Denial of service (DoS) and cross-site scripting (XSS) vulnerabilities in Interstage HTTP Server June 5th, 2006
1. Background and Detected problem(s)
The following 3 security vulnerabilities were discovered in the Interstage HTTP Server included in Interstage Application Server and Interstage Apworks.
1) Denial of service (DoS) vulnerability in operation using SSL.
2) Cross-site scripting vulnerability when using the image map function.
   This vulnerability corresponds to CVE-2005-3352.
3) Denial of service (DoS) and arbitrary code execution vulnerabilities in the online collation function.
   This vulnerability corresponds to CVE-2006-0150.
Fujitsu provides the security patches listed in section 3.
Please apply them as soon as possible.
2. Method to temporarily avoid the problem
None.
3. Corresponding systems and patch information
Corresponding systems: GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, FMV, PRIMEQUEST
Products | Target OS | Package name | Patch ID |
---|---|---|---|
Interstage Application Server Enterprise Edition V5.0 for Windows | Windows | F3FMihs | TP08431 |
Interstage Application Server Standard Edition V5.0 for Windows | Windows | F3FMihs | TP08431 |
Interstage Application Server Web-J Edition V5.0 for Windows | Windows | F3FMihs | TP08431 |
Interstage Application Server Plus V5.0.1 for Windows | Windows | F3FMihs | - |
Interstage Application Server Plus Developer V5.0.1 for Windows | Windows | F3FMihs | - |
Interstage Application Server Enterprise Edition V6.0 for Windows | Windows | F3FMihs | - |
Interstage Application Server Plus V6.0 for Windows | Windows | F3FMihs | - |
Interstage Application Server Plus Developer V6.0 for Windows | Windows | F3FMihs | - |
Interstage Application Server Enterprise Edition V7.0 for Windows | Windows | F3FMihs | TP38431 |
Interstage Application Server Plus V7.0 for Windows | Windows | F3FMihs | TP38431 |
Interstage Application Server Plus Developer V7.0 for Windows | Windows | F3FMihs | TP38431 |
Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows | F3FMihs | TP38431 |
Interstage Application Server Plus V7.0.1 for Windows | Windows | F3FMihs | TP38431 |
Interstage Apworks Modelers-J Edition V6.0 for Windows | Windows | F3FMihs | - |
Interstage Apworks Modelers-J Edition V6.0A for Windows | Windows | F3FMihs | - |
Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows | F3FMihs | TP38431 |
Interstage Application Server Enterprise Edition 5.0 | Solaris | FJSVihs | 912327-08 |
Interstage Application Server Standard Edition 5.0 | Solaris | FJSVihs | 912327-08 |
Interstage Application Server Web-J Edition 5.0 | Solaris | FJSVihs | 912327-08 |
Interstage Application Server Enterprise Edition 5.0.1 | Solaris | FJSVihs | - |
Interstage Application Server Enterprise Edition 6.0 | Solaris | FJSVihs | - |
Interstage Application Server Enterprise Edition 7.0 | Solaris | FJSVihs | T013RS-03 |
Interstage Application Server Plus 7.0 | Solaris | FJSVihs | T013RS-03 |
Interstage Application Server Enterprise Edition 7.0.1 | Solaris | FJSVihs | T023AS-01 |
Interstage Application Server Plus 7.0.1 | Solaris | FJSVihs | T023AS-01 |
Interstage Application Server Enterprise Edition V5.0 * | Turbolinux 7 Server | FJSVihs | T00019-07 |
Interstage Application Server Standard Edition V5.0 * | Turbolinux 7 Server | FJSVihs | T00019-07 |
Interstage Application Server Web-J Edition V5.0 * | Turbolinux 7 Server | FJSVihs | T00019-07 |
Interstage Application Server Enterprise Edition V6.0 * | RHEL-AS3(x86)/ES3(x86) | FJSVihs | - |
Interstage Application Server Enterprise Edition V7.0 | RHEL-AS4(IPF) | FJSVihs | - |
Interstage Application Server Enterprise Edition V7.0 | RHEL-AS3(x86)/ES3(x86) | FJSVihs | T00603-02 |
Interstage Application Server Plus V7.0 | RHEL-AS3(x86)/ES3(x86) | FJSVihs | T00603-02 |
Interstage Application Server Enterprise Edition V7.0.1 | RHEL-AS3(x86)/ES3(x86)/AS4(x86) | FJSVihs | T00603-02 |
Interstage Application Server Plus V7.0.1 | RHEL-AS3(x86)/ES3(x86)/AS4(x86) | FJSVihs | T00603-02 |
Note) The products marked with * are not affected by vulnerability 3), because the online collation function is not supported on them.
For patches without an ID or link, please contact a Fujitsu system engineer.
4. Revision history
- June 5th, 2006 : Initial release