Interstage Application Server: Others Information Disclosure Vulnerability (CVE-2008-4308). February 26th, 2009


1. Description

An information disclosure vulnerability has been confirmed in the Servlet Service based on Tomcat 5.5. The content of a request posted to a web application running on a vulnerable system may be disclosed to a third party.

Fujitsu provides the security patches shown in section 3.
Please apply them as soon as possible.

2. Impact

A remote third party may obtain information included in another user's request data, for example a password, session ID or user ID.

3. Affected systems and corresponding action

3-1. Affected systems:

PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machine

3-2. Affected products and required patch

Interstage Application Server

| Products | Target OS | Package name | Patch ID |
|---|---|---|---|
| Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003, 2000 Server | F3FMjs5 | * |
| Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003, 2000 Server | F3FMjs5 | * |
| Interstage Application Server Enterprise Edition V9.0.0A for Windows | Windows Server 2003, 2000 Server | F3FMjs5 | * |
| Interstage Application Server Standard-J Edition V9.0.0A for Windows | Windows Server 2003, 2000 Server | F3FMjs5 | * |

Interstage Studio

| Products | Target OS | Package name | Patch ID |
|---|---|---|---|
| Interstage Studio Enterprise Edition V9.0.0 for Windows | Windows Server 2003, 2000 Server, XP, Vista | F3FMjs5 | * |
| Interstage Studio Standard-J Edition V9.0.0 for Windows | Windows Server 2003, 2000 Server, XP, Vista | F3FMjs5 | * |


* For the patches, please contact a Fujitsu system engineer or your partner(s).


Note: Determining the affected product
How to determine whether a product is affected depends on the product, version and level. See the software guide or manual of your product.

3-3. Workaround

None.

4. Related information

This problem corresponds to a vulnerability in Apache Tomcat (JVN#66905322 / CVE-2008-4308).

5. Revision history

  • February 26th, 2009 : Initial release
