Interstage HTTP Server: Security Vulnerability (CVE-2012-0053). November 26th, 2013
1. Description
Interstage HTTP Server does not properly restrict header information in Bad Request (also known as 400) error documents. This vulnerability will allow remote attackers to obtain the values of HTTPOnly cookies.
This vulnerability corresponds to CVE-2012-0053.
Fujitsu provides the security patches listed in section 3. Please apply them as soon as possible.
2. Impact
A remote attacker could obtain the cookies of a user (including cookies marked HTTPOnly) if the user executes a malformed script provided by the remote attacker.
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise
3-2. Affected products and required patch
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Application Server Enterprise Edition for Windows [*a] | V5.0 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None* |
Interstage Application Server Enterprise Edition for Windows [*a] | V6.0 | Windows NT4.0/ Windows 2000 Server/ Windows Server 2003 | F3FMihs | None* |
Interstage Application Server Enterprise Edition for Windows [*a] | V7.0/ V7.0.1 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None* |
Interstage Application Server Enterprise Edition for Windows [*a] | 8.0.0/ 8.0.1/ 8.0.2 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None* |
Interstage Application Server Enterprise Edition for Windows [*b] | V9.0.0/ V9.0.0A | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 | F3FMihs | T001001WP-09 |
Interstage Application Server Enterprise Edition for Windows [*b] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-06 |
Interstage Application Server Enterprise Edition for Windows [*b] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-05 |
Interstage Application Server Enterprise Edition for Windows [*b] | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T006036WP-02 |
Interstage Application Server Enterprise Edition for Windows [*b] | V11.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Small Business Server 2011/ Windows Server 2012 | F3FMihs | T008632WP-01 |
Interstage Application Server Standard Edition for Windows [*a] | V5.0 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None* |
Interstage Application Server Standard-J Edition for Windows [*a] | 8.0.0/ 8.0.1/ 8.0.2 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None* |
Interstage Application Server Standard-J Edition for Windows [*b] | V9.0.0/ V9.0.0A/ V9.0.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 | F3FMihs | T001001WP-09 |
Interstage Application Server Standard-J Edition for Windows [*b] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-06 |
Interstage Application Server Standard-J Edition for Windows [*b] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-05 |
Interstage Application Server Standard-J Edition for Windows [*b] | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T006036WP-02 |
Interstage Application Server Standard-J Edition for Windows [*b] | V11.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Small Business Server 2011/ Windows Server 2012 | F3FMihs | T008632WP-01 |
Interstage Application Server Web-J Edition for Windows [*a] | V5.0 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None* |
Interstage Application Server Plus for Windows [*a] | V5.0.1 | Windows NT4.0/ Windows 2000 Server | F3FMihs | None* |
Interstage Application Server Plus for Windows [*a] | V6.0 | Windows NT4.0/ Windows 2000 Server/ Windows Server 2003 | F3FMihs | None* |
Interstage Application Server Plus for Windows [*a] | V7.0/ V7.0.1 | Windows 2000 Server/ Windows Server 2003 | F3FMihs | None* |
Interstage Application Server Plus Developer for Windows [*a] | V5.0.1 | Windows NT4.0/ Windows 2000 Server/ Windows XP | F3FMihs | None* |
Interstage Application Server Plus Developer for Windows [*a] | V6.0 | Windows NT4.0/ Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None* |
Interstage Application Server Plus Developer for Windows [*a] | V7.0 | Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None* |
Interstage Application Server Enterprise Edition for Windows [*a] | 8.0.0 | Windows(IPF) Server 2003 | F3FMihs | None* |
Interstage Application Server Enterprise Edition for Windows [*b] | V9.0.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 | F3FMihs | T001005IP-07 |
Interstage Application Server Enterprise Edition for Windows [*b] | V9.1.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T002175IP-06 |
Interstage Application Server Enterprise Edition for Windows [*b] | V9.2.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T004345IP-05 |
Interstage Application Server Standard-J Edition for Windows [*b] | V9.0.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 | F3FMihs | T001005IP-07 |
Interstage Application Server Standard-J Edition for Windows [*b] | V9.1.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T002175IP-06 |
Interstage Application Server Standard-J Edition for Windows [*b] | V9.2.0 | Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 | F3FMihs | T004345IP-05 |
Interstage Application Server Enterprise Edition for Windows [*b] | V9.2.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T004346XP-05 |
Interstage Application Server Enterprise Edition for Windows [*b] | V10.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T006037XP-02 |
Interstage Application Server Enterprise Edition for Windows [*b] | V11.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2/ Windows(EM64T) Small Business Server 2011/ Windows(EM64T) Server 2012 | F3FMihs | T008633XP-01 |
Interstage Application Server Standard-J Edition for Windows [*b] | V9.2.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T004346XP-05 |
Interstage Application Server Standard-J Edition for Windows [*b] | V10.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 | F3FMihs | T006037XP-02 |
Interstage Application Server Standard-J Edition for Windows [*b] | V11.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2/ Windows(EM64T) Small Business Server 2011/ Windows(EM64T) Server 2012 | F3FMihs | T008633XP-01 |
Interstage Application Server Enterprise Edition [*a] | 5.0 | Solaris 7/ 8/ 9 | FJSVihs | None* |
Interstage Application Server Enterprise Edition [*a] | 5.0.1 | Solaris 7/ 8/ 9 | FJSVihs | None* |
Interstage Application Server Enterprise Edition [*a] | 6.0 | Solaris 7/ 8/ 9 | FJSVihs | None* |
Interstage Application Server Enterprise Edition [*a] | 7.0 | Solaris 8/ 9 | FJSVihs | None* |
Interstage Application Server Enterprise Edition [*a] | 7.0.1 | Solaris 8/ 9/ 10 | FJSVihs | None* |
Interstage Application Server Enterprise Edition [*a] | 8.0.0/ 8.0.2 | Solaris 9/ 10 | FJSVihs | None* |
Interstage Application Server Enterprise Edition [*b] | V9.0.0/ V9.0.0B | Solaris 9/ 10 | FJSVihs | T001004SP-09 |
Interstage Application Server Enterprise Edition [*b] | V9.1.0/ V9.1.0B | Solaris 9/ 10 | FJSVihs | T002180SP-07 |
Interstage Application Server Enterprise Edition [*b] | V9.2.0 | Solaris 9/ 10 | FJSVihs | T004343SP-05 |
Interstage Application Server Enterprise Edition [*b] | V10.0.0 | Solaris 9/ 10 | FJSVihs | T006035SP-02 |
Interstage Application Server Enterprise Edition [*b] | V11.0.0 | Solaris 10/ 11 | FJSVihs | T008627SP-01 |
Interstage Application Server Standard Edition [*a] | 5.0 | Solaris 7/ 8/ 9 | FJSVihs | None* |
Interstage Application Server Standard-J Edition [*a] | 8.0.0/ 8.0.2 | Solaris 9/ 10 | FJSVihs | None* |
Interstage Application Server Standard-J Edition [*b] | V9.0.0 | Solaris 9/ 10 | FJSVihs | T001004SP-09 |
Interstage Application Server Standard-J Edition [*b] | V9.1.0/ V9.1.0B | Solaris 9/ 10 | FJSVihs | T002180SP-07 |
Interstage Application Server Standard-J Edition [*b] | V9.2.0 | Solaris 9/ 10 | FJSVihs | T004343SP-05 |
Interstage Application Server Standard-J Edition [*b] | V10.0.0 | Solaris 9/ 10 | FJSVihs | T006035SP-02 |
Interstage Application Server Standard-J Edition [*b] | V11.0.0 | Solaris 10/ 11 | FJSVihs | T008627SP-01 |
Interstage Application Server Web-J Edition [*a] | 5.0 | Solaris 7/ 8/ 9 | FJSVihs | None* |
Interstage Application Server Plus [*a] | 7.0 | Solaris 8/ 9 | FJSVihs | None* |
Interstage Application Server Plus [*a] | 7.0.1 | Solaris 8/ 9/ 10 | FJSVihs | None* |
Interstage Application Server Enterprise Edition for Linux [*a] | V5.0 | Turbolinux 7 Server | FJSVihs | None* |
Interstage Application Server Standard Edition for Linux [*a] | V5.0 | Turbolinux 7 Server | FJSVihs | None* |
Interstage Application Server Web-J Edition for Linux [*a] | V5.0 | Turbolinux 7 Server | FJSVihs | None* |
Interstage Application Server Enterprise Edition for Linux [*a] | V6.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None* |
Interstage Application Server Enterprise Edition for Linux [*a] | V7.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None* |
Interstage Application Server Plus for Linux [*a] | V7.0 | RHEL-AS3(x86)/ ES3(x86) | FJSVihs | None* |
Interstage Application Server Enterprise Edition for Linux [*a] | V7.0.1 | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | None* |
Interstage Application Server Plus for Linux [*a] | V7.0.1 | RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) | FJSVihs | None* |
Interstage Application Server Enterprise Edition for Linux [*a] | 8.0.0/ 8.0.2 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None* |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.0.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T001003LP-07 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.1.0/ V9.1.0B | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-06 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.2.0/ V9.3.1 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T004338LP-05 |
Interstage Application Server Standard-J Edition for Linux [*a] | 8.0.0/ 8.0.2 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | None* |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.0.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T001003LP-07 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.1.0/ V9.1.0B | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-06 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.2.0/ V9.3.1 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T004338LP-05 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T001044LP-07 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.1.0/ V9.1.0B | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-06 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.2.0/ V9.3.1 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-05 |
Interstage Application Server Enterprise Edition for Linux [*b] | V10.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T006038LP-02 |
Interstage Application Server Enterprise Edition for Linux [*b] | V11.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T008628LP-01 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T001044LP-07 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.1.0/ V9.1.0B | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-06 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.2.0/ V9.3.1 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-05 |
Interstage Application Server Standard-J Edition for Linux [*b] | V10.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T006038LP-02 |
Interstage Application Server Standard-J Edition for Linux [*b] | V11.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T008628LP-01 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.3.1 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006033LP-02 |
Interstage Application Server Enterprise Edition for Linux [*b] | V10.0.0 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006039LP-02 |
Interstage Application Server Enterprise Edition for Linux [*b] | V11.0.0 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T008629LP-01 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.3.1 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006033LP-02 |
Interstage Application Server Standard-J Edition for Linux [*b] | V10.0.0 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T006039LP-02 |
Interstage Application Server Standard-J Edition for Linux [*b] | V11.0.0 | RHEL6(x86)/ RHEL6(Intel64) | FJSVihs | T008629LP-01 |
Interstage Application Server Enterprise Edition for Linux [*a] | V7.0 | RHEL-AS4(IPF) | FJSVihs | None* |
Interstage Application Server Enterprise Edition for Linux [*a] | 8.0.0/ 8.0.1/ 8.0.2 | RHEL-AS4(IPF) | FJSVihs | None* |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.0.0/ V9.0.0A | RHEL-AS4(IPF) | FJSVihs | T001002QP-08 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.1.0 | RHEL-AS4(IPF) | FJSVihs | T002178QP-06 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.2.0 | RHEL-AS4(IPF) | FJSVihs | T004340QP-05 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.0.0 | RHEL-AS4(IPF) | FJSVihs | T001002QP-08 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.1.0 | RHEL-AS4(IPF) | FJSVihs | T002178QP-06 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.2.0 | RHEL-AS4(IPF) | FJSVihs | T004340QP-05 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.0.0/ V9.0.0A | RHEL5(IPF) | FJSVihs | T001043QP-08 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.1.0 | RHEL5(IPF) | FJSVihs | T002179QP-06 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.2.0 | RHEL5(IPF) | FJSVihs | T004341QP-05 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.0.0 | RHEL5(IPF) | FJSVihs | T001043QP-08 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.1.0 | RHEL5(IPF) | FJSVihs | T002179QP-06 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.2.0 | RHEL5(IPF) | FJSVihs | T004341QP-05 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.2.0/ V9.3.1 | RHEL5(Intel64) | FJSVihs | T004342LP-05 |
Interstage Application Server Enterprise Edition for Linux [*b] | V10.0.0 | RHEL5(Intel64) | FJSVihs | T006040LP-02 |
Interstage Application Server Enterprise Edition for Linux [*b] | V11.0.0 | RHEL5(Intel64) | FJSVihs | T008630LP-01 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.2.0/ V9.3.1 | RHEL5(Intel64) | FJSVihs | T004342LP-05 |
Interstage Application Server Standard-J Edition for Linux [*b] | V10.0.0 | RHEL5(Intel64) | FJSVihs | T006040LP-02 |
Interstage Application Server Standard-J Edition for Linux [*b] | V11.0.0 | RHEL5(Intel64) | FJSVihs | T008630LP-01 |
Interstage Application Server Enterprise Edition for Linux [*b] | V9.3.1 | RHEL6(Intel64) | FJSVihs | T006034LP-02 |
Interstage Application Server Enterprise Edition for Linux [*b] | V10.0.0 | RHEL6(Intel64) | FJSVihs | T006041LP-02 |
Interstage Application Server Enterprise Edition for Linux [*b] | V11.0.0 | RHEL6(Intel64) | FJSVihs | T008631LP-01 |
Interstage Application Server Standard-J Edition for Linux [*b] | V9.3.1 | RHEL6(Intel64) | FJSVihs | T006034LP-02 |
Interstage Application Server Standard-J Edition for Linux [*b] | V10.0.0 | RHEL6(Intel64) | FJSVihs | T006041LP-02 |
Interstage Application Server Standard-J Edition for Linux [*b] | V11.0.0 | RHEL6(Intel64) | FJSVihs | T008631LP-01 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Studio Enterprise Edition for Windows [*a] | 8.0.1 | Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None* |
Interstage Studio Enterprise Edition for Windows [*b] | V9.0.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista | F3FMihs | T001001WP-09 |
Interstage Studio Enterprise Edition for Windows [*b] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista | F3FMihs | T002174WP-06 |
Interstage Studio Enterprise Edition for Windows [*b] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T004344WP-05 |
Interstage Studio Standard-J Edition for Windows [*a] | 8.0.1 | Windows 2000 Server/ Windows XP/ Windows Server 2003 | F3FMihs | None* |
Interstage Studio Standard-J Edition for Windows [*b] | V9.0.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista | F3FMihs | T001001WP-09 |
Interstage Studio Standard-J Edition for Windows [*b] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista | F3FMihs | T002174WP-06 |
Interstage Studio Standard-J Edition for Windows [*b] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T004344WP-05 |
Interstage Studio Standard-J Edition for Windows [*b] | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T006036WP-02 |
Interstage Studio Standard-J Edition for Windows [*b] | V11.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7/ Windows Small Business Server 2011/ Windows Server 2012/ Windows 8 | F3FMihs | T008632WP-01 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Business Application Server Enterprise Edition for Linux [*a] | 8.0.0 | RHEL-AS4(IPF) | FJSVihs | None* |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Job Workload Server for Linux [*a] | 8.1.0 | RHEL-AS4(IPF) | FJSVihs | None* |
* For the solution, please refer to "3-3. Workaround" below.
The workaround in 3-3 depends on the product: refer to the letter in the square brackets ([*a] or [*b]) at the end of the product name.
Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.
3-3. Workaround
Avoid the problem by editing the environment definition file (httpd.conf) as described below, so that the error message for status code 400 is a fixed text message. After editing the file, Interstage HTTP Server must be restarted.
- For [*a] products:
Specify the text message after a double quotation mark (").
Specification example: ErrorDocument 400 "400 Bad Request
- For [*b] products:
Enclose the text message in double quotation marks (").
Specification example: ErrorDocument 400 "400 Bad Request"
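As an added example (not from the Fujitsu advisory), a small Python check that classifies the effective ErrorDocument 400 setting in an httpd.conf and tells the two quoting styles the advisory prescribes for [*a] and [*b] products apart. The configuration fragments, the function names, and the assumption that only the global scope (not <VirtualHost> sections) is examined are mine.

```python
import re

# Constructed httpd.conf fragments (not taken from any real installation) used to
# exercise the checker; the ServerRoot path is a placeholder.
CONF_MISSING = (
    'ServerRoot "/example/serverroot"\n'
    'Listen 80\n'
    '# ErrorDocument 400 "400 Bad Request"  (commented out: built-in 400 page still used)\n'
)
CONF_A_STYLE = 'Listen 80\nErrorDocument 400 "400 Bad Request\n'     # [*a] syntax
CONF_B_STYLE = 'Listen 80\nErrorDocument 400 "400 Bad Request"\n'    # [*b] syntax
CONF_EXTERNAL = 'Listen 80\nErrorDocument 400 /error/bad_request.html\n'

# An active (uncommented) ErrorDocument directive for status 400; group 1 is its argument.
ERRDOC_400 = re.compile(r'^[ \t]*ErrorDocument[ \t]+400[ \t]+(.+?)[ \t]*$',
                        re.IGNORECASE | re.MULTILINE)


def advised_directive(family):
    """Return the exact workaround line from section 3-3 for product family 'a' or 'b'."""
    if family == 'a':
        return 'ErrorDocument 400 "400 Bad Request'    # leading quotation mark only
    if family == 'b':
        return 'ErrorDocument 400 "400 Bad Request"'   # message enclosed in quotation marks
    raise ValueError("family must be 'a' or 'b'")


def check_errordocument_400(conf_text, family):
    """Classify the effective ErrorDocument 400 setting in the global scope of httpd.conf.

    Returns one of:
      'missing'          no active directive, so the server's built-in 400 page is used
                         (the state the workaround is meant to replace)
      'text'             quoted text message in the style the advisory gives for this family
      'text-other-style' quoted text message, but in the other family's quoting style
      'external'         a local path or URL: the 400 response is served from that document
    Assumption: only the global scope is examined; <VirtualHost> sections are not handled.
    """
    if family not in ('a', 'b'):
        raise ValueError("family must be 'a' or 'b'")
    args = ERRDOC_400.findall(conf_text)
    if not args:
        return 'missing'
    arg = args[-1]                      # a later directive in the same scope wins
    if not arg.startswith('"'):
        return 'external'
    has_closing_quote = len(arg) > 1 and arg.endswith('"')
    expects_closing_quote = (family == 'b')
    return 'text' if has_closing_quote == expects_closing_quote else 'text-other-style'


def audit(conf_text, family):
    """Return (status, advised_line) so an operator sees what is set and what 3-3 prescribes."""
    return check_errordocument_400(conf_text, family), advised_directive(family)


if __name__ == '__main__':
    for name, conf, fam in (('missing', CONF_MISSING, 'b'), ('a-style', CONF_A_STYLE, 'a'),
                            ('b-style', CONF_B_STYLE, 'b'), ('external', CONF_EXTERNAL, 'b')):
        status, advised = audit(conf, fam)
        print(f'{name:9s} [*{fam}] -> {status:17s} advised: {advised}')
```

Run it against a copy of the real httpd.conf of each affected instance; a result of 'missing' means the built-in 400 page is still in use and the workaround has not been applied.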
4. Related information
- CVE-2012-0053
protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0053
5. Revision history
- November 26th, 2013: 2nd release
- Change the Patch ID in "3-2. Affected products and required patch".
- Add some products to "3-2. Affected products and required patch".
- October 9th, 2012: Initial release