Jasmine: Multiple Vulnerabilities in WebLink template execution. March 2nd, 2009



1. Description

Buffer overflow (BOF), Denial of Service (DoS) and Cross-site scripting (XSS) vulnerabilities have been discovered in the Jasmine WebLink template execution.

Fujitsu provides the security patches listed in section 3.
Please apply them as soon as possible.

2. Impact

  • Buffer overflow vulnerability
    An internet attacker (malicious third party) who accesses a website managed by Jasmine WebLink in a particular way may execute arbitrary code or cause a Denial of Service condition.
  • Denial of Service (DoS) vulnerability
    An internet attacker (malicious third party) who accesses a website managed by Jasmine WebLink in a particular way may cause a Denial of Service condition.
  • Cross-site scripting (XSS) vulnerability
    A malicious website manager who places a web page exploiting this vulnerability on a target website managed by Jasmine WebLink may execute arbitrary code on the computer of a user who accesses that web page.
    In addition, the code may be executed as trusted code if the victim has set that site as a trusted site.
    The malicious code may:
    • Read user input
    • Read or overwrite cookies
    • Forward information to third parties

3. Affected systems and corresponding action

3-1. Affected systems:

PRIMERGY, GRANPOWER5000, PRIMEPOWER, GP7000F Series

3-2. Affected products and required patch

Jasmine
| Products | Target OS | Package name | Patch ID |
|---|---|---|---|
| Jasmine2000 Enterprise Edition for Windows | Windows 2000 Server / NT Server 4.0 | - | LFNW070806 |
| Jasmine2000 Enterprise Edition | Solaris 7 | - | LFSW070808 |


* To obtain the patches, please contact a Fujitsu system engineer or your partner(s).

3-3. Workaround

  • Buffer overflow vulnerability
    None.
  • Denial of Service (DoS) vulnerability
    None.
  • Cross-site scripting (XSS) vulnerability
    Please apply one of the following workarounds.
    • Use the < !CATCH > tag of WebLink
    • Display a customized page when a WebLink error occurs

4. Related information

None.

5. Revision history

  • March 2nd, 2009: Initial release
