Interstage Business Process Manager Analytics: Vulnerability of arbitrary code Executing (CVE-2013-2248, CVE-2013-2251). November 6th, 2013

Notes on using this web page

1. Description

There is a vulnerability of the arbitrary code executing in Apache Struts2 that Interstage Business Process Manager Analytics(BPMA) uses as a base of the server section.
This vulnerability allows an attacker to execute an arbitrary code by giving a specific URL to BPMA.

Fujitsu provides security patches shown in 3.
Please apply them as soon as possible.

2. Impact

The attacker gives a specific parameter to URL of BPMA, and there is a possibility of executing the arbitrary code on the server.

For a severity assessment of this vulnerability, see NVD information in "4. Related information".

3. Affected systems and corresponding action

3-1. Affected systems:


3-2. Affected products and required patch

Interstage Business Process Manager Analytics
ProductsVersionTarget OSPackage namePatch ID.
Interstage Business Process Manager Analytics12.0Windows Server 2003/ 2008-T008832WP-02
Interstage Business Process Manager Analytics12.0RHEL 5.x/ 6.xFJSVibpmaT008833LP-02
Interstage Business Process Manager Analytics12.1Windows Server 2003/ 2008/ 2012-T008834WP-02
Interstage Business Process Manager Analytics12.1RHEL 5.x/ 6.xFJSVibpmaT008835LP-02
Interstage Business Process Manager Analytics12.1Solaris 11FJSVibpmaT008837SP-02

For the Patches, please contact a Fujitsu system engineer or your partner(s).

Note: Determining the affected product

  • In Windows
    1. Click the "Start" button and select "Programs".
    2. Select the "Interstage Business Process Manager Analytics" product.
    3. Open the software instruction file.
    4. Confirm the product name and version level written at the head of the file.
  • In Linux
    1. Execute the following command in the console window: #rpm -qi FJSVibpma
    2. The product version level is displayed.
  • In Solaris
    1. Execute the following command in the console window: #pkginfo -l FJSVibpma
    2. The product version level is displayed.

3-3. Workaround

The IPS product is introduced and the Executing of URL including the following parameters is prohibited.

action, redirect, redirectAction

4. Related information

  1. National Vulnerability Database (NVD): CVE-2013-2248
  2. National Vulnerability Database (NVD): CVE-2013-2251

5. Revision history

  • November 6th, 2013:
    The initial patch is updated because there is an issue in the patch.
    Patch IDs of "3-2. Affected products and required patch" are updated.
  • September 4th, 2013: Initial release

Top of Page