Interstage HTTP Server: Security Vulnerability Problem (CVE-2011-3192). February 20th, 2012
1. Description
Due to a problem with the processing of the Range header in Apache HTTP Server, a Denial of Service (DoS) vulnerability (CVE-2011-3192) has been confirmed.
Apache HTTP Server Version 2.0-based Interstage HTTP Server is affected by this vulnerability.
Apache HTTP Server Version 1.3-based Interstage HTTP Server is not affected by this vulnerability.
Fujitsu provides the security patches listed in section 3. Please apply them as soon as possible.
2. Impact
A specially crafted request sent by a remote attacker may consume large amounts of memory and CPU on the Web server and cause a Denial of Service (DoS).
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise
3-2. Affected products and required patch
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Cloud Infrastructure Management Software [c] | V1.2.0 | Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04 |
Cloud Infrastructure Management Software [d] | V1.2.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Application Server Enterprise Edition for Windows [a] | V5.0 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None [*i] |
Interstage Application Server Enterprise Edition for Windows [a] | V6.0 | Windows NT4.0/ Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i] |
Interstage Application Server Enterprise Edition for Windows [a] | V7.0/ V7.0.1 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i] |
Interstage Application Server Enterprise Edition for Windows [a] | 8.0.0/ 8.0.1/ 8.0.2 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i] |
Interstage Application Server Enterprise Edition for Windows [c] | V9.0.0/ V9.0.0A | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 | F3FMihs | T001001WP-08 |
Interstage Application Server Enterprise Edition for Windows [c] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05 |
Interstage Application Server Enterprise Edition for Windows [c] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04 |
Interstage Application Server Enterprise Edition for Windows [c] | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T006036WP-01 |
Interstage Application Server Standard Edition for Windows [a] | V5.0 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None [*i] |
Interstage Application Server Standard-J Edition for Windows [a] | 8.0.0/ 8.0.1/ 8.0.2 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i] |
Interstage Application Server Standard-J Edition for Windows [c] | V9.0.0/ V9.0.0A/ V9.0.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 | F3FMihs | T001001WP-08 |
Interstage Application Server Standard-J Edition for Windows [c] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05 |
Interstage Application Server Standard-J Edition for Windows [c] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04 |
Interstage Application Server Standard-J Edition for Windows [c] | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T006036WP-01 |
Interstage Application Server Web-J Edition for Windows [a] | V5.0 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None [*i] |
Interstage Application Server Plus for Windows [a] | V5.0.1 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None [*i] |
Interstage Application Server Plus for Windows [a] | V6.0 | Windows NT4.0/ Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i] |
Interstage Application Server Plus for Windows [a] | V7.0/ V7.0.1 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None [*i] |
Interstage Application Server Plus Developer for Windows [a] | V5.0.1 | Windows NT4.0/ Windows 2000 Server/ Windows XP | F3FMihs | None [*i] |
Interstage Application Server Plus Developer for Windows [a] | V6.0 | Windows NT4.0/ Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None [*i] |
Interstage Application Server Plus Developer for Windows [a] | V7.0 | Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None [*i] |
Interstage Application Server Enterprise Edition for Windows [a] | 8.0.0 | Windows(IPF) Server 2003 | F3FMihs | None [*i] |
Interstage Application Server Enterprise Edition for Windows [c] | V9.0.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 | F3FMihs | T001005IP-06 |
Interstage Application Server Enterprise Edition for Windows [c] | V9.1.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T002175IP-05 |
Interstage Application Server Enterprise Edition for Windows [c] | V9.2.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T004345IP-04 |
Interstage Application Server Standard-J Edition for Windows [c] | V9.0.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 | F3FMihs | T001005IP-06 |
Interstage Application Server Standard-J Edition for Windows [c] | V9.1.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T002175IP-05 |
Interstage Application Server Standard-J Edition for Windows [c] | V9.2.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T004345IP-04 |
Interstage Application Server Enterprise Edition for Windows [c] | V9.2.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T004346XP-04 |
Interstage Application Server Enterprise Edition for Windows [c] | V10.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T006037XP-01 |
Interstage Application Server Standard-J Edition for Windows [c] | V9.2.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T004346XP-04 |
Interstage Application Server Standard-J Edition for Windows [c] | V10.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T006037XP-01 |
Interstage Application Server Enterprise Edition [b] | 5.0 | Solaris 7/ 8/ 9 | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition [b] | 5.0.1 | Solaris 7/ 8/ 9 | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition [b] | 6.0 | Solaris 7/ 8/ 9 | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition [b] | 7.0 | Solaris 8/ 9 | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition [b] | 7.0.1 | Solaris 8/ 9/ 10 | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition [b] | 8.0.0/ 8.0.2 | Solaris 9/ 10 | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition [d] | V9.0.0/ V9.0.0B | Solaris 9/ 10 | FJSVihs | T001004SP-08 |
Interstage Application Server Enterprise Edition [d] | V9.1.0/ V9.1.0B | Solaris 9/ 10 | FJSVihs | T002180SP-06 |
Interstage Application Server Enterprise Edition [d] | V9.2.0 | Solaris 9/ 10 | FJSVihs | T004343SP-04 |
Interstage Application Server Enterprise Edition [d] | V10.0.0 | Solaris 9/ 10 | FJSVihs | T006035SP-01 |
Interstage Application Server Standard Edition [b] | 5.0 | Solaris 7/ 8/ 9 | FJSVihs | None [*i] |
Interstage Application Server Standard-J Edition [b] | 8.0.0/ 8.0.2 | Solaris 9/ 10 | FJSVihs | None [*i] |
Interstage Application Server Standard-J Edition [d] | V9.0.0 | Solaris 9/ 10 | FJSVihs | T001004SP-08 |
Interstage Application Server Standard-J Edition [d] | V9.1.0/ V9.1.0B | Solaris 9/ 10 | FJSVihs | T002180SP-06 |
Interstage Application Server Standard-J Edition [d] | V9.2.0 | Solaris 9/ 10 | FJSVihs | T004343SP-04 |
Interstage Application Server Standard-J Edition [d] | V10.0.0 | Solaris 9/ 10 | FJSVihs | T006035SP-01 |
Interstage Application Server Web-J Edition [b] | 5.0 | Solaris 7/ 8/ 9 | FJSVihs | None [*i] |
Interstage Application Server Plus [b] | 7.0 | Solaris 8/ 9 | FJSVihs | None [*i] |
Interstage Application Server Plus [b] | 7.0.1 | Solaris 8/ 9/ 10 | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition for Linux [b] | V5.0 | Turbolinux 7 Server | FJSVihs | None [*i] |
Interstage Application Server Standard Edition for Linux [b] | V5.0 | Turbolinux 7 Server | FJSVihs | None [*i] |
Interstage Application Server Web-J Edition for Linux [b] | V5.0 | Turbolinux 7 Server | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition for Linux [b] | V6.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition for Linux [b] | V7.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None [*i] |
Interstage Application Server Plus for Linux [b] | V7.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition for Linux [b] | V7.0.1 | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | None [*i] |
Interstage Application Server Plus for Linux [b] | V7.0.1 | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition for Linux [b] | 8.0.0/ 8.0.2 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition for Linux [d] | V9.0.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T001003LP-06 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.1.0/ V9.1.0B | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-05 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T004338LP-04 |
Interstage Application Server Standard-J Edition for Linux [b] | 8.0.0/ 8.0.2 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None [*i] |
Interstage Application Server Standard-J Edition for Linux [d] | V9.0.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T001003LP-06 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.1.0/ V9.1.0B | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-05 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T004338LP-04 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T001044LP-06 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.1.0/ V9.1.0B | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-05 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04 |
Interstage Application Server Enterprise Edition for Linux [d] | V10.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T006038LP-01 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T001044LP-06 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.1.0/ V9.1.0B | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-05 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04 |
Interstage Application Server Standard-J Edition for Linux [d] | V10.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T006038LP-01 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.3.1 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006033LP-01 |
Interstage Application Server Enterprise Edition for Linux [d] | V10.0.0 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006039LP-01 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.3.1 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006033LP-01 |
Interstage Application Server Standard-J Edition for Linux [d] | V10.0.0 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006039LP-01 |
Interstage Application Server Enterprise Edition for Linux [b] | V7.0 | RHEL-AS4(IPF) | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition for Linux [b] | 8.0.0/ 8.0.1/ 8.0.2 | RHEL-AS4(IPF) | FJSVihs | None [*i] |
Interstage Application Server Enterprise Edition for Linux [d] | V9.0.0/ V9.0.0A | RHEL-AS4(IPF) | FJSVihs | T001002QP-07 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.1.0 | RHEL-AS4(IPF) | FJSVihs | T002178QP-05 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.2.0 | RHEL-AS4(IPF) | FJSVihs | T004340QP-04 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.0.0 | RHEL-AS4(IPF) | FJSVihs | T001002QP-07 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.1.0 | RHEL-AS4(IPF) | FJSVihs | T002178QP-05 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.2.0 | RHEL-AS4(IPF) | FJSVihs | T004340QP-04 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.0.0/ V9.0.0A | RHEL5(IPF) | FJSVihs | T001043QP-07 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.1.0 | RHEL5(IPF) | FJSVihs | T002179QP-05 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.2.0 | RHEL5(IPF) | FJSVihs | T004341QP-04 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.0.0 | RHEL5(IPF) | FJSVihs | T001043QP-07 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.1.0 | RHEL5(IPF) | FJSVihs | T002179QP-05 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.2.0 | RHEL5(IPF) | FJSVihs | T004341QP-04 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL5(Intel64) | FJSVihs | T004342LP-04 |
Interstage Application Server Enterprise Edition for Linux [d] | V10.0.0 | RHEL5(Intel64) | FJSVihs | T006040LP-01 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.2.0/ V9.3.1 | RHEL5(Intel64) | FJSVihs | T004342LP-04 |
Interstage Application Server Standard-J Edition for Linux [d] | V10.0.0 | RHEL5(Intel64) | FJSVihs | T006040LP-01 |
Interstage Application Server Enterprise Edition for Linux [d] | V9.3.1 | RHEL6(Intel64) | FJSVihs | T006034LP-01 |
Interstage Application Server Enterprise Edition for Linux [d] | V10.0.0 | RHEL6(Intel64) | FJSVihs | T006041LP-01 |
Interstage Application Server Standard-J Edition for Linux [d] | V9.3.1 | RHEL6(Intel64) | FJSVihs | T006034LP-01 |
Interstage Application Server Standard-J Edition for Linux [d] | V10.0.0 | RHEL6(Intel64) | FJSVihs | T006041LP-01 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Application Development Cycle Manager Enterprise Edition for Windows [c] | V10.1.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T002174WP-05 |
Interstage Application Development Cycle Manager Enterprise Edition for Windows [c] | V10.2 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04 |
Interstage Application Development Cycle Manager Standard Edition for Windows [c] | V10.0.0/ V10.0.0A/ V10.1.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T002174WP-05 |
Interstage Application Development Cycle Manager Standard Edition for Windows [c] | V10.2 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04 |
Interstage Application Development Cycle Manager Standard Edition [d] | V10.0.0A | Solaris 9/ 10 | FJSVihs | T002180SP-06 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Business Application Server Enterprise Edition for Linux [b] | 8.0.0 | RHEL-AS4(IPF) | FJSVihs | None [*i] |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Job Workload Server for Linux [b] | 8.1.0 | RHEL-AS4(IPF) | FJSVihs | None [*i] |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Service Integrator Standard Edition for Windows [c] | V9.0.0/ V9.0.0A | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 | F3FMihs | T001001WP-08 |
Interstage Service Integrator Enterprise Edition [d] | V9.0.0/ V9.0.0A | Solaris 9/ 10 | FJSVihs | T001004SP-08 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Software Quality Analyzer for Windows [c] | V10.0.0/ V10.0.0A | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Studio Enterprise Edition for Windows [a] | 8.0.1 | Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None [*i] |
Interstage Studio Enterprise Edition for Windows [c] | V9.0.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista | F3FMihs | T001001WP-08 |
Interstage Studio Enterprise Edition for Windows [c] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista | F3FMihs | T002174WP-05 |
Interstage Studio Enterprise Edition for Windows [c] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T004344WP-04 |
Interstage Studio Standard-J Edition for Windows [a] | 8.0.1 | Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None [*i] |
Interstage Studio Standard-J Edition for Windows [c] | V9.0.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista | F3FMihs | T001001WP-08 |
Interstage Studio Standard-J Edition for Windows [c] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista | F3FMihs | T002174WP-05 |
Interstage Studio Standard-J Edition for Windows [c] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T004344WP-04 |
Interstage Studio Standard-J Edition for Windows [c] | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T006036WP-01 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Systemwalker Availability View Enterprise Edition [c] | V13.3.0/ V13.3.0A | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05 |
Systemwalker Availability View Standard Edition [c] | V13.3.0/ V13.3.0A | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Systemwalker IT Process Master Standard Edition for Windows [c] | V13.3.1 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-05 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Systemwalker Runbook Automation V14g for Windows [c] | 14.1.0/ 14.1.0A | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04 |
Systemwalker Runbook Automation V14g for SOP [d] | 14.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Systemwalker Service Catalog Manager V14g for Windows [c] | V14.1.0 | Windows Server 2008 R2 | F3FMihs | T004344WP-04 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Systemwalker Service Quality Coordinator Enterprise Edition for Windows [c] | V13.4/ V13.5.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-04 |
Systemwalker Service Quality Coordinator Enterprise Edition [d] | V13.4/ V13.5.0 | Solaris 9/ 10 | FJSVihs | T004343SP-04 |
Systemwalker Service Quality Coordinator Enterprise Edition for Linux [d] | V13.4 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04 |
Systemwalker Service Quality Coordinator Enterprise Edition for Linux [d] | V13.5.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-04 |
Systemwalker Service Quality Coordinator Enterprise Edition for Linux [d] | V13.5.0 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006033LP-01 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Systemwalker Software Configuration Manager for Windows [c] | V14.1.0 | Windows Server 2008 R2 | F3FMihs | T004344WP-04 |
- For products whose patch ID is "None", no patch will be provided, because Apache HTTP Server Version 1.3, on which that Interstage HTTP Server is based, is not affected by this vulnerability.
The workaround in "3-3. Workaround" depends on the product. Refer to the letter in square brackets after the product name to find the applicable section.
Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.
3-3. Workaround
To avoid the problem, edit the environment definition file (httpd.conf) in one of the following ways. After editing the file, restart Interstage HTTP Server.
A method for writing the contents of the Range and Request-Range headers to the access log, so that rejected requests can be confirmed, is also described for each product.
- For [a] products: According to the Apache advisory, the Apache HTTP Server Version 1.3 on which these products are based is not affected by this vulnerability. However, it is recommended that the definition be changed, since unexpected load may still occur.
- Set an error to occur if too many ranges are specified in the Range header of the request.
- < Side Effect >
- Clients that specify too many ranges in the Range header may not run correctly.
- < Note >
- Check the LoadModule and AddModule directive definitions for the mod_rewrite module. If they are enabled in the initial settings of the Interstage HTTP Server environment definition file (httpd.conf), comment them out to disable them, and instead load mod_rewrite after all other LoadModule directive definitions so that it takes priority over the other modules.
- In a virtual host, set the rewrite directives (RewriteEngine/RewriteCond/RewriteRule) inside each virtual host definition.
- < Example >
- Set an error to occur when more than 5 ranges are specified in the Range header of a request:
...
#LoadModule info_module modules/mod_info.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule anon_auth_module modules/mod_auth_anon.so
#LoadModule dbm_auth_module modules/mod_auth_dbm.so
...
AddModule mod_alias.c
#AddModule mod_rewrite.c
AddModule mod_access.c
...
LoadModule jk2_module "C:/Interstage/F3FMjs4/gateway/mod_jk2.dll"
...
LoadModule rewrite_module modules/mod_rewrite.so
AddModule mod_rewrite.c
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
RewriteCond %{HTTP:request-range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
RewriteRule .* - [F]
- Output the contents of the Range and Request-Range headers to the access log.
- < Example >
- Add the LogFormat directive:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
- Change the format nickname specified for the CustomLog directive:
Before change: CustomLog "|ihsrlog -s logs/accesslog 1 5" common
After change: CustomLog "|ihsrlog -s logs/accesslog 1 5" ihs-range
- For [b] products: According to the Apache advisory, the Apache HTTP Server Version 1.3 on which these products are based is not affected by this vulnerability. However, it is recommended that the definition be changed, since unexpected load may still occur.
- Set an error to occur if too many ranges are specified in the Range header of the request.
- < Side Effect >
- Clients that specify too many ranges in the Range header may not run correctly.
- < Note >
- Check the LoadModule and AddModule directive definitions for the mod_rewrite module. If they are enabled in the initial settings of the Interstage HTTP Server environment definition file (httpd.conf), comment them out to disable them, and instead load mod_rewrite after all other LoadModule directive definitions so that it takes priority over the other modules.
- In a virtual host, set the rewrite directives (RewriteEngine/RewriteCond/RewriteRule) inside each virtual host definition.
- < Example >
- Set an error to occur when more than 5 ranges are specified in the Range header of a request:
...
LoadModule vhost_alias_module libexec/mod_vhost_alias.so
LoadModule env_module libexec/mod_env.so
#LoadModule rewrite_module libexec/mod_rewrite.so
LoadModule access_module libexec/mod_access.so
LoadModule auth_module libexec/mod_auth.so
...
AddModule mod_alias.c
#AddModule mod_rewrite.c
AddModule mod_access.c
...
LoadModule jk2_module /opt/FJSVjs4/gateway/mod_jk2.so
...
LoadModule rewrite_module libexec/mod_rewrite.so
AddModule mod_rewrite.c
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC,OR]
RewriteCond %{HTTP:request-range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
RewriteRule .* - [F]
- Output the contents of the Range and Request-Range headers to the access log.
- < Example >
- Add the LogFormat directive:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
- Change the format nickname specified for the CustomLog directive:
Before change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s /opt/FJSVihs/logs/accesslog 1 5" common
After change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s /opt/FJSVihs/logs/accesslog 1 5" ihs-range
- For [c] products:
- Set an error to occur if too many ranges are specified in the Range header of the request.
- < Side Effect >
- Clients that specify too many ranges in the Range header may not run correctly.
- < Note >
- In a virtual host, set the rewrite directives (RewriteEngine/RewriteCond/RewriteRule) inside each virtual host definition.
- < Example >
- Set an error to occur when more than 5 ranges are specified in the Range header of a request:
LoadModule headers_module "C:/Interstage/F3FMihs/modules/mod_headers.so"
LoadModule rewrite_module "C:/Interstage/F3FMihs/modules/mod_rewrite.so"
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
RewriteRule .* - [F]
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
- Disable the Range header.
- < Side Effect >
- Clients that rely on the Range header, such as HTTP streaming clients, may not run correctly.
- < Example >
LoadModule headers_module "C:/Interstage/F3FMihs/modules/mod_headers.so"
RequestHeader unset Range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
- Output the contents of the Range and Request-Range headers to the access log.
- < Example >
- Add the LogFormat directive:
LogFormat "%h %l %u %t \"%r\" %>s %b %A:%p %{Host}i %P %S %{UNIQUE_ID}e \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
- Change the format nickname specified for the CustomLog directive:
Before change: CustomLog "|ihsrlog.exe -s logs/accesslog 1 5" ihs-analysis
After change: CustomLog "|ihsrlog.exe -s logs/accesslog 1 5" ihs-range
- For [d] products:
- Set an error to occur if too many ranges are specified in the Range header of the request.
- < Side Effect >
- Clients that specify too many ranges in the Range header may not run correctly.
- < Note >
- In a virtual host, set the rewrite directives (RewriteEngine/RewriteCond/RewriteRule) inside each virtual host definition.
- < Example >
- Set an error to occur when more than 5 ranges are specified in the Range header of a request:
LoadModule headers_module "/opt/FJSVihs/modules/mod_headers.so"
LoadModule rewrite_module "/opt/FJSVihs/modules/mod_rewrite.so"
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(bytes=[^,]+(,[^,]+){0,4}$|^$) [NC]
RewriteRule .* - [F]
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
- Disable the Range header.
- < Side Effect >
- Clients that use HTTP streaming may not run correctly.
- < Example >
LoadModule headers_module "/opt/FJSVihs/modules/mod_headers.so"
RequestHeader unset Range
# We always drop Request-Range; as this is a legacy
# dating back to MSIE3 and Netscape 2 and 3.
RequestHeader unset Request-Range
- Output the contents of the Range and Request-Range headers to the access log.
- < Example >
- Add the LogFormat directive:
LogFormat "%h %l %u %t \"%r\" %>s %b %A:%p %{Host}i %P %S %{UNIQUE_ID}e \"%{Range}i\" \"%{Request-Range}i\"" ihs-range
- Change the format nickname specified for the CustomLog directive:
Before change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s logs/accesslog 1 5" ihs-analysis
After change: CustomLog "|/opt/FJSVihs/bin/ihsrlog -s logs/accesslog 1 5" ihs-range
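The following Python script is an added example and is not part of the Fujitsu advisory or of Interstage HTTP Server. It re-implements, outside the Web server, the decision that the RewriteCond lines in 3-3 make (so the pattern can be tried against header values before it is deployed, including the edge cases: no Range header at all, exactly 5 ranges, and the case-insensitive [NC] match), and it parses lines in the "ihs-range" access-log format defined for [a]/[b] products to flag requests that carried more than 5 ranges. The regular expression is copied verbatim from the RewriteCond directives; Python's re module is not PCRE, but this pattern uses only features common to both, and re.search reproduces mod_rewrite's unanchored match. The function names, the MAX_RANGES constant and the sample log lines are the example's own assumptions; the log lines are constructed, not real traffic. The parser targets the shorter [a]/[b] LogFormat; the [c]/[d] format carries additional fields before the Range columns and would need the LOG_RE pattern extended accordingly.

```python
"""Emulate the CVE-2011-3192 mod_rewrite workaround and audit ihs-range access logs.

Added example, not part of the Fujitsu advisory.  The regular expression is the one
from the RewriteCond lines in 3-3; the log lines are constructed test data.
"""
import re
from typing import Dict, List, Optional

MAX_RANGES = 5  # one range-spec plus {0,4} more: the workaround tolerates at most 5

# Same pattern as the RewriteCond; the [NC] flag becomes re.IGNORECASE.  It is not
# anchored at the start, so "bytes=" may appear anywhere, and each range-spec is
# just "one or more non-comma characters".  The ^$ alternative matches an absent
# header, because mod_rewrite expands %{HTTP:range} to "" when there is none.
RANGE_OK_RE = re.compile(r"(bytes=[^,]+(,[^,]+){0,4}$|^$)", re.IGNORECASE)


def range_value_ok(value: Optional[str]) -> bool:
    """True when the header value satisfies the pattern (before the '!' negation)."""
    return RANGE_OK_RE.search(value or "") is not None


def request_allowed(headers: Dict[str, str], check_request_range: bool = True) -> bool:
    """Would "RewriteRule .* - [F]" let this request through?

    check_request_range=True mirrors the [a]/[b] rule set (two RewriteConds joined by
    [OR]); False mirrors [c]/[d], where Request-Range is unset by mod_headers instead.
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not range_value_ok(lower.get("range")):
        return False
    if check_request_range and not range_value_ok(lower.get("request-range")):
        return False
    return True


def count_ranges(value: Optional[str]) -> int:
    """Number of comma-separated range-specs in a logged value ("-" means no header)."""
    if not value or value == "-":
        return 0
    return len([p for p in value.split("=", 1)[-1].split(",") if p.strip()])


# Field layout of the ihs-range LogFormat defined for [a]/[b] products:
#   %h %l %u %t "%r" %>s %b "%{Range}i" "%{Request-Range}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<range>[^"]*)" "(?P<request_range>[^"]*)"$'
)


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one ihs-range access-log line; None if it does not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["range_count"] = count_ranges(rec["range"])
    rec["request_range_count"] = count_ranges(rec["request_range"])
    return rec


def suspicious_requests(lines: List[str], threshold: int = MAX_RANGES) -> List[dict]:
    """Records whose Range or Request-Range carries more than `threshold` range-specs."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec and max(rec["range_count"], rec["request_range_count"]) > threshold:
            hits.append(rec)
    return hits


# Constructed sample lines in the ihs-range format (not real traffic).  The first one
# has the shape of an attack probe: a HEAD request carrying many overlapping ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Feb/2012:10:15:32 +0900] "HEAD / HTTP/1.1" 403 - '
    '"bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5" "-"',
    '192.0.2.11 - - [20/Feb/2012:10:15:40 +0900] "GET /big.iso HTTP/1.1" 206 1048576 '
    '"bytes=0-1048575" "-"',
    '192.0.2.12 - - [20/Feb/2012:10:15:41 +0900] "GET /index.html HTTP/1.1" 200 2326 "-" "-"',
]

if __name__ == "__main__":
    for hdrs in ({"Range": "bytes=0-99,100-199"}, {"Range": "bytes=0-,5-0,5-1,5-2,5-3,5-4"}, {}):
        print(hdrs, "->", "allowed" if request_allowed(hdrs) else "403 Forbidden")
    for rec in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", rec["host"], rec["request"], rec["range_count"], "range-specs")
```

Running the script shows a two-range request and a request without a Range header passing, a six-range request being refused, and the constructed probe line being flagged from the log. Because the access-log entry is written after the RewriteRule has answered the request, a 403 next to a long Range value in the ihs-range log is the confirmation that the workaround is in effect; a 200 or 206 next to such a value means the rule is not being applied to that virtual host.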
4. Related information
- CVE-2011-3192
The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
5. Revision history
- February 20th, 2012: 7th release
- Change the Patch ID in "3-2. Affected products and required patch".
- December 28th, 2011: 6th release
- Change the Patch ID in "3-2. Affected products and required patch".
- Add the following products to "3-2. Affected products and required patch".
- Interstage Application Server Enterprise Edition for Windows [c] V10.0.0 Windows 2003/ 2003R2/ 2008/ 2008R2
- Interstage Application Server Standard-J Edition for Windows [c] V10.0.0 Windows 2003/ 2003R2/ 2008/ 2008R2
- Interstage Application Server Enterprise Edition for Windows [c] V10.0.0 Windows(EM64T) 2003/ 2003R2/ 2008/ 2008R2
- Interstage Application Server Standard-J Edition for Windows [c] V10.0.0 Windows(EM64T) 2003/ 2003R2/ 2008/ 2008R2
- Interstage Application Server Enterprise Edition [d] V10.0.0 Solaris 9/ 10
- Interstage Application Server Standard-J Edition [d] V10.0.0 Solaris 9/ 10
- Interstage Application Server Enterprise Edition for Linux [d] V10.0.0 RHEL5(x86)/ RHEL5(Intel64)
- Interstage Application Server Standard-J Edition for Linux [d] V10.0.0 RHEL5(x86)/ RHEL5(Intel64)
- Interstage Application Server Enterprise Edition for Linux [d] V10.0.0 RHEL6(x86)/ RHEL6(Intel64)
- Interstage Application Server Standard-J Edition for Linux [d] V10.0.0 RHEL6(x86)/ RHEL6(Intel64)
- Interstage Application Server Enterprise Edition for Linux [d] V10.0.0 RHEL5(Intel64)
- Interstage Application Server Standard-J Edition for Linux [d] V10.0.0 RHEL5(Intel64)
- Interstage Application Server Enterprise Edition for Linux [d] V10.0.0 RHEL6(Intel64)
- Interstage Application Server Standard-J Edition for Linux [d] V10.0.0 RHEL6(Intel64)
- Interstage Studio Standard-J Edition for Windows [c] V10.0.0 Windows 2003/ 2003R2/ 2008/ 2008R2/ XP/ Vista/ 7
- December 21st, 2011: 5th release
- Change the Patch ID in "3-2. Affected products and required patch".
- December 15th, 2011: 4th release
- Change the Patch ID in "3-2. Affected products and required patch".
- December 12th, 2011: 3rd release
- Change the Patch ID and Scheduled Date in "3-2. Affected products and required patch".
- December 2nd, 2011: 2nd release
- Add the patch schedule to "3-2. Affected products and required patch".
- November 7th, 2011: Initial release