod_rewrite.so"

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
          RewriteRule .* - [F]

          # We always drop Request-Range; as this is a legacy
          # dating back to MSIE3 and Netscape 2 and 3.
          RequestHeader unset Request-Range
    2. Disable the Range header.
      • < Side Effect >
        • Clients that specify too many ranges in the Range header may not run correctly.
      • < Example >
        • LoadModule headers_module "C:/Interstage/F3FMihs/modules/mod_headers.so"

          RequestHeader unset Range

          # We always drop Request-Range; as this is a legacy
          # dating back to MSIE3 and Netscape 2 and 3.
          RequestHeader unset Request-Range
    For [c] products, output the Range header and Request-Range header content to the access log as follows:
    • Add the LogFormat directive.
      LogFormat "%h %l %u %t \"%r\" %>s %b %A:%p %{Host}i %P %S %{UNIQUE_ID}e \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
    • Change the format nickname specified for the CustomLog directive.
      Before change: CustomLog "|ihsrlog.exe -s logs/accesslog 1 5" ihs-analysis
      After change: CustomLog "|ihsrlog.exe -s logs/accesslog 1 5" ihs-range
  • For [d] products:
    1. Set an error to occur if too many ranges are specified in the Range header of the request.
      • < Side Effect >
        • Clients that specify too many ranges in the Range header may not run correctly.
      • < Note >
        • When virtual hosts are used, set the rewrite directives (RewriteEngine/RewriteCond/RewriteRule) in each virtual host.
      • < Example >
        • Return an error when a request specifies more than 5 ranges in the Range header:

          LoadModule headers_module "/opt/FJSVihs/modules/mod_headers.so"
          LoadModule rewrite_module "/opt/FJSVihs/modules/mod_rewrite.so"

          # Reject request when more than 5 ranges in the Range: header.
          # CVE-2011-3192
          #
          RewriteEngine on
          RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
          RewriteRule .* - [F]

          # We always drop Request-Range; as this is a legacy
          # dating back to MSIE3 and Netscape 2 and 3.
          RequestHeader unset Request-Range
    2. Disable the Range header.
      • < Side Effect >
        • Clients that use HTTP streaming may not run correctly.
      • < Example >
        • LoadModule headers_module "/opt/FJSVihs/modules/mod_headers.so"

          RequestHeader unset Range

          # We always drop Request-Range; as this is a legacy
          # dating back to MSIE3 and Netscape 2 and 3.
          RequestHeader unset Request-Range
    For [d] products, output the Range header and Request-Range header content to the access log as follows:
    • Add the LogFormat directive.
      LogFormat "%h %l %u %t \"%r\" %>s %b %A:%p %{Host}i %P %S %{UNIQUE_ID}e \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
    • Change the format nickname specified for the CustomLog directive.
      Before change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s logs/accesslog 1 5" ihs-analysis
      After change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s logs/accesslog 1 5" ihs-range
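
To check an access log written with the ihs-range format, the following added example (not part of the Fujitsu advisory) applies the same expression as the RewriteCond above to the logged Range and Request-Range fields and reports the requests that the rule rejects. The log lines, their field values and the function names are constructed for illustration; the parser assumes only that the two quoted header fields end the line, as in both LogFormat definitions.

```python
"""Audit an access log written with the ihs-range LogFormat for oversized Range headers."""
import re

# Same expression as the RewriteCond in the workaround; the [NC] flag maps to IGNORECASE.
# mod_rewrite searches within the header value, so re.search() is the equivalent call.
ALLOWED = re.compile(r'(bytes=[^,]+(,[^,]+){0,4}$|^$)', re.IGNORECASE)

# Leading fields shared by both ihs-range variants (%h %l %u %t "%r" %>s), then whatever
# the variant logs in between, then the two quoted header fields that end the line.
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) .*?'
    r'"(?P<range>(?:[^"\\]|\\.)*)" "(?P<request_range>(?:[^"\\]|\\.)*)"\s*$'
)


def rule_rejects(value):
    """True when the RewriteCond matches this header value, i.e. the request gets 403."""
    return ALLOWED.search(value) is None


def count_ranges(value):
    """Number of comma-separated range specs after the unit; 0 if there is no '='."""
    _, sep, spec = value.partition("=")
    return len(spec.split(",")) if sep else 0


def audit(lines):
    """Return flagged header values plus the number of lines without the Range fields."""
    findings, unparsed = [], 0
    for lineno, line in enumerate(lines, 1):
        m = LINE.match(line.rstrip("\r\n"))
        if m is None:
            # Typically a line written before CustomLog was switched to ihs-range.
            unparsed += 1
            continue
        fields = (("Range", m.group("range")),
                  ("Request-Range", m.group("request_range")))
        for header, field in fields:
            value = "" if field == "-" else field  # Apache logs "-" for an absent header
            if rule_rejects(value):
                findings.append({
                    "line": lineno,
                    "host": m.group("host"),
                    "status": int(m.group("status")),
                    "header": header,
                    "ranges": count_ranges(value),
                })
    return {"findings": findings, "unparsed": unparsed}


# Constructed sample lines (documentation addresses, placeholder field values).
SAMPLE_LOG = [
    # [a]/[b] format, one range: allowed
    '192.0.2.10 - - [20/Feb/2012:10:00:00 +0900] "GET /index.html HTTP/1.1" 206 500 '
    '"bytes=0-499" "-"',
    # [c]/[d] format with the extra fields, no Range header: allowed
    '192.0.2.11 - - [20/Feb/2012:10:00:01 +0900] "GET /img/logo.png HTTP/1.1" 200 5120 '
    '192.0.2.1:80 www.example.com 4321 12 Tz9aBcPLACEHOLDER "-" "-"',
    # six ranges in Range: rejected by the rule
    '192.0.2.12 - - [20/Feb/2012:10:00:02 +0900] "GET /doc/manual.pdf HTTP/1.1" 403 210 '
    '"bytes=0-1,2-3,4-5,6-7,8-9,10-11" "-"',
    # exactly five ranges: still allowed
    '192.0.2.13 - - [20/Feb/2012:10:00:03 +0900] "GET /doc/manual.pdf HTTP/1.1" 206 500 '
    '"bytes=0-99,100-199,200-299,300-399,400-499" "-"',
    # seven ranges in the legacy Request-Range header: rejected by the [a]/[b] rule
    '192.0.2.12 - - [20/Feb/2012:10:00:04 +0900] "GET /doc/manual.pdf HTTP/1.1" 403 210 '
    '"-" "bytes=0-1,2-3,4-5,6-7,8-9,10-11,12-13"',
    # line written with the old "common" nickname: no Range fields to inspect
    '192.0.2.14 - - [20/Feb/2012:09:59:00 +0900] "GET /old.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for f in report["findings"]:
        print("line {line}: {host} sent {ranges} ranges in {header} "
              "(status {status})".format(**f))
    print("lines without Range fields:", report["unparsed"])
```

A flagged line logged with a status other than 403 indicates that the rewrite rule was not in effect for that request, for example in a virtual host without its own rewrite directives.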

4. Related information

  • CVE-2011-3192
    The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192

5. Revision history

  • February 20th, 2012: 7th release
    • Change the Patch ID in "3-2. Affected products and required patch".
  • December 28th, 2011: 6th release
    • Change the Patch ID in "3-2. Affected products and required patch".
    • Add the following products to "3-2. Affected products and required patch".
      • Interstage Application Server Enterprise Edition for Windows [c]    V10.0.0    Windows 2003/ 2003R2/ 2008/ 2008R2
      • Interstage Application Server Standard-J Edition for Windows [c]    V10.0.0    Windows 2003/ 2003R2/ 2008/ 2008R2
      • Interstage Application Server Enterprise Edition for Windows [c]    V10.0.0    Windows(EM64T) 2003/ 2003R2/ 2008/ 2008R2
      • Interstage Application Server Standard-J Edition for Windows [c]    V10.0.0    Windows(EM64T) 2003/ 2003R2/ 2008/ 2008R2
      • Interstage Application Server Enterprise Edition [d]    V10.0.0    Solaris 9/ 10
      • Interstage Application Server Standard-J Edition [d]    V10.0.0    Solaris 9/ 10
      • Interstage Application Server Enterprise Edition for Linux [d]    V10.0.0    RHEL5(x86)/ RHEL5(Intel64)
      • Interstage Application Server Standard-J Edition for Linux [d]    V10.0.0    RHEL5(x86)/ RHEL5(Intel64)
      • Interstage Application Server Enterprise Edition for Linux [d]    V10.0.0    RHEL6(x86)/ RHEL6(Intel64)
      • Interstage Application Server Standard-J Edition for Linux [d]    V10.0.0    RHEL6(x86)/ RHEL6(Intel64)
      • Interstage Application Server Enterprise Edition for Linux [d]    V10.0.0    RHEL5(Intel64)
      • Interstage Application Server Standard-J Edition for Linux [d]    V10.0.0    RHEL5(Intel64)
      • Interstage Application Server Enterprise Edition for Linux [d]    V10.0.0    RHEL6(Intel64)
      • Interstage Application Server Standard-J Edition for Linux [d]    V10.0.0    RHEL6(Intel64)
      • Interstage Studio Standard-J Edition for Windows [c]    V10.0.0    Windows 2003/ 2003R2/ 2008/ 2008R2/ XP/ Vista/ 7
  • December 21st, 2011: 5th release
    • Change the Patch ID in "3-2. Affected products and required patch".
  • December 15th, 2011: 4th release
    • Change the Patch ID in "3-2. Affected products and required patch".
  • December 12th, 2011: 3rd release
    • Change the Patch ID and Scheduled Date in "3-2. Affected products and required patch".
  • December 2nd, 2011: 2nd release
    • Add the patch schedule to "3-2. Affected products and required patch".
  • November 7th, 2011: Initial release
