Interstage HTTP Server/ Interstage HTTP Server 2.2: Security Vulnerabilities(CVE-2011-3607/ CVE-2012-3499/ CVE-2012-2687/ CVE-2013-1862). March 19th, 2015


1. Description

  a. A Denial of Service (DoS) vulnerability has been confirmed when the Interstage HTTP Server mod_setenvif module is used.
    This vulnerability is reported as "CVE-2011-3607".
  b. A cross-site scripting (XSS) vulnerability has been confirmed in HTTP response data generation processing if one of the Interstage HTTP Server modules (mod_imap, mod_info, or mod_status) is used.
    This vulnerability is reported as "CVE-2012-3499".
  c. A cross-site scripting (XSS) vulnerability has been confirmed in status code 406 error page generation processing if the Interstage HTTP Server mod_negotiation module is used.
    This vulnerability is reported as "CVE-2012-2687".
  d. A vulnerability where arbitrary commands are executed has been confirmed if the Interstage HTTP Server or Interstage HTTP Server 2.2 mod_rewrite module is used.
    This vulnerability is reported as "CVE-2013-1862".

    However, Interstage HTTP Server is affected by this vulnerability only if all of the following conditions apply:
    1. "On" was specified for the RewriteEngine directive in the environment definition file (httpd.conf), and
    2. The RewriteLog directive was configured in the environment definition file (httpd.conf), and
    3. A value of 1 or greater was specified for the RewriteLogLevel directive in the environment definition file (httpd.conf).
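
A way to check an httpd.conf against the three conditions above, and against the configuration workarounds b) and c) listed in "3-3. Workaround". This is an added example, not Fujitsu's or Apache's code; the function names and both sample files are constructed for illustration. It ignores <VirtualHost> scoping and Include files and treats any matching directive in the file as relevant, so it can over-report but not under-report the rewrite-log conditions.

```python
def parse_directives(conf_text):
    """Return [(name_lower, raw_args)] for each directive in an httpd.conf.

    Comments, blank lines and <Section> tags are skipped; a trailing
    backslash joins a line with the next one, as Apache does.
    """
    directives, pending = [], ""
    for line in conf_text.splitlines():
        if line.rstrip().endswith("\\"):
            pending += line.rstrip()[:-1] + " "
            continue
        full = (pending + line).strip()
        pending = ""
        if not full or full.startswith("#") or full.startswith("<"):
            continue
        parts = full.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ""
        directives.append((parts[0].lower(), args))  # directive names are case-insensitive
    return directives


def _values(directives, name):
    return [args for n, args in directives if n == name]


def _first_token(args):
    tokens = args.split()
    return tokens[0].strip("\"'") if tokens else ""


def rewrite_log_exposed(directives):
    """True when all three CVE-2013-1862 conditions from the advisory hold."""
    engine_on = any(_first_token(a).lower() == "on"
                    for a in _values(directives, "rewriteengine"))
    log_set = any(_first_token(a) != "" for a in _values(directives, "rewritelog"))
    level_on = any(_first_token(a).isdigit() and int(_first_token(a)) >= 1
                   for a in _values(directives, "rewriteloglevel"))
    return engine_on and log_set and level_on


def canonical_name_applied(directives):
    """Workaround b): UseCanonicalName On everywhere it appears, plus a ServerName."""
    ucn = [_first_token(a).lower() for a in _values(directives, "usecanonicalname")]
    has_name = any(_first_token(a) != "" for a in _values(directives, "servername"))
    return bool(ucn) and all(v == "on" for v in ucn) and has_name


def error_document_406_is_text(directives):
    """Workaround c): ErrorDocument 406 is a text message (starts with a double quote).

    Covers both forms in the advisory: opening quote only, or fully quoted.
    """
    for args in _values(directives, "errordocument"):
        parts = args.split(None, 1)
        if len(parts) == 2 and parts[0] == "406" and parts[1].startswith('"'):
            return True
    return False


def audit(conf_text):
    d = parse_directives(conf_text)
    return {
        "cve_2013_1862_conditions_met": rewrite_log_exposed(d),
        "workaround_b_applied": canonical_name_applied(d),
        "workaround_c_applied": error_document_406_is_text(d),
    }


# Constructed sample: all three rewrite-log conditions hold, no workaround set.
SAMPLE_WEAK = r"""
ServerName www.example.test
UseCanonicalName Off
<VirtualHost *:80>
    rewriteengine on
    RewriteLog \
        "logs/rewrite.log"
    RewriteLogLevel 2
</VirtualHost>
ErrorDocument 406 /errors/406.html
"""

# Constructed sample: log level 0 breaks the third condition; b) and c) applied.
SAMPLE_FIXED = r"""
ServerName www.example.test
UseCanonicalName On
RewriteEngine On
RewriteLog "logs/rewrite.log"
RewriteLogLevel 0
ErrorDocument 406 "406 Not Acceptable"
"""

if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(label, audit(conf))
```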

The security patches shown in 3-2. are provided, and Fujitsu requests that these be applied promptly.
For products for which no security patch is provided, use the workaround shown in 3-3.

2. Impact

  a. A modified request sent by a remote attacker may cause the Interstage HTTP Server process to crash, resulting in Denial of Service (DoS).
  b. By creating a page that exploits the XSS vulnerability of a website (targeted site) operated by Interstage HTTP Server, a malicious user can execute any code on the computer of a user (victim) who accesses this page.
    Additionally, if the victim has set the targeted site as a trusted site, this code may be executed as code of the trusted site.
    Potentially harmful code includes the following:
    • Reading user input
    • Reading/overwriting cookies
    • Forwarding information to a third party
  c. Same as "b".
  d. If a rewrite log file that contains data from a modified request sent by a remote attacker is displayed on a terminal that has a vulnerability related to escape sequences, any command may be executed with the privileges of the user viewing the log.

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise, SPARC M10

3-2. Affected products and required patch

Interstage Application Server
Products Version Target OS Package name Patch ID.
Interstage Application Server Enterprise Edition for Windows [*b *c1 *d] V5.0 Windows NT4.0/ Windows 2000 Server F3FMihs None *
Interstage Application Server Enterprise Edition for Windows [*b *c1 *d] V6.0 Windows NT4.0/ Windows 2000 Server/ Windows Server 2003 F3FMihs None *
Interstage Application Server Enterprise Edition for Windows [*b *c1 *d] V7.0/ V7.0.1 Windows 2000 Server/ Windows Server 2003 F3FMihs None *
Interstage Application Server Enterprise Edition for Windows [*b *c1 *d] 8.0.0/ 8.0.1/ 8.0.2 Windows 2000 Server/ Windows Server 2003 F3FMihs None *
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V9.0.0/ V9.0.0A Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 F3FMihs T001001WP-09
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 F3FMihs T002174WP-06
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 F3FMihs T004344WP-05
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V10.0.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 F3FMihs T006036WP-02
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V11.0.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Small Business Server 2011/ Windows Server 2012/ Windows Server 2012 R2 F3FMihs T008632WP-01
Interstage Application Server Enterprise Edition for Windows [*d] V11.1.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Small Business Server 2011/ Windows Server 2012/ Windows Server 2012 R2 F3FMihs T009137WP-01
Interstage Application Server Enterprise Edition for Windows [*d] V11.1.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Small Business Server 2011/ Windows Server 2012/ Windows Server 2012 R2 F3FMahs T009371WP-03
Interstage Application Server Standard Edition for Windows [*b *c1 *d] V5.0 Windows NT4.0/ Windows 2000 Server F3FMihs None *
Interstage Application Server Standard-J Edition for Windows [*b *c1 *d] 8.0.0/ 8.0.1/ 8.0.2 Windows 2000 Server/ Windows Server 2003 F3FMihs None *
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V9.0.0/ V9.0.0A/ V9.0.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 F3FMihs T001001WP-09
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 F3FMihs T002174WP-06
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 F3FMihs T004344WP-05
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V10.0.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 F3FMihs T006036WP-02
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V11.0.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Small Business Server 2011/ Windows Server 2012/ Windows Server 2012 R2 F3FMihs T008632WP-01
Interstage Application Server Standard-J Edition for Windows [*d] V11.1.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Small Business Server 2011/ Windows Server 2012/ Windows Server 2012 R2 F3FMihs T009137WP-01
Interstage Application Server Standard-J Edition for Windows [*d] V11.1.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Small Business Server 2011/ Windows Server 2012/ Windows Server 2012 R2 F3FMahs T009371WP-03
Interstage Application Server Web-J Edition for Windows [*b *c1 *d] V5.0 Windows NT4.0/ Windows 2000 Server F3FMihs None *
Interstage Application Server Plus for Windows [*b *c1 *d] V5.0.1 Windows NT4.0/ Windows 2000 Server F3FMihs None *
Interstage Application Server Plus for Windows [*b *c1 *d] V6.0 Windows NT4.0/ Windows 2000 Server/ Windows Server 2003 F3FMihs None *
Interstage Application Server Plus for Windows [*b *c1 *d] V7.0/ V7.0.1 Windows 2000 Server/ Windows Server 2003 F3FMihs None *
Interstage Application Server Plus Developer for Windows [*b *c1 *d] V5.0.1 Windows NT4.0/ Windows 2000 Server/ Windows XP F3FMihs None *
Interstage Application Server Plus Developer for Windows [*b *c1 *d] V6.0 Windows NT4.0/ Windows 2000 Server/ Windows XP/ Windows Server 2003 F3FMihs None *
Interstage Application Server Plus Developer for Windows [*b *c1 *d] V7.0 Windows 2000 Server/ Windows XP/ Windows Server 2003 F3FMihs None *
Interstage Application Server Enterprise Edition for Windows [*b *c1 *d] 8.0.0 Windows(IPF) Server 2003 F3FMihs None *
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V9.0.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 F3FMihs T001005IP-07
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V9.1.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T002175IP-06
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V9.2.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T004345IP-05
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V9.0.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2 F3FMihs T001005IP-07
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V9.1.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T002175IP-06
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V9.2.0 Windows(IPF) Server 2003/ Windows(IPF) Server 2003 R2/ Windows(IPF) Server 2008 F3FMihs T004345IP-05
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V9.2.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 F3FMihs T004346XP-05
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V10.0.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 F3FMihs T006037XP-02
Interstage Application Server Enterprise Edition for Windows [*a *b *c2 *d] V11.0.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2/ Windows(EM64T) Small Business Server 2011/ Windows(EM64T) Server 2012/ Windows(EM64T) Server 2012 R2 F3FMihs T008633XP-01
Interstage Application Server Enterprise Edition for Windows [*d] V11.1.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2/ Windows(EM64T) Small Business Server 2011/ Windows(EM64T) Server 2012/ Windows(EM64T) Server 2012 R2 F3FMihs Pending *
Interstage Application Server Enterprise Edition for Windows [*d] V11.1.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2/ Windows(EM64T) Small Business Server 2011/ Windows(EM64T) Server 2012/ Windows(EM64T) Server 2012 R2 F3FMahs T010823XP-01
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V9.2.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 F3FMihs T004346XP-05
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V10.0.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2 F3FMihs T006037XP-02
Interstage Application Server Standard-J Edition for Windows [*a *b *c2 *d] V11.0.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2/ Windows(EM64T) Small Business Server 2011/ Windows(EM64T) Server 2012/ Windows(EM64T) Server 2012 R2 F3FMihs T008633XP-01
Interstage Application Server Standard-J Edition for Windows [*d] V11.1.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2/ Windows(EM64T) Small Business Server 2011/ Windows(EM64T) Server 2012/ Windows(EM64T) Server 2012 R2 F3FMihs Pending *
Interstage Application Server Standard-J Edition for Windows [*d] V11.1.0 Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows(EM64T) Server 2008 R2/ Windows(EM64T) Small Business Server 2011/ Windows(EM64T) Server 2012/ Windows(EM64T) Server 2012 R2 F3FMahs T010823XP-01
Interstage Application Server Enterprise Edition [*b *c1 *d] 5.0 Solaris 7/ 8/ 9 FJSVihs None *
Interstage Application Server Enterprise Edition [*b *c1 *d] 5.0.1 Solaris 7/ 8/ 9 FJSVihs None *
Interstage Application Server Enterprise Edition [*b *c1 *d] 6.0 Solaris 7/ 8/ 9 FJSVihs None *
Interstage Application Server Enterprise Edition [*b *c1 *d] 7.0 Solaris 8/ 9 FJSVihs None *
Interstage Application Server Enterprise Edition [*b *c1 *d] 7.0.1 Solaris 8/ 9/ 10 FJSVihs None *
Interstage Application Server Enterprise Edition [*b *c1 *d] 8.0.0/ 8.0.2 Solaris 9/ 10 FJSVihs None *
Interstage Application Server Enterprise Edition [*b *c2 *d] V9.0.0/ V9.0.0B Solaris 9/ 10 FJSVihs T001004SP-09
Interstage Application Server Enterprise Edition [*b *c2 *d] V9.1.0/ V9.1.0B Solaris 9/ 10 FJSVihs T002180SP-07
Interstage Application Server Enterprise Edition [*b *c2 *d] V9.2.0 Solaris 9/ 10 FJSVihs T004343SP-05
Interstage Application Server Enterprise Edition [*b *c2 *d] V10.0.0 Solaris 9/ 10 FJSVihs T006035SP-02
Interstage Application Server Enterprise Edition [*b *c2 *d] V11.0.0 Solaris 10/ 11 FJSVihs T008627SP-01
Interstage Application Server Enterprise Edition [*d] V11.1.0 Solaris 10/ 11 FJSVihs T009138SP-01
Interstage Application Server Enterprise Edition [*d] V11.1.0 Solaris 10/ 11 FJSVahs T010824SP-01
Interstage Application Server Standard Edition [*b *c1 *d] 5.0 Solaris 7/ 8/ 9 FJSVihs None *
Interstage Application Server Standard-J Edition [*b *c1 *d] 8.0.0/ 8.0.2 Solaris 9/ 10 FJSVihs None *
Interstage Application Server Standard-J Edition [*b *c2 *d] V9.0.0 Solaris 9/ 10 FJSVihs T001004SP-09
Interstage Application Server Standard-J Edition [*b *c2 *d] V9.1.0/ V9.1.0B Solaris 9/ 10 FJSVihs T002180SP-07
Interstage Application Server Standard-J Edition [*b *c2 *d] V9.2.0 Solaris 9/ 10 FJSVihs T004343SP-05
Interstage Application Server Standard-J Edition [*b *c2 *d] V10.0.0 Solaris 9/ 10 FJSVihs T006035SP-02
Interstage Application Server Standard-J Edition [*b *c2 *d] V11.0.0 Solaris 10/ 11 FJSVihs T008627SP-01
Interstage Application Server Standard-J Edition [*d] V11.1.0 Solaris 10/ 11 FJSVihs T009138SP-01
Interstage Application Server Standard-J Edition [*d] V11.1.0 Solaris 10/ 11 FJSVahs T010824SP-01
Interstage Application Server Web-J Edition [*b *c1 *d] 5.0 Solaris 7/ 8/ 9 FJSVihs None *
Interstage Application Server Plus [*b *c1 *d] 7.0 Solaris 8/ 9 FJSVihs None *
Interstage Application Server Plus [*b *c1 *d] 7.0.1 Solaris 8/ 9/ 10 FJSVihs None *
Interstage Application Server Enterprise Edition for Linux [*b *c1 *d] V5.0 Turbolinux 7 Server FJSVihs None *
Interstage Application Server Standard Edition for Linux [*b *c1 *d] V5.0 Turbolinux 7 Server FJSVihs None *
Interstage Application Server Web-J Edition for Linux [*b *c1 *d] V5.0 Turbolinux 7 Server FJSVihs None *
Interstage Application Server Enterprise Edition for Linux [*b *c1 *d] V6.0 RHEL-AS3(x86)/ ES3(x86) FJSVihs None *
Interstage Application Server Enterprise Edition for Linux [*b *c1 *d] V7.0 RHEL-AS3(x86)/ ES3(x86) FJSVihs None *
Interstage Application Server Plus for Linux [*b *c1 *d] V7.0 RHEL-AS3(x86)/ ES3(x86) FJSVihs None *
Interstage Application Server Enterprise Edition for Linux [*b *c1 *d] V7.0.1 RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) FJSVihs None *
Interstage Application Server Plus for Linux [*b *c1 *d] V7.0.1 RHEL-AS3(x86)/ ES3(x86)/ AS4(x86) FJSVihs None *
Interstage Application Server Enterprise Edition for Linux [*b *c1 *d] 8.0.0/ 8.0.2 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs None *
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.0.0 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T001003LP-07
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.1.0/ V9.1.0B RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T002176LP-06
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.2.0/ V9.3.1 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T004338LP-05
Interstage Application Server Standard-J Edition for Linux [*b *c1 *d] 8.0.0/ 8.0.2 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs None *
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.0.0 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T001003LP-07
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.1.0/ V9.1.0B RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T002176LP-06
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.2.0/ V9.3.1 RHEL-AS4(x86)/ AS4(EM64T) FJSVihs T004338LP-05
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T001044LP-07
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.1.0/ V9.1.0B RHEL5(x86)/ RHEL5(Intel64) FJSVihs T002177LP-06
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.2.0/ V9.3.1 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T004339LP-05
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V10.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T006038LP-02
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V11.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T008628LP-01
Interstage Application Server Enterprise Edition for Linux [*d] V11.1.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T009139LP-01
Interstage Application Server Enterprise Edition for Linux [*d] V11.1.0 RHEL5(x86)/ RHEL5(Intel64) FJSVahs T009143LP-01
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T001044LP-07
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.1.0/ V9.1.0B RHEL5(x86)/ RHEL5(Intel64) FJSVihs T002177LP-06
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.2.0/ V9.3.1 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T004339LP-05
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V10.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T006038LP-02
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V11.0.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T008628LP-01
Interstage Application Server Standard-J Edition for Linux [*d] V11.1.0 RHEL5(x86)/ RHEL5(Intel64) FJSVihs T009139LP-01
Interstage Application Server Standard-J Edition for Linux [*d] V11.1.0 RHEL5(x86)/ RHEL5(Intel64) FJSVahs T009143LP-01
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.3.1 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T006033LP-02
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V10.0.0 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T006039LP-02
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V11.0.0 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T008629LP-01
Interstage Application Server Enterprise Edition for Linux [*d] V11.1.0 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T009140LP-01
Interstage Application Server Enterprise Edition for Linux [*d] V11.1.0 RHEL6(x86)/ RHEL6(Intel64) FJSVahs T009144LP-01
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.3.1 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T006033LP-02
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V10.0.0 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T006039LP-02
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V11.0.0 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T008629LP-01
Interstage Application Server Standard-J Edition for Linux [*d] V11.1.0 RHEL6(x86)/ RHEL6(Intel64) FJSVihs T009140LP-01
Interstage Application Server Standard-J Edition for Linux [*d] V11.1.0 RHEL6(x86)/ RHEL6(Intel64) FJSVahs T009144LP-01
Interstage Application Server Enterprise Edition for Linux [*b *c1 *d] V7.0 RHEL-AS4(IPF) FJSVihs None *
Interstage Application Server Enterprise Edition for Linux [*b *c1 *d] 8.0.0/ 8.0.1/ 8.0.2 RHEL-AS4(IPF) FJSVihs None *
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.0.0/ V9.0.0A RHEL-AS4(IPF) FJSVihs T001002QP-08
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.1.0 RHEL-AS4(IPF) FJSVihs T002178QP-06
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.2.0 RHEL-AS4(IPF) FJSVihs T004340QP-05
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.0.0 RHEL-AS4(IPF) FJSVihs T001002QP-08
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.1.0 RHEL-AS4(IPF) FJSVihs T002178QP-06
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.2.0 RHEL-AS4(IPF) FJSVihs T004340QP-05
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.0.0/ V9.0.0A RHEL5(IPF) FJSVihs T001043QP-08
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.1.0 RHEL5(IPF) FJSVihs T002179QP-06
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.2.0 RHEL5(IPF) FJSVihs T004341QP-05
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.0.0 RHEL5(IPF) FJSVihs T001043QP-08
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.1.0 RHEL5(IPF) FJSVihs T002179QP-06
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.2.0 RHEL5(IPF) FJSVihs T004341QP-05
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.2.0/ V9.3.1 RHEL5(Intel64) FJSVihs T004342LP-05
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V10.0.0 RHEL5(Intel64) FJSVihs T006040LP-02
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V11.0.0 RHEL5(Intel64) FJSVihs T008630LP-01
Interstage Application Server Enterprise Edition for Linux [*d] V11.1.0 RHEL5(Intel64) FJSVihs T009141LP-01
Interstage Application Server Enterprise Edition for Linux [*d] V11.1.0 RHEL5(Intel64) FJSVahs T009145LP-01
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.2.0/ V9.3.1 RHEL5(Intel64) FJSVihs T004342LP-05
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V10.0.0 RHEL5(Intel64) FJSVihs T006040LP-02
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V11.0.0 RHEL5(Intel64) FJSVihs T008630LP-01
Interstage Application Server Standard-J Edition for Linux [*d] V11.1.0 RHEL5(Intel64) FJSVihs T009141LP-01
Interstage Application Server Standard-J Edition for Linux [*d] V11.1.0 RHEL5(Intel64) FJSVahs T009145LP-01
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V9.3.1 RHEL6(Intel64) FJSVihs T006034LP-02
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V10.0.0 RHEL6(Intel64) FJSVihs T006041LP-02
Interstage Application Server Enterprise Edition for Linux [*b *c2 *d] V11.0.0 RHEL6(Intel64) FJSVihs T008631LP-01
Interstage Application Server Enterprise Edition for Linux [*d] V11.1.0 RHEL6(Intel64) FJSVihs T009142LP-01
Interstage Application Server Enterprise Edition for Linux [*d] V11.1.0 RHEL6(Intel64) FJSVahs T009146LP-01
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V9.3.1 RHEL6(Intel64) FJSVihs T006034LP-02
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V10.0.0 RHEL6(Intel64) FJSVihs T006041LP-02
Interstage Application Server Standard-J Edition for Linux [*b *c2 *d] V11.0.0 RHEL6(Intel64) FJSVihs T008631LP-01
Interstage Application Server Standard-J Edition for Linux [*d] V11.1.0 RHEL6(Intel64) FJSVihs T009142LP-01
Interstage Application Server Standard-J Edition for Linux [*d] V11.1.0 RHEL6(Intel64) FJSVahs T009146LP-01
Interstage Apworks
Products Version Target OS Package name Patch ID.
Interstage Apworks Modelers-J Edition for Windows [*b *c1 *d] V6.0/ V6.0A Windows 2000 Server/ Windows XP F3FMihs None *
Interstage Apworks Modelers-J Edition for Windows [*b *c1 *d] V7.0 Windows 2000 Server/ Windows XP F3FMihs None *
Interstage Studio
Products Version Target OS Package name Patch ID.
Interstage Studio Enterprise Edition for Windows [*b *c1 *d] 8.0.1 Windows 2000 Server/ Windows XP/ Windows Server 2003 F3FMihs None *
Interstage Studio Enterprise Edition for Windows [*a *b *c2 *d] V9.0.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista F3FMihs T001001WP-09
Interstage Studio Enterprise Edition for Windows [*a *b *c2 *d] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista F3FMihs T002174WP-06
Interstage Studio Enterprise Edition for Windows [*a *b *c2 *d] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 F3FMihs T004344WP-05
Interstage Studio Standard-J Edition for Windows [*b *c1 *d] 8.0.1 Windows 2000 Server/ Windows XP/ Windows Server 2003 F3FMihs None *
Interstage Studio Standard-J Edition for Windows [*a *b *c2 *d] V9.0.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista F3FMihs T001001WP-09
Interstage Studio Standard-J Edition for Windows [*a *b *c2 *d] V9.1.0/ V9.1.0B Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista F3FMihs T002174WP-06
Interstage Studio Standard-J Edition for Windows [*a *b *c2 *d] V9.2.0 Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 F3FMihs T004344WP-05
Interstage Studio Standard-J Edition for Windows [*a *b *c2 *d] V10.0.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 F3FMihs T006036WP-02
Interstage Studio Standard-J Edition for Windows [*a *b *c2 *d] V11.0.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7/ Windows Small Business Server 2011/ Windows Server 2012/ Windows Server 2012 R2/ Windows 8/ Windows 8.1 F3FMihs T008632WP-01
Interstage Studio Standard-J Edition for Windows [*d] V11.1.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7/ Windows Small Business Server 2011/ Windows Server 2012/ Windows Server 2012 R2/ Windows 8/ Windows 8.1 F3FMihs T009137WP-01
Interstage Studio Standard-J Edition for Windows [*d] V11.1.0 Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7/ Windows Small Business Server 2011/ Windows Server 2012/ Windows Server 2012 R2/ Windows 8/ Windows 8.1 F3FMahs T009371WP-03
Interstage Business Application Server
Products Version Target OS Package name Patch ID.
Interstage Business Application Server Enterprise Edition for Linux [*b *c1 *d] 8.0.0 RHEL-AS4(IPF) FJSVihs None *
Interstage Job Workload Server
Products Version Target OS Package name Patch ID.
Interstage Job Workload Server for Linux [*b *c1 *d] 8.1.0 RHEL-AS4(IPF) FJSVihs None *

* For the solution, please refer to "3-3. Workaround" below.

[*a] Affected by CVE-2011-3607: For details, refer to a) of "3-3. Workaround" below.

[*b] Affected by CVE-2012-3499: For details, refer to b) of "3-3. Workaround" below.

[*c1][*c2] Affected by CVE-2012-2687: For details, refer to c) of "3-3. Workaround" below.

[*d] Affected by CVE-2013-1862: For details, refer to d) of "3-3. Workaround" below.



Note: Determining the affected product

To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.

3-3. Workaround

  a. None.
    Apply the security patches shown in 3-2.
  b. Specify "On" for the UseCanonicalName directive, and then set the web server host name in the ServerName directive, in the environment definition file (httpd.conf).
    After editing this file, restart Interstage HTTP Server.
  c. Use one of the methods shown below to edit the environment definition file (httpd.conf) and set the text message for the error document returned when status code 406 occurs.
    After editing this file, restart Interstage HTTP Server.
    • Product [*c1]
      Specify the text message after a double quotation mark (").
      Example) ErrorDocument 406 "406 Not Acceptable
    • Product [*c2]
      Enclose the text message within double quotation marks (").
      Example) ErrorDocument 406 "406 Not Acceptable"
  d. When displaying the rewrite log file on a terminal, do not use a terminal that has a vulnerability related to escape sequences.
    This vulnerability has been confirmed on the following terminals:
    • Eterm (version 0.9.1 or earlier) [CAN-2003-0021/ CAN-2003-0068]
    • rxvt (2.7.8) [CAN-2003-0022/ CAN-2003-0023/ CAN-2003-0066]
    • XFree86 (versions earlier than 4.3.0) [CAN-2003-0063]
    • VTE (Red Hat Linux 8.0) [CAN-2003-0070]
    • hanterm-xt (version 2.0 or earlier) [CAN-2003-0077]
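
One way to follow workaround d) when the rewrite log still has to be read: turn every control character into visible text before it reaches the terminal, and list the lines that contained one. This is an added example, not Fujitsu's or Apache's code; the function names are hypothetical and the log lines are constructed samples in a simplified rewrite-log layout.

```python
import unicodedata


def neutralize(raw_line: bytes):
    """Return (safe_text, n_escaped) for one raw log line.

    Control characters (ESC, CR, C1 controls such as 0x9b, etc.) and bytes that
    are not valid UTF-8 are rendered as visible \\xNN text, so a terminal never
    interprets them. Tab is kept; a literal backslash is doubled so the
    output stays unambiguous.
    """
    text = raw_line.decode("utf-8", errors="surrogateescape")
    out, escaped = [], 0
    for ch in text:
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:
            # Undecodable byte preserved by surrogateescape: show the raw byte.
            out.append("\\x%02x" % (cp - 0xDC00))
            escaped += 1
        elif ch == "\\":
            out.append("\\\\")
        elif ch != "\t" and unicodedata.category(ch).startswith("C"):
            # Cc/Cf/Co/Cn: control, format, private-use or unassigned.
            out.append("\\x%02x" % cp if cp < 0x100 else "\\u{%x}" % cp)
            escaped += 1
        else:
            out.append(ch)
    return "".join(out), escaped


def review_log(raw: bytes):
    """Return [(line_no, safe_text, n_escaped)] for a whole log file."""
    lines = raw.split(b"\n")          # split on LF only, so CR is escaped, not eaten
    if lines and lines[-1] == b"":
        lines.pop()
    rows = []
    for no, line in enumerate(lines, 1):
        safe, n = neutralize(line)
        rows.append((no, safe, n))
    return rows


def suspicious_lines(raw: bytes):
    """Line numbers that carried at least one control character or bad byte."""
    return [no for no, _, n in review_log(raw) if n > 0]


# Constructed sample log: line 2 carries an ESC-based sequence, line 3 a raw
# C1 control byte (0x9b); both are harmless display sequences.
SAMPLE_LOG = (
    b"192.0.2.10 - - [19/Mar/2015:10:00:00 +0900] (2) init rewrite engine"
    b" with requested uri /index.html\n"
    b"192.0.2.77 - - [19/Mar/2015:10:00:05 +0900] (2) init rewrite engine"
    b" with requested uri /a\x1b[31mb\n"
    b"192.0.2.77 - - [19/Mar/2015:10:00:06 +0900] (2) init rewrite engine"
    b" with requested uri /c\x9b2Jd\n"
)

if __name__ == "__main__":
    for no, safe, n in review_log(SAMPLE_LOG):
        marker = "!" if n else " "
        print("%s %4d  %s" % (marker, no, safe))
    print("lines with control characters:", suspicious_lines(SAMPLE_LOG))
```

Lines reported by `suspicious_lines` are also worth reviewing as evidence that someone sent requests containing terminal control sequences.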

4. Related information

  1. CVE-2011-3607
    Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607
  2. CVE-2012-3499
    Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
  3. CVE-2012-2687
    Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
  4. CVE-2013-1862
    mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862

5. Revision history

  • March 19th, 2015: 3rd release
    • Changed the Patch ID in "3-2. Affected products and required patch".
  • March 20th, 2014: 2nd release
    • Changed the Patch ID in "3-2. Affected products and required patch".
    • Changed the Target OS in "3-2. Affected products and required patch".
  • November 26th, 2013: Initial release
