JRE reflection APIs vulnerability February 17th, 2006

This bulletin provides security information about problems reported to CERT/CC (the coordination center) or detected by Fujitsu's own examination as of the published date.

Products developed by third parties may be included as subject products. Information about such third party products may be exactly the same as provided by the respective third party.

The contents of this bulletin are provided "AS IS" without warranties of any kind, either express or implied (including, without limitation, any implied warranty of merchantability, fitness for a particular purpose and non-infringement). In no event shall Fujitsu be liable for any direct, indirect, special, incidental, consequential, punitive, or any other damages of any kind, including, without limitation, loss of profits and loss of data incurred by a customer arising out of, or in connection with, the use or non-use of any information in this bulletin, even if Fujitsu has been advised of the possibility of such damages.

The information contained in this bulletin will be updated from time to time without notice. Therefore, all customers are advised to always ascertain the latest information. In case of redistribution of this security bulletin, the full text of this statement shall be reproduced.


[Outline]
Problem: JRE reflection APIs vulnerability
Manufacturer: Fujitsu Limited
Corresponding products: Interstage Application Server / Interstage Apworks / Systemwalker Centric Manager / NetCOBOL (for more detail, see 5.)
Corresponding systems: GP7000F, PRIMEPOWER, PRIMERGY, FMV

Impact: The use of reflection APIs in the Java(TM) Runtime Environment may independently allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
Method to temporarily avoid the problem: There is no workaround for this issue unless you download and install all appropriate patches. To prevent this vulnerability from being used to exploit your system, never download untrusted applets via the Internet.
Patch: Some

1. Background

The use of reflection APIs in the Java(TM) Runtime Environment, included in the products described above (Corresponding products), may independently allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

The affected releases are as follows:
JRE1.3.0 to 1.3.0_04
JRE1.3.1 to 1.3.1_16
JRE1.4.0 to 1.4.0_04
JRE1.4.1 to 1.4.1_07
JRE1.4.2 to 1.4.2_09
JRE5.0 to 5.0 Update 5


This problem is announced as Sun Alert 102003 and Sun Alert 102171.
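Before deciding which hosts need the patches from section 5, an administrator has to compare each installed JRE against the ranges listed above. The following is an added example of that check (it is not a Fujitsu tool and not part of the bulletin). It parses the version string printed on the first line of `java -version`, maps it onto the bulletin's ranges, and triages a small inventory. It assumes that Java 5.0 Update N is reported by the runtime as `1.5.0_N`, which is how Sun's 5.0 releases identify themselves; the tab-separated inventory format, the host names and the version values in `SAMPLE_INVENTORY` are constructed for the example.

```python
import re

# Affected JRE ranges as listed in the bulletin, keyed by the "1.x.y" family
# that `java -version` reports, with the highest affected update number.
# Assumption: Java 5.0 reports itself as 1.5.0, so "5.0 Update 5" is 1.5.0_05.
AFFECTED_MAX_UPDATE = {
    (1, 3, 0): 4,    # JRE 1.3.0 to 1.3.0_04
    (1, 3, 1): 16,   # JRE 1.3.1 to 1.3.1_16
    (1, 4, 0): 4,    # JRE 1.4.0 to 1.4.0_04
    (1, 4, 1): 7,    # JRE 1.4.1 to 1.4.1_07
    (1, 4, 2): 9,    # JRE 1.4.2 to 1.4.2_09
    (1, 5, 0): 5,    # JRE 5.0 to 5.0 Update 5
}

# Matches "1.4.2", "1.4.2_09" and "1.4.2_09-b05"; a trailing "-..." build tag is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$")


def parse_version(version):
    """Return ((major, minor, micro), update) for a JRE version string.

    A release with no "_NN" suffix (e.g. the initial 1.3.1) is update 0.
    """
    m = _VERSION_RE.match(version.strip().strip('"'))
    if not m:
        raise ValueError("unrecognised JRE version string: %r" % version)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro)), int(update or 0)


def classify(version):
    """Return 'affected', 'fixed' (same family, later update) or 'not listed'.

    'not listed' means the family does not appear in the bulletin at all, so
    the bulletin says nothing about it either way.
    """
    family, update = parse_version(version)
    if family not in AFFECTED_MAX_UPDATE:
        return "not listed"
    return "affected" if update <= AFFECTED_MAX_UPDATE[family] else "fixed"


# First line of `java -version` output looks like: java version "1.4.2_08"
_JAVA_VERSION_LINE = re.compile(r'java version "([^"]+)"')


def version_from_java_output(text):
    """Extract the quoted version from `java -version` output."""
    m = _JAVA_VERSION_LINE.search(text)
    if not m:
        raise ValueError("no 'java version' line found")
    return m.group(1)


def triage_inventory(lines):
    """lines: 'hostname<TAB>first line of java -version'. Returns {host: status}."""
    result = {}
    for line in lines:
        if not line.strip():
            continue
        host, _, output = line.partition("\t")
        result[host] = classify(version_from_java_output(output))
    return result


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = """\
ws-01\tjava version "1.4.2_08"
ws-02\tjava version "1.4.2_10"
ws-03\tjava version "1.5.0_05"
ws-04\tjava version "1.5.0_06-b05"
ws-05\tjava version "1.3.1"
ws-06\tjava version "1.6.0"
"""

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY.splitlines()).items()):
        print(host, status)
```

The check is deliberately an interval test per family rather than a single "older than X" comparison, because the bulletin fixes each 1.3/1.4/5.0 line separately: a 1.4.1_07 host is affected even though 1.4.2_10 is fixed. A host reported as "not listed" still needs to be judged against the product-level patch table in section 5, since the bulletin only enumerates the JRE releases shipped with the listed Fujitsu products.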


2. Range of corresponding system(s)

Corresponding command/file | Products | Target OS
Web browser (Java applet) | See 5. | See 5.
java | See 5. | See 5.


This problem can occur in the following situation:
- When a user has enabled Java applets and has unrestricted access to Web servers (as in a Web client).

3. Detected problem(s)

The use of reflection APIs in the Java(TM) Runtime Environment may independently allow an untrusted applet to elevate its privileges.


4. Method to temporarily avoid the problem

There is no workaround for this issue unless you download and install all appropriate patches. To prevent this vulnerability from being used to exploit your system, never download untrusted applets via the Internet.


5. Patch information

Affected products
Products | Target OS | Package name | Patch ID
Interstage Application Server Plus Developer V7.0 | Windows | - | *
Interstage Apworks Client Runtime Package V7.0 | Windows | - | *
Interstage Apworks Modelers-J Edition V7.0 | Windows | - | *
Interstage Application Server Enterprise Edition V7.0 Client Package | Windows | - | *
Interstage Application Server Enterprise Edition V7.0.1 Client Package | Windows | - | *
Interstage Application Server Plus V7.0 Client Package | Windows | - | *
Interstage Application Server Plus V7.0.1 Client Package | Windows | - | *
Solaris Interstage Application Server Enterprise Edition 7.0 Client Package | Windows | - | *
Solaris Interstage Application Server Enterprise Edition 7.0.1 Client Package | Windows | - | *
Solaris Interstage Application Server Plus 7.0 Client Package | Windows | - | *
Solaris Interstage Application Server Plus 7.0.1 Client Package | Windows | - | *
Linux Interstage Application Server Enterprise Edition V7.0 Client Package | Windows | - | *
Linux Interstage Application Server Plus V7.0 Client Package | Windows | - | *
Linux64 Interstage Application Server Enterprise Edition V7.0 Client Package | Windows | - | *
Interstage Application Server Plus Developer V6.0 | Windows | - | *
Interstage Apworks Client Runtime Package V6.0 | Windows | - | *
Interstage Apworks Modelers-J Edition V6.0L10 | Windows | - | *
Interstage Apworks Modelers-J Edition V6.0L10A | Windows | - | *
Interstage Application Server Enterprise Edition V6.0 Client Package | Windows | - | *
Interstage Application Server Plus V6.0 Client Package | Windows | - | *
Solaris Interstage Application Server Enterprise Edition 6.0 Client Package | Windows | - | *
Linux Interstage Application Server Enterprise Edition V6.0 Client Package | Windows | - | *
Interstage Apworks Client Runtime Package V5.0.1 | Windows | - | *
Interstage Application Server Plus Developer V5.0.1 | Windows | - | *
Interstage Application Server Plus V5.0.1 Client Package | Windows | - | *
Solaris Interstage Application Server Enterprise Edition 5.0.1 Client Package | Windows | - | *
Interstage Apworks V5.0 | Windows | - | *
Interstage Apworks Client Runtime Package V5.0 | Windows | - | *
Interstage Application Server Enterprise Edition V5.0 Client Package | Windows | - | *
Interstage Application Server Standard Edition V5.0 Client Package | Windows | - | *
Solaris Interstage Application Server Standard Edition 5.0 Client Package | Windows | - | *
Linux Interstage Application Server Enterprise Edition V5.0 Client Package | Windows | - | *
Linux Interstage Application Server Standard Edition V5.0 Client Package | Windows | - | *
HP-UX INTERSTAGE Application Server Standard Edition 4.1 Client Package | Windows | - | *
Linux INTERSTAGE Application Server Enterprise Edition 4.1 Client Package | Windows | - | *
Linux INTERSTAGE Application Server Standard Edition 4.1 Client Package | Windows | - | *
APWORKS Client Runtime Package V4.0 | Windows | - | *
INTERSTAGE APWORKS V4.0 | Windows | - | *
INTERSTAGE Application Server Enterprise Edition V4.0 Client Package | Windows | - | *
INTERSTAGE Application Server Standard Edition V4.0 Client Package | Windows | - | *
Solaris INTERSTAGE Application Server Enterprise Edition 4.0 Client Package | Windows | - | *
Solaris INTERSTAGE Application Server Standard Edition 4.0 Client Package | Windows | - | *
Interstage Application Server Enterprise Edition V7.0 | Windows | - | *
Interstage Application Server Enterprise Edition V7.0.1 | Windows | - | *
Interstage Application Server Plus V7.0 | Windows | - | *
Interstage Application Server Plus V7.0.1 | Windows | - | *
Interstage Application Server Enterprise Edition V6.0 | Windows | - | *
Interstage Application Server Plus V6.0 | Windows | - | *
Interstage Application Server Plus V5.0.1 | Windows | - | *
Interstage Application Server Enterprise Edition V5.0 | Windows | - | *
Interstage Application Server Standard Edition V5.0 | Windows | - | *
Interstage Application Server Web-J Edition V5.0 | Windows | - | *
INTERSTAGE Application Server Enterprise Edition V4.0 | Windows | - | *
INTERSTAGE Application Server Standard Edition V4.0 | Windows | - | *
INTERSTAGE Application Server Web-J Edition V4.0 | Windows | - | *
INTERSTAGE Application Server Enterprise Edition V3.0 | Windows | - | *
INTERSTAGE Application Server Standard Edition V3.0 | Windows | - | *
Interstage Application Server Enterprise Edition 7.0 | Solaris | - | *
Interstage Application Server Enterprise Edition 7.0.1 | Solaris | - | *
Interstage Application Server Plus 7.0 | Solaris | - | *
Interstage Application Server Plus 7.0.1 | Solaris | - | *
Interstage Application Server Enterprise Edition 6.0 | Solaris | - | *
Interstage Application Server Standard Edition 5.0 | Solaris | - | *
Interstage Application Server Web-J Edition 5.0 | Solaris | - | *
Interstage Application Server Enterprise Edition 5.0.1 | Solaris | - | *
INTERSTAGE Application Server Enterprise Edition 4.0 | Solaris | - | *
INTERSTAGE Application Server Standard Edition 4.0 | Solaris | - | *
INTERSTAGE Application Server Web-J Edition 4.0 | Solaris | - | *
INTERSTAGE Application Server Enterprise Edition 3.0 | Solaris | - | *
INTERSTAGE Application Server Standard Edition 3.0 | Solaris | - | *
Systemwalker Centric Manager Global Enterprise Edition 11.0 | Solaris | - | *
Interstage Application Server Enterprise Edition V7.0 | RHEL-AS3/RHEL-ES3 | - | *
Interstage Application Server Plus V7.0 | RHEL-AS3/RHEL-ES3 | - | *
Interstage Application Server Enterprise Edition V6.0 | RHEL-AS3/RHEL-ES3 | - | *
Interstage Application Server Enterprise Edition V5.0 | Turbolinux | - | *
Interstage Application Server Standard Edition V5.0 | Turbolinux | - | *
Interstage Application Server Web-J Edition V5.0 | Turbolinux | - | *
INTERSTAGE Application Server Enterprise Edition 4.1 | Turbolinux | - | *
INTERSTAGE Application Server Standard Edition 4.1 | Turbolinux | - | *
INTERSTAGE Application Server Web-J Edition 4.1 | Turbolinux | - | *
NetCOBOL for Linux V7.0L10 | Red Hat Linux 7 | - | *
Interstage Application Server Enterprise Edition V7.0 | RHEL-AS4(IPF) | - | *


* For patches without an ID or link, please contact a Fujitsu system engineer or your partner(s).

Products that require affected products
Products that require affected products | Target OS | Affected products
Interstage Portalworks V5.0 for Linux | Linux | Interstage Application Server Enterprise Edition V5.0 or Interstage Application Server Standard Edition V5.0 or Interstage Application Server Web-J Edition V5.0
Interstage Portalworks V5.0.1 for Linux | Linux | Interstage Application Server Enterprise Edition V5.0 or Interstage Application Server Standard Edition V5.0 or Interstage Application Server Web-J Edition V5.0
Interstage Portalworks V6.0 for Linux | Linux | Interstage Application Server Enterprise Edition V6.0
Interstage Shunsaku Data Manager Enterprise Edition V7.0L10 | Linux | Interstage Application Server Plus V7.0L10
Interstage CollaborationRing Business Connector 6.0 | Solaris | Interstage Application Server Enterprise Edition 5.0.1
Interstage CollaborationRing Process Manager 6.0 | Solaris | Interstage Application Server Standard Edition 5.0 or Interstage Application Server Enterprise Edition 5.0.1
INTERSTAGE CollaborationRing PM 4.0 | Solaris | INTERSTAGE Application Server Standard Edition 4.0 or INTERSTAGE Application Server Enterprise Edition 4.0
Interstage CollaborationRing PM 5.0 | Solaris | Interstage Application Server Standard Edition 5.0 or Interstage Application Server Enterprise Edition 5.0.1
INTERSTAGE CollaborationRing TPM 4.0 | Solaris | INTERSTAGE Application Server Enterprise Edition 4.0
Interstage CollaborationRing TPM 5.0 | Solaris | Interstage Application Server Enterprise Edition 5.0.1
Interstage Contentwiz 5.0 for Solaris | Solaris | Interstage Application Server Standard Edition 5.0 or Interstage Application Server Enterprise Edition 5.0
Interstage List Manager Enterprise Edition 7.0 | Solaris | Interstage Application Server Enterprise Edition 6.0
Interstage List Manager Standard Edition 7.0 | Solaris | Interstage Application Server Enterprise Edition 6.0
INTERSTAGE PortalWorks 4.0 | Solaris | INTERSTAGE Application Server Enterprise Edition 4.0 or INTERSTAGE Application Server Standard Edition 4.0 or INTERSTAGE Application Server Web-J Edition 4.0
Interstage Portalworks 5.0 | Solaris | Interstage Application Server Enterprise Edition 5.0.1 or Interstage Application Server Standard Edition 5.0 or Interstage Application Server Web-J Edition 5.0
Interstage Portalworks 5.0.1 | Solaris | Interstage Application Server Enterprise Edition 5.0.1
Interstage Portalworks 6.0 | Solaris | Interstage Application Server Enterprise Edition 6.0
INTERSTAGE PortalWorks ContentWiz 4.0 | Solaris | INTERSTAGE Application Server Standard Edition 4.0 or INTERSTAGE Application Server Web-J Edition 4.0
Interstage Shunsaku Data Manager Enterprise Edition 7.0 | Solaris | Interstage Application Server Plus 7.0
Interstage Business Process Manager Enterprise Edition V7.0 for Windows | Windows | Interstage Application Server Enterprise Edition V7.0 or Interstage Application Server Plus V7.0
Interstage CollaborationRing Business Connector V6.0 for Windows | Windows | Interstage Application Server Enterprise Edition V5.0
Interstage CollaborationRing Process Manager V6.0 for Windows | Windows | Interstage Application Server Standard Edition V5.0 or Interstage Application Server Enterprise Edition V5.0
INTERSTAGE CollaborationRing PM V4.0 for Windows | Windows | INTERSTAGE Application Server Standard Edition V4.0 or INTERSTAGE Application Server Enterprise Edition V4.0
Interstage CollaborationRing PM V5.0 for Windows | Windows | Interstage Application Server Standard Edition V5.0 or Interstage Application Server Enterprise Edition V5.0
INTERSTAGE CollaborationRing TPM V4.0 for Windows | Windows | INTERSTAGE Application Enterprise Edition V4.0
Interstage CollaborationRing TPM V5.0 for Windows | Windows | Interstage Application Server Enterprise Edition V5.0
Interstage Contentbiz V6.0 for Windows | Windows | Interstage Application Server Enterprise Edition V6.0 or Interstage Application Server Plus V6.0
Interstage Contentbiz V6.1 for Windows | Windows | Interstage Application Server Enterprise Edition V6.0 or Interstage Application Server Plus V6.0
Interstage Contentbiz V7.0 for Windows | Windows | Interstage Application Server Enterprise Edition V7.0 or Interstage Application Server Plus V7.0
Interstage Contentwiz V5.0 for Windows | Windows | Interstage Application Server Standard Edition V5.0 or Interstage Application Server Enterprise Edition V5.0
INTERSTAGE PortalWorks V4.0 for Windows | Windows | INTERSTAGE Application Server Enterprise Edition V4.0, INTERSTAGE Application Server Standard Edition V4.0 or INTERSTAGE Application Server Web-J Edition V4.0
Interstage Portalworks V5.0 for Windows V5.0 | Windows | Interstage Application Server Enterprise Edition V5.0, Interstage Application Server Standard Edition V5.0 or Interstage Application Server Web-J Edition V5.0
Interstage Portalworks V5.0 for Windows V5.0.1 | Windows | Interstage Application Server Enterprise Edition V5.0, Interstage Application Server Standard Edition V5.0, Interstage Application Server Web-J Edition V5.0 or Interstage Application Server Plus V5.0.1
Interstage Portalworks V6.0 for Windows | Windows | Interstage Application Server Enterprise Edition V6.0 or Interstage Application Server Plus V6.0
INTERSTAGE PortalWorks ContentWiz V4.0 | Windows | INTERSTAGE Application Server Standard Edition V4.0 or INTERSTAGE Application Server Web-J Edition V4.0
Interstage Shunsaku Data Manager Enterprise Edition V7.0L10 | Windows | Interstage Application Server Plus V7.0L10
Interstage XWand Manager V7.0 for Windows (Server) | Windows | Interstage Application Server Enterprise Edition V7.0 or Interstage Application Server Plus V7.0

Please apply appropriate patches, described above, to your affected products as soon as they are available.


6. Revision history

  • February 17th, 2006 : Modified products in "5. Patch information"
    Modified information of "1. Background"
  • January 26th, 2006 : Modified "5. Patch information"
  • January 13th, 2006 : Added patch in "5. Patch information"
    Added products in "5. Patch information" and "Corresponding products"
  • December 22nd, 2005 : Added products and "Products that require affected products" in "5. Patch information" and "Corresponding products"
  • December 19th, 2005 : Added products in "5. Patch information"
  • December 13th, 2005 : Initial release
