
Interstage Business Process Manager Analytics: Arbitrary code execution vulnerability (CVE-2013-2248, CVE-2013-2251). November 6th, 2013



1. Description

Apache Struts2, which Interstage Business Process Manager Analytics (BPMA) uses as the base of its server component, contains an arbitrary code execution vulnerability.
This vulnerability allows an attacker to execute arbitrary code by sending a specially crafted URL to BPMA.

Fujitsu provides security patches shown in 3.
Please apply them as soon as possible.

2. Impact

An attacker who sends a specially crafted parameter in a URL to BPMA may be able to execute arbitrary code on the server.

For a severity assessment of this vulnerability, see NVD information in "4. Related information".

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, GP-S, PRIMERGY, GP5000, SPARC

3-2. Affected products and required patch

Interstage Business Process Manager Analytics
Product                                        Version  Target OS                         Package name  Patch ID
Interstage Business Process Manager Analytics  12.0     Windows Server 2003/ 2008         -             T008832WP-02
Interstage Business Process Manager Analytics  12.0     RHEL 5.x/ 6.x                     FJSVibpma     T008833LP-02
Interstage Business Process Manager Analytics  12.1     Windows Server 2003/ 2008/ 2012   -             T008834WP-02
Interstage Business Process Manager Analytics  12.1     RHEL 5.x/ 6.x                     FJSVibpma     T008835LP-02
Interstage Business Process Manager Analytics  12.1     Solaris 11                        FJSVibpma     T008837SP-02

For the Patches, please contact a Fujitsu system engineer or your partner(s).

Note: Determining the affected product

  • In Windows
    1. Click the "Start" button and select "Programs".
    2. Select the "Interstage Business Process Manager Analytics" product.
    3. Open the software instruction file.
    4. Confirm the product name and version level written at the head of the file.
  • In Linux
    1. Execute the following command in the console window: # rpm -qi FJSVibpma
    2. The product version level is displayed.
  • In Solaris
    1. Execute the following command in the console window: # pkginfo -l FJSVibpma
    2. The product version level is displayed.

3-3. Workaround

Introduce an IPS product and block the execution of URLs that include the following parameters:

action, redirect, redirectAction
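As an added illustration of the workaround above (example code written for this page, not Fujitsu's or an IPS vendor's), the following Python scans web-server access log lines and reports requests whose query string carries one of the three parameter names the advisory lists. It assumes combined log format and, as a matching rule not stated in the advisory, treats a parameter name as a hit when it equals a listed name or begins with that name followed by a colon. The log lines are constructed sample data.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names the advisory says to block in URLs sent to BPMA.
BLOCKED_PARAMS = ("action", "redirect", "redirectAction")


def blocked_params(url):
    """Return the query-parameter names in `url` that match the block list.

    Assumption (not from the advisory): a name matches when it equals a
    listed name or starts with that name followed by ':'.
    """
    query = urlsplit(url).query
    hits = []
    # keep_blank_values keeps "name" pairs that have no '=' part.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        for blocked in BLOCKED_PARAMS:
            if name == blocked or name.startswith(blocked + ":"):
                hits.append(name)
                break
    return hits


def scan_access_log(lines):
    """Return [(line_no, matched_names)] for log lines whose request URL
    carries a blocked parameter. Expects combined log format, where the
    request line ("GET /path HTTP/1.1") is the first quoted field."""
    results = []
    for n, line in enumerate(lines, 1):
        try:
            request = line.split('"')[1]
            path = request.split()[1]
        except IndexError:
            continue  # malformed line: skip rather than crash the scan
        hits = blocked_params(path)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample log lines; hosts, paths and values are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Nov/2013:10:00:01 +0900] "GET /bpma/dashboard.action?view=summary HTTP/1.1" 200 5120',
    '10.0.0.9 - - [06/Nov/2013:10:00:02 +0900] "GET /bpma/dashboard.action?redirect:/other HTTP/1.1" 302 0',
    '10.0.0.9 - - [06/Nov/2013:10:00:03 +0900] "GET /bpma/login.action?redirectAction:Index HTTP/1.1" 302 0',
    '10.0.0.7 - - [06/Nov/2013:10:00:04 +0900] "POST /bpma/report.action HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for line_no, names in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: blocked parameter(s) {names}")
```

Note that only the parameter name is inspected, never its value, so the check is cheap enough to run inline on a reverse proxy as well as offline over logs; lines 2 and 3 of the sample are reported, lines 1 and 4 are not.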

4. Related information

  1. National Vulnerability Database (NVD): CVE-2013-2248
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2248
  2. National Vulnerability Database (NVD): CVE-2013-2251
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2251

5. Revision history

  • November 6th, 2013:
    The initial patch is updated because there is an issue in the patch.
    Patch IDs of "3-2. Affected products and required patch" are updated.
  • September 4th, 2013: Initial release
