Interstage Application Server: Buffer Overflow Vulnerability(CVE-2007-6258). October 27th, 2010
1. Description
A buffer overflow vulnerability is confirmed in the Servlet Service.
2. Impact
This vulnerability may allow a remote third person to execute arbitrary code.
For a severity assessment of this vulnerability, see National Vulnerability Database information in "4. Related information".(Japanese only).
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, SPARC Enterprise, PRIMERGY, GP5000, CELSIUS, FMV series, AT compatible machines, PRIMEQUEST
3-2. Affected products and required patch
| Products | Target OS | Package name | Patch ID. |
|---|---|---|---|
| Interstage Application Server Enterprise Edition 6.0 | Solaris 7, 8, 9 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition 7.0 | Solaris 8, 9 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V9.0.0 | Solaris 9, 10 | FJSVjs5 | * |
| Interstage Application Server Standard-J Edition V8.0.0 | Solaris 9, 10 | FJSVjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.2 | Solaris 9, 10 | FJSVjs4 | * |
| Interstage Application Server Standard-J Edition V9.0.0 | Solaris 9, 10 | FJSVjs5 | * |
| Interstage Application Server Plus 7.0 | Solaris 8, 9 | FJSVjs4 | * |
| Interstage Application Server Plus 7.0.1 | Solaris 8, 9, 10 | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
| Interstage Application Server Enterprise Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
| Interstage Application Server Standard-J Edition V8.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.2 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
| Interstage Application Server Standard-J Edition V9.0.0A for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs5 | * |
| Interstage Application Server Plus V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0 | F3FMjs4 | * |
| Interstage Application Server Plus V7.0 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Plus V7.0.1 for Windows | Windows Server 2003/ Windows 2000 Server | F3FMjs4 | * |
| Interstage Application Server Plus Developer V6.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows NT Server 4.0/ Windows XP | F3FMjs4 | * |
| Interstage Application Server Plus Developer V7.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs4 | * |
| Interstage Application Server Enterprise Edition V9.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs5 | * |
| Interstage Application Server Standard-J Edition V9.0.0 for Windows | Windows Server 2003(IPF) | F3FMjs5 | * |
| Interstage Application Server Enterprise Edition V6.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V7.0.1 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | * |
| Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | * |
| Interstage Application Server Standard-J Edition V8.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
| Interstage Application Server Standard-J Edition V8.0.2 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs4 | * |
| Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL-AS4(x86)/ AS4(EM64T) | FJSVjs5 | * |
| Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL5(x86)/ RHEL5(Intel64) | FJSVjs5 | * |
| Interstage Application Server Plus V7.0 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
| Interstage Application Server Plus V7.0.1 for Linux | RHEL-AS3(x86)/ ES3(x86) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V7.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.1 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V8.0.2 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
| Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs5 | * |
| Interstage Application Server Enterprise Edition V9.0.0 for Linux | RHEL5(IPF) | FJSVjs5 | * |
| Interstage Application Server Enterprise Edition V9.0.0A for Linux | RHEL-AS4(IPF) | FJSVjs5 | * |
| Interstage Application Server Enterprise Edition V9.0.0A for Linux | RHEL5(IPF) | FJSVjs5 | * |
| Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs5 | * |
| Interstage Application Server Standard-J Edition V9.0.0 for Linux | RHEL5(IPF) | FJSVjs5 | * |
| Products | Target OS | Package name | Patch ID. |
|---|---|---|---|
| Interstage Apworks Modelers-J Edition V6.0 for Windows | Windows 2000 Server/ Windows XP | F3FMjs4 | * |
| Interstage Apworks Modelers-J Edition V6.0A for Windows | Windows 2000 Server/ Windows XP | F3FMjs4 | * |
| Interstage Apworks Modelers-J Edition V7.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
| Interstage Studio Enterprise Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
| Interstage Studio Enterprise Edition 9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | * |
| Interstage Studio Standard-J Edition 8.0.1 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP | F3FMjs4 | * |
| Interstage Studio Standard-J Edition 9.0.0 for Windows | Windows Server 2003/ Windows 2000 Server/ Windows XP/ Windows Vista | F3FMjs5 | * |
| Products | Target OS | Package name | Patch ID. |
|---|---|---|---|
| Interstage Business Application Server Enterprise Edition 8.0.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
| Products | Target OS | Package name | Patch ID. |
|---|---|---|---|
| Interstage Job Workload Server 8.1.0 for Linux | RHEL-AS4(IPF) | FJSVjs4 | * |
* For the Patches without ID nor link, please contact a Fujitsu system engineer or your partner(s).
Note: Determining the affected product
- [V6 series]
- Solaris
To see package information on the FJSVisas package, the following command can be run:
pkginfo -l FJSVisas - Windows
See the title in the Software Release Guide.
[Start]
-> [Program]
-> [Interstage]
-> [Application Server | Apworks]
-> [Software Release Guide] - Linux
To see package information on the FJSVisas package, the following command can be run:
rpm -q FJSVisas
- Solaris
- [V7 series or later]
Use the isprintvl command.
isprintvl
3-3. Workaround
None.
4. Related information
This problem corresponds to the following vulnerabilities.
- VU#771937:
Apache mod_jk2 host header buffer overflow
http://www.kb.cert.org/vuls/id/771937 - NVD-ID: CVE-2007-6258
Vulnerability Summary for CVE-2007-6258
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6258 - CVE-2007-6258
Apache mod_jk2 multiple stack-based buffer overflows vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6258
5. Revision history
- October 27th, 2010: Initial release
