Interstage Application Server, Interstage Apworks, Interstage Interaction Manager, Interstage Studio: Apache Commons Fileupload vulnerability causes Denial of Service (CVE-2016-3092). August 9th, 2016
1. Description
Apache Commons Fileupload contains a vulnerability which causes Denial of Service.
Not all computers are exposed to the threat of the vulnerability even if the corresponding product is installed.
There is a possibility of this vulnerability affecting the computer in which the product is installed if Struts1 is enabled and used in a Web application.
This vulnerability exists when the web application can receive multipart requests.
For the solution, please refer to "3-3. Workaround".
2. Impact
This vulnerability allows a malicious user to exhaust the Web application's CPU resources. It may result in a DoS attack against the server.
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT compatible machine, PRIMEQUEST, SPARC Enterprise, Fujitsu SPARC Servers
3-2. Affected products and required patch
| Products | Version | Target OS | Package name | Patch ID. |
|---|---|---|---|---|
| Interstage Application Server Enterprise Edition | V7.0L10 | RHEL-AS4(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.0 | RHEL-AS4(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.1 | RHEL-AS4(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.2 | RHEL-AS4(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.0.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.0.0A | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.1.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.2.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.0.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.1.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.2.0 | RHEL-AS4(IPF)/ RHEL5(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.2.0 | RHEL5(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.3.1 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V10.0.0 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V11.0.0 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.2.0 | RHEL5(Intel64) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.3.1 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V10.0.0 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V11.0.0 | RHEL5(Intel64)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V6.0L10 | RHEL-AS3(x86)/ RHEL-ES3(x86) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V7.0L10 | RHEL-AS3(x86)/ RHEL-ES3(x86) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V7.0L11 | RHEL-AS3(x86)/ RHEL-ES3(x86)/ RHEL-AS4(x86) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.2 | RHEL-AS4(x86)/ RHEL-AS4(EM64T) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.0.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.1.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.1.0B | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.2.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.3.1 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V10.0.0 | RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V11.0.0 | RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Plus | V7.0L10 | RHEL-AS3(x86)/ RHEL-ES3(x86) | FJSVapcst | None* |
| Interstage Application Server Plus | V7.0L11 | RHEL-AS3(x86)/ RHEL-ES3(x86)/ RHEL-AS4(x86) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V8.0.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V8.0.2 | RHEL-AS4(x86)/ RHEL-AS4(EM64T) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.0.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.1.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.1.0B | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.2.0 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.3.1 | RHEL-AS4(x86)/ RHEL-AS4(EM64T)/ RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V10.0.0 | RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V11.0.0 | RHEL5(x86)/ RHEL5(Intel64)/ RHEL6(x86)/ RHEL6(Intel64) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V6.0.0 | Solaris 7/ Solaris 8/ Solaris 9 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V7.0.0 | Solaris 8/ Solaris 9 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V7.0.1 | Solaris 8/ Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.2 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.0.0B | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.1.0 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.1.0B | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.2.0 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V10.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V11.0.0 | Solaris 10/ Solaris 11 | FJSVapcst | None* |
| Interstage Application Server Plus | V7.0.0 | Solaris 8/ Solaris 9 | FJSVapcst | None* |
| Interstage Application Server Plus | V7.0.1 | Solaris 8/ Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V8.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V8.0.2 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.1.0 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.1.0B | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.2.0 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V10.0.0 | Solaris 9/ Solaris 10 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V11.0.0 | Solaris 10/ Solaris 11 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.0 | Windows Server 2003(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.0.0 | Windows Server 2003(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.1.0 | Windows Server 2003(IPF)/ Windows Server 2008(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.2.0 | Windows Server 2003(IPF)/ Windows Server 2008(IPF) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.0.0 | Windows Server 2003(IPF) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.1.0 | Windows Server 2003(IPF)/ Windows Server 2008(IPF) | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.2.0 | Windows Server 2003(IPF)/ Windows Server 2008(IPF) | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.2.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V10.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows Server 2008 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V11.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows Server 2008 R2/ Windows Server 2012 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.2.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V10.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows Server 2008 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V11.0.0 | Windows(EM64T) Server 2003/ Windows(EM64T) Server 2003 R2/ Windows(EM64T) Server 2008/ Windows Server 2008 R2/ Windows Server 2012 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V6.0L10 | Windows NT Server / Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V7.0L10 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V7.0L11 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.1 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V8.0.2 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.0.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.0.0A | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.1.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.1.0B | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V9.2.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | None* |
| Interstage Application Server Enterprise Edition | V11.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Server 2012/ Windows Server 2012 R2 | FJSVapcst | None* |
| Interstage Application Server Plus | V6.0L10 | Windows NT Server / Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Plus | V7.0L10 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Plus | V7.0L11 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Plus Developer | V6.0L10 | Windows XP/ Windows NT/ Windows 2000/ Windows Server 2003 | FJSVapcst | None* |
| Interstage Application Server Plus Developer | V7.0L10 | Windows XP/ Windows NT/ Windows 2000/ Windows Server 2003 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V8.0.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V8.0.1 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V8.0.2 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.0.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.0.0A | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.0.0B | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.1.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.1.0B | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V9.2.0 | Windows 2000 Server / Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V10.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | FJSVapcst | None* |
| Interstage Application Server Standard-J Edition | V11.0.0 | Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows Server 2012/ Windows Server 2012 R2 | FJSVapcst | None* |
| Products | Version | Target OS | Package name | Patch ID. |
|---|---|---|---|---|
| Interstage Apworks Modelers-J Edition | V6.0L10 | Windows 98/ Windows Me/ Windows XP/ Windows NT/ Windows 2000/ Windows Server 2003 | FJSVapcst | None* |
| Interstage Apworks Modelers-J Edition | V6.0L10A | Windows 98/ Windows Me/ Windows XP/ Windows NT/ Windows 2000/ Windows Server 2003 | FJSVapcst | None* |
| Interstage Apworks Modelers-J Edition | V7.0L11 | Windows 98/ Windows Me/ Windows XP/ Windows 2000/ Windows Server 2003 | FJSVapcst | None* |
| Products | Version | Target OS | Package name | Patch ID. |
|---|---|---|---|---|
| Interstage Studio Enterprise Edition | V8.0.1 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista | FJSVapcst | None* |
| Interstage Studio Enterprise Edition | V9.0.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista | FJSVapcst | None* |
| Interstage Studio Enterprise Edition | V9.1.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008 | FJSVapcst | None* |
| Interstage Studio Enterprise Edition | V9.1.0B | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008 | FJSVapcst | None* |
| Interstage Studio Enterprise Edition | V9.2.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008/ Windows 7 | FJSVapcst | None* |
| Interstage Studio Standard-J Edition | V8.0.1 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista | FJSVapcst | None* |
| Interstage Studio Standard-J Edition | V9.0.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista | FJSVapcst | None* |
| Interstage Studio Standard-J Edition | V9.1.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008 | FJSVapcst | None* |
| Interstage Studio Standard-J Edition | V9.1.0B | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008 | FJSVapcst | None* |
| Interstage Studio Standard-J Edition | V9.2.0 | Windows XP/ Windows 2000/ Windows Server 2003/ Windows Vista/ Windows Server 2008/ Windows 7 | FJSVapcst | None* |
| Interstage Studio Standard-J Edition | V10.0.0 | Windows XP/ Windows Server 2003/ Windows Vista/ Windows Server 2008/ Windows 7 | FJSVapcst | None* |
| Interstage Studio Standard-J Edition | V11.0.0 | Windows XP/ Windows Server 2003/ Windows Vista/ Windows Server 2008/ Windows 7/ Windows Server 2012/ Windows 8 | FJSVapcst | None* |
For the solution, please refer to "3-3. Workaround".
Note: Determining the affected product
Please confirm the version of the product by "Software manual" appended to the product.
3-3. Workaround
- Restrict the permitted maximum size of HTTP request header values to 2048 by Interstage HTTP Server's LimitRequestFieldSize directive or by Interstage Java EE 6's buffer-size-bytes property.
- Blocking multipart requests by WAFs(Web Application Firewall) or Interstage HTTP Server's RewriteCond directive if the web application does not need multipart requests.
- Delete commons-fileupload.jar from CLASSPATH entries if the web application does not need multipart requests.
- Get commons-fileupload-1.3.2.jar from Apache Software Foundation, and set it to CLASSPATH entries instead of the old commons-fileupload.jar. Moreover, get commons-io.jar from Apache Software Foundation, and add it to CLASSPATH entries if commons-io.jar does not exist in CLASSPATH entries.
4. Related information
- CVE-2016-3092
Apache Commons FileUpload vulnerable to denial-of-service (DoS) - www-announce mailing list archives
Apache Commons Fileupload information disclosure vulnerability(Apache Software Foundation Mail Archives)
5. Revision history
- August 9th, 2016 :
- Update "3-2. Affected products and required patch".
- Add workarounds to "3-3. Workaround".
- July 7th, 2016: Initial release
