Interstage Application Server, Interstage Apworks, Interstage Interaction Manager, Interstage Studio: Apache Struts1 vulnerable to input validation bypass (CVE-2016-1182). June 7th, 2016
1. Description
The Struts1 Validator contains a vulnerability that allows input value validation to be bypassed.
Not every computer on which an affected product is installed is exposed to this vulnerability.
A computer on which the product is installed may be affected only if Struts1 is enabled and used by a Web application.
In addition, the Web application must use the following ActionForms, or their subclasses, in session scope:
- ValidatorForm
- ValidatorActionForm
For the Patches, please contact a Fujitsu system engineer or your partner(s).
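As an added triage example (not part of the Fujitsu advisory), the following Python script checks a struts-config.xml for the exposure condition stated above: action mappings that bind a ValidatorForm or ValidatorActionForm in session scope. It relies on Struts 1 treating an omitted scope attribute as session scope, and takes the names of application subclasses as an argument because the XML cannot reveal class inheritance; the sample configuration and the com.example class names are constructed.

```python
import xml.etree.ElementTree as ET

# Validator form types named in the advisory; application subclasses
# must be supplied by the caller, since XML shows no class hierarchy.
VALIDATOR_FORM_TYPES = {
    "org.apache.struts.validator.ValidatorForm",
    "org.apache.struts.validator.ValidatorActionForm",
}


def exposed_mappings(config_xml, known_subclasses=frozenset()):
    """Return (action path, form-bean name, form type) for every action
    mapping that binds a validator form in session scope."""
    root = ET.fromstring(config_xml)
    risky_types = VALIDATOR_FORM_TYPES | set(known_subclasses)
    # form-bean name -> declared type, restricted to risky types
    beans = {
        fb.get("name"): fb.get("type")
        for fb in root.iter("form-bean")
        if fb.get("type") in risky_types
    }
    hits = []
    for action in root.iter("action"):
        form = action.get("name")
        if form not in beans:
            continue
        # Struts 1 treats a missing scope attribute as "session".
        if action.get("scope", "session") == "session":
            hits.append((action.get("path"), form, beans[form]))
    return hits


# Constructed sample struts-config.xml (hypothetical application).
SAMPLE_CONFIG = """<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="org.apache.struts.validator.ValidatorForm"/>
    <form-bean name="searchForm" type="org.apache.struts.validator.ValidatorActionForm"/>
    <form-bean name="orderForm" type="com.example.web.OrderForm"/>
    <form-bean name="plainForm" type="org.apache.struts.action.ActionForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login" name="loginForm" type="com.example.web.LoginAction"/>
    <action path="/search" name="searchForm" scope="request" type="com.example.web.SearchAction"/>
    <action path="/order" name="orderForm" scope="session" type="com.example.web.OrderAction"/>
    <action path="/plain" name="plainForm" scope="session" type="com.example.web.PlainAction"/>
  </action-mappings>
</struts-config>"""

if __name__ == "__main__":
    # OrderForm is assumed to extend ValidatorForm in the application.
    for path, form, ftype in exposed_mappings(
            SAMPLE_CONFIG, known_subclasses={"com.example.web.OrderForm"}):
        print(f"{path}: form-bean '{form}' ({ftype}) is held in session scope")
```

A mapping reported here is only a candidate: the advisory's condition also requires that Struts1 is actually enabled and used by the deployed application.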
2. Impact
This vulnerability allows a malicious user to perform a DoS attack against the Web application, register arbitrary data in the Web application, and/or execute arbitrary script in the user's browser.
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT compatible machine, PRIMEQUEST, SPARC Enterprise, Fujitsu M10
3-2. Affected products and required patch
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Application Server Enterprise Edition | V7.0L10 | RHEL-AS4(IPF) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V8.0.0 | RHEL-AS4(IPF) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V8.0.1 | RHEL-AS4(IPF) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V8.0.2 | RHEL-AS4(IPF) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.0.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.0.0A | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.1.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | T010235QP-02 |
Interstage Application Server Enterprise Edition | V9.2.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | T010235QP-02 |
Interstage Application Server Standard-J Edition | V9.0.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.1.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | T010235QP-02 |
Interstage Application Server Standard-J Edition | V9.2.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | T010235QP-02 |
Interstage Application Server Enterprise Edition | V9.2.0 | RHEL5(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Enterprise Edition | V9.3.1 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Enterprise Edition | V10.0.0 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Enterprise Edition | V11.0.0 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Standard-J Edition | V9.2.0 | RHEL5(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Standard-J Edition | V9.3.1 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Standard-J Edition | V10.0.0 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Standard-J Edition | V11.0.0 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Enterprise Edition | V6.0L10 | RHEL-AS3(x86)/ RHEL-ES3(x86) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V7.0L10 | RHEL-AS3(x86)/ RHEL-ES3(x86) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V7.0L11 | RHEL-AS3(x86)/ RHEL-ES3(x86)/ RHEL-AS4(x86) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V8.0.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V8.0.2 | RHEL-AS4(x86)/ RHEL-AS4(EM64T) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.0.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.1.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Enterprise Edition | V9.1.0B | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Enterprise Edition | V9.2.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Enterprise Edition | V9.3.1 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Enterprise Edition | V10.0.0 | RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Enterprise Edition | V11.0.0 | RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Plus | V7.0L10 | RHEL-AS3(x86)/ RHEL-ES3(x86) | FJSVapcst | Pending* |
Interstage Application Server Plus | V7.0L11 | RHEL-AS3(x86)/ RHEL-ES3(x86)/ RHEL-AS4(x86) | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V8.0.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T) | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V8.0.2 | RHEL-AS4(x86)/ RHEL-AS4(EM64T) | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.0.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.1.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Standard-J Edition | V9.1.0B | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Standard-J Edition | V9.2.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Standard-J Edition | V9.3.1 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Standard-J Edition | V10.0.0 | RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Standard-J Edition | V11.0.0 | RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Application Server Enterprise Edition | V6.0.0 | Solaris 7/ Solaris 8/ Solaris 9 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V7.0.0 | Solaris 8/ Solaris 9 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V7.0.1 | Solaris 8/ Solaris 9/ Solaris 10 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V8.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V8.0.2 | Solaris 9/ Solaris 10 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.0.0B | Solaris 9/ Solaris 10 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.1.0 | Solaris 9/ Solaris 10 | FJSVapcst | T010234SP-02 |
Interstage Application Server Enterprise Edition | V9.1.0B | Solaris 9/ Solaris 10 | FJSVapcst | T010234SP-02 |
Interstage Application Server Enterprise Edition | V9.2.0 | Solaris 9/ Solaris 10 | FJSVapcst | T010234SP-02 |
Interstage Application Server Enterprise Edition | V10.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | T010234SP-02 |
Interstage Application Server Enterprise Edition | V11.0.0 | Solaris 10/ Solaris 11 | FJSVapcst | T010234SP-02 |
Interstage Application Server Plus | V7.0.0 | Solaris 8/ Solaris 9 | FJSVapcst | Pending* |
Interstage Application Server Plus | V7.0.1 | Solaris 8/ Solaris 9/ Solaris 10 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V8.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V8.0.2 | Solaris 9/ Solaris 10 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.1.0 | Solaris 9/ Solaris 10 | FJSVapcst | T010234SP-02 |
Interstage Application Server Standard-J Edition | V9.1.0B | Solaris 9/ Solaris 10 | FJSVapcst | T010234SP-02 |
Interstage Application Server Standard-J Edition | V9.2.0 | Solaris 9/ Solaris 10 | FJSVapcst | T010234SP-02 |
Interstage Application Server Standard-J Edition | V10.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | T010234SP-02 |
Interstage Application Server Standard-J Edition | V11.0.0 | Solaris 10/ Solaris 11 | FJSVapcst | T010234SP-02 |
Interstage Application Server Enterprise Edition | V8.0.0 | Windows Server 2003(IPF) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.0.0 | Windows Server 2003(IPF) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.1.0 | Windows Server 2003(IPF)/ Windows Server 2008(IPF) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.2.0 | Windows Server 2003(IPF)/ Windows Server 2008(IPF) | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.0.0 | Windows Server 2003(IPF) | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.1.0 | Windows Server 2003(IPF)/ Windows Server 2008(IPF) | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.2.0 | Windows Server 2003(IPF)/ Windows Server 2008(IPF) | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.2.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008 | FJSVapcst | T010236XP-02 |
Interstage Application Server Enterprise Edition | V10.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows Server 2008 R2 | FJSVapcst | T010236XP-02 |
Interstage Application Server Enterprise Edition | V11.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows Server 2008 R2/ Windows Server 2012 | FJSVapcst | T010236XP-02 |
Interstage Application Server Standard-J Edition | V9.2.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008 | FJSVapcst | T010236XP-02 |
Interstage Application Server Standard-J Edition | V10.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows Server 2008 R2 | FJSVapcst | T010236XP-02 |
Interstage Application Server Standard-J Edition | V11.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows Server 2008 R2/ Windows Server 2012 | FJSVapcst | T010236XP-02 |
Interstage Application Server Enterprise Edition | V6.0L10 | Windows NT Server / Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V7.0L10 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V7.0L11 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V8.0.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V8.0.1 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V8.0.2 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.0.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.0.0A | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Enterprise Edition | V9.1.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | T010233WP-02 |
Interstage Application Server Enterprise Edition | V9.1.0B | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | T010233WP-02 |
Interstage Application Server Enterprise Edition | V9.2.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | T010233WP-02 |
Interstage Application Server Enterprise Edition | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | T010233WP-02 |
Interstage Application Server Enterprise Edition | V11.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Server 2012/ Windows Server 2012 R2 | FJSVapcst | T010233WP-02 |
Interstage Application Server Plus | V6.0L10 | Windows NT Server / Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Plus | V7.0L10 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Plus | V7.0L11 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Plus Developer | V6.0L10 | Windows XP/ Windows NT/ Windows 2000/ Windows Server 2003 | FJSVapcst | Pending* |
Interstage Application Server Plus Developer | V7.0L10 | Windows XP/ Windows NT/ Windows 2000/ Windows Server 2003 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V8.0.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V8.0.1 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V8.0.2 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.0.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.0.0A | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.0.0B | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | Pending* |
Interstage Application Server Standard-J Edition | V9.1.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | T010233WP-02 |
Interstage Application Server Standard-J Edition | V9.1.0B | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | T010233WP-02 |
Interstage Application Server Standard-J Edition | V9.2.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | T010233WP-02 |
Interstage Application Server Standard-J Edition | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | T010233WP-02 |
Interstage Application Server Standard-J Edition | V11.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Server 2012/ Windows Server 2012 R2 | FJSVapcst | T010233WP-02 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Apworks Modelers-J Edition | V6.0L10 | Windows 98/ Windows Me/ Windows XP/ Windows NT/ Windows 2000/ Windows Server 2003 | FJSVapcst | Pending* |
Interstage Apworks Modelers-J Edition | V6.0L10A | Windows 98/ Windows Me/ Windows XP/ Windows NT/ Windows 2000/ Windows Server 2003 | FJSVapcst | Pending* |
Interstage Apworks Modelers-J Edition | V7.0L11 | Windows 98/ Windows Me/ Windows XP/ Windows 2000/ Windows Server 2003 | FJSVapcst | Pending* |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Interaction Manager | V10.1.0 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | T010232LP-02 |
Interstage Interaction Manager | V10.1.0 | Windows Server 2008 R2/ Windows Server 2012/ Windows Server 2012 R2 | FJSVapcst | T010236XP-02 |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Studio Enterprise Edition | V8.0.1 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista | FJSVapcst | Pending* |
Interstage Studio Enterprise Edition | V9.0.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista | FJSVapcst | Pending* |
Interstage Studio Enterprise Edition | V9.1.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008 | FJSVapcst | T010233WP-02 |
Interstage Studio Enterprise Edition | V9.1.0B | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008 | FJSVapcst | T010233WP-02 |
Interstage Studio Enterprise Edition | V9.2.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008/ Windows 7 | FJSVapcst | T010233WP-02 |
Interstage Studio Standard-J Edition | V8.0.1 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista | FJSVapcst | Pending* |
Interstage Studio Standard-J Edition | V9.0.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista | FJSVapcst | Pending* |
Interstage Studio Standard-J Edition | V9.1.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008 | FJSVapcst | T010233WP-02 |
Interstage Studio Standard-J Edition | V9.1.0B | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008 | FJSVapcst | T010233WP-02 |
Interstage Studio Standard-J Edition | V9.2.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008/ Windows 7 | FJSVapcst | T010233WP-02 |
Interstage Studio Standard-J Edition | V10.0.0 | Windows XP/ Windows Server 2003/ Windows Vista/ Windows Server 2008/ Windows 7 | FJSVapcst | T010233WP-02 |
Interstage Studio Standard-J Edition | V11.0.0 | Windows XP/ Windows Server 2003/ Windows Vista/ Windows Server 2008/ Windows 7/ Windows Server 2012/ Windows 8 | FJSVapcst | T010233WP-02 |
For the Patches, please contact a Fujitsu system engineer or your partner(s).
Note: Determining the affected product
Please confirm the product version by consulting the "Software manual" supplied with the product.
3-3. Workaround
No workaround exists.
4. Related information
- CVE-2016-1182
Apache Struts 1 vulnerable to input validation bypass
JVN: http://jvn.jp/en/jp/JVN65044642/index.html
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182
5. Revision history
- June 7th, 2016: Initial release