Denial of service (DoS) and cross-site scripting (XSS) vulnerabilities in Interstage HTTP Server June 5th, 2006

1. Background and Detected problem(s)

The following 3 security vulnerabilities were discovered in the Interstage HTTP Server included in Interstage Application Server and Interstage Apworks.

Denial of service (DoS) vulnerability in operation using SSL.
Cross-site scripting vulnerability when using the image map function.
This vulnerability corresponds to CVE-2005-3352.
Denial of service (DoS) and arbitrary code execution vulnerabilities in the online collation function.
This vulnerability corresponds to CVE-2006-0150.

Fujitsu provides security patches shown in 3.
Please apply them as soon as possible.

2. Method to temporarily avoid the problem

None.

3. Corresponding system and Patch information

Corresponding system : GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, FMV, PRIMEQUEST

Products	Target OS	Package name	Patch ID.
Interstage Application Server Enterprise Edition V5.0 for Windows	Windows	F3FMihs	TP08431
Interstage Application Server Standard Edition V5.0 for Windows	Windows	F3FMihs	TP08431
Interstage Application Server Web-J Edition V5.0 for Windows	Windows	F3FMihs	TP08431
Interstage Application Server Plus V5.0.1 for Windows	Windows	F3FMihs	-
Interstage Application Server Plus Developer V5.0.1 for Windows	Windows	F3FMihs	-
Interstage Application Server Enterprise Edition V6.0 for Windows	Windows	F3FMihs	-
Interstage Application Server Plus V6.0 for Windows	Windows	F3FMihs	-
Interstage Application Server Plus Developer V6.0 for Windows	Windows	F3FMihs	-
Interstage Application Server Enterprise Edition V7.0 for Windows	Windows	F3FMihs	TP38431
Interstage Application Server Plus V7.0 for Windows	Windows	F3FMihs	TP38431
Interstage Application Server Plus Developer V7.0 for Windows	Windows	F3FMihs	TP38431
Interstage Application Server Enterprise Edition V7.0.1 for Windows	Windows	F3FMihs	TP38431
Interstage Application Server Plus V7.0.1 for Windows	Windows	F3FMihs	TP38431
Interstage Apworks Modelers-J Edition V6.0 for Windows	Windows	F3FMihs	-
Interstage Apworks Modelers-J Edition V6.0A for Windows	Windows	F3FMihs	-
Interstage Apworks Modelers-J Edition V7.0 for Windows	Windows	F3FMihs	TP38431
Interstage Application Server Enterprise Edition 5.0	Solaris	FJSVihs	912327-08
Interstage Application Server Standard Edition 5.0	Solaris	FJSVihs	912327-08
Interstage Application Server Web-J Edition 5.0	Solaris	FJSVihs	912327-08
Interstage Application Server Enterprise Edition 5.0.1	Solaris	FJSVihs	-
Interstage Application Server Enterprise Edition 6.0	Solaris	FJSVihs	-
Interstage Application Server Enterprise Edition 7.0	Solaris	FJSVihs	T013RS-03
Interstage Application Server Plus 7.0	Solaris	FJSVihs	T013RS-03
Interstage Application Server Enterprise Edition 7.0.1	Solaris	FJSVihs	T023AS-01
Interstage Application Server Plus 7.0.1	Solaris	FJSVihs	T023AS-01
Interstage Application Server Enterprise Edition V5.0 *	Turbolinux 7 Server	FJSVihs	T00019-07
Interstage Application Server Standard Edition V5.0 *	Turbolinux 7 Server	FJSVihs	T00019-07
Interstage Application Server Web-J Edition V5.0 *	Turbolinux 7 Server	FJSVihs	T00019-07
Interstage Application Server Enterprise Edition V6.0 *	RHEL-AS3(x86)/ES3(x86)	FJSVihs	-
Interstage Application Server Enterprise Edition V7.0	RHEL-AS4(IPF)	FJSVihs	-
Interstage Application Server Enterprise Edition V7.0	RHEL-AS3(x86)/ES3(x86)	FJSVihs	T00603-02
Interstage Application Server Plus V7.0	RHEL-AS3(x86)/ES3(x86)	FJSVihs	T00603-02
Interstage Application Server Enterprise Edition V7.0.1	RHEL-AS3(x86)/ES3(x86)/AS4(x86)	FJSVihs	T00603-02
Interstage Application Server Plus V7.0.1	RHEL-AS3(x86)/ES3(x86)/AS4(x86)	FJSVihs	T00603-02

Note) The products described with * are not vulnerable to 3), because online collation function is not supported.
For the Patches without ID or link, please contact a Fujitsu system engineer.

4. Revision history

June 5th, 2006 : Initial release