Two Security Vulnerabilities in Interstage HTTP Server (CVE-2009-3094/ CVE-2009-3095). December 10th, 2010



1. Description

Interstage Application Server and Interstage Studio are affected by the following security vulnerabilities:

  1. A vulnerability leading to Denial of Service (DoS) was confirmed in the FTP proxy function of Interstage HTTP Server. This vulnerability corresponds to CVE-2009-3094.
  2. A vulnerability that allows arbitrary FTP commands to be sent to the FTP server was confirmed in the FTP proxy function of Interstage HTTP Server. This vulnerability corresponds to CVE-2009-3095.

Fujitsu provides the security patches listed in section 3.
Please apply them as soon as possible.

2. Impact

  1. A crafted request sent by a remote attacker, which makes the FTP proxy process a malformed reply from an FTP server, might cause Denial of Service (DoS) of Interstage HTTP Server.
  2. A crafted request sent by a remote attacker might cause arbitrary FTP commands to be executed on the FTP server behind the proxy.

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, AT-compatible machine, PRIMEQUEST, SPARC Enterprise

3-2. Affected products and required patch

Interstage Application Server
Products | Version | Target OS | Package name | Patch ID
Interstage Application Server Enterprise Edition for Windows [*a *b] | V9.0.0/ V9.0.0A | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 | F3FMihs | T001001WP-05
Interstage Application Server Enterprise Edition for Windows [*a *b] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-03
Interstage Application Server Enterprise Edition for Windows [*a *b] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-02
Interstage Application Server Standard-J Edition for Windows [*a *b] | V9.0.0/ V9.0.0A/ V9.0.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2 | F3FMihs | T001001WP-05
Interstage Application Server Standard-J Edition for Windows [*a *b] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008 | F3FMihs | T002174WP-03
Interstage Application Server Standard-J Edition for Windows [*a *b] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2 | F3FMihs | T004344WP-02
Interstage Application Server Enterprise Edition for Windows [*a *b] | V9.0.0 | Windows Server 2003(IPF)/ Windows Server 2003 R2(IPF) | F3FMihs | T001005IP-04
Interstage Application Server Enterprise Edition for Windows [*a *b] | V9.1.0 | Windows Server 2003(IPF)/ Windows Server 2003 R2(IPF)/ Windows Server 2008(IPF) | F3FMihs | T002175IP-03
Interstage Application Server Enterprise Edition for Windows [*a *b] | V9.2.0 | Windows Server 2003(IPF)/ Windows Server 2003 R2(IPF)/ Windows Server 2008(IPF) | F3FMihs | T004345IP-02
Interstage Application Server Standard-J Edition for Windows [*a *b] | V9.0.0 | Windows Server 2003(IPF)/ Windows Server 2003 R2(IPF) | F3FMihs | T001005IP-04
Interstage Application Server Standard-J Edition for Windows [*a *b] | V9.1.0 | Windows Server 2003(IPF)/ Windows Server 2003 R2(IPF)/ Windows Server 2008(IPF) | F3FMihs | T002175IP-03
Interstage Application Server Standard-J Edition for Windows [*a *b] | V9.2.0 | Windows Server 2003(IPF)/ Windows Server 2003 R2(IPF)/ Windows Server 2008(IPF) | F3FMihs | T004345IP-02
Interstage Application Server Enterprise Edition for Windows [*a *b] | V9.2.0 | Windows Server 2003(EM64T)/ Windows Server 2003 R2(EM64T)/ Windows Server 2008(EM64T)/ Windows Server 2008 R2(EM64T) | F3FMihs | T004346XP-02
Interstage Application Server Standard-J Edition for Windows [*a *b] | V9.2.0 | Windows Server 2003(EM64T)/ Windows Server 2003 R2(EM64T)/ Windows Server 2008(EM64T)/ Windows Server 2008 R2(EM64T) | F3FMihs | T004346XP-02
Interstage Application Server Enterprise Edition [*b] | V9.0.0/ V9.0.0B | Solaris 9/ 10 | FJSVihs | T001004SP-06
Interstage Application Server Enterprise Edition [*b] | V9.1.0/ V9.1.0B | Solaris 9/ 10 | FJSVihs | T002180SP-04
Interstage Application Server Enterprise Edition [*b] | V9.2.0 | Solaris 9/ 10 | FJSVihs | T004343SP-02
Interstage Application Server Standard-J Edition [*b] | V9.0.0 | Solaris 9/ 10 | FJSVihs | T001004SP-06
Interstage Application Server Standard-J Edition [*b] | V9.1.0/ V9.1.0B | Solaris 9/ 10 | FJSVihs | T002180SP-04
Interstage Application Server Standard-J Edition [*b] | V9.2.0 | Solaris 9/ 10 | FJSVihs | T004343SP-02
Interstage Application Server Enterprise Edition for Linux [*b] | V9.0.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T001003LP-04
Interstage Application Server Enterprise Edition for Linux [*b] | V9.1.0/ V9.1.0B | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-03
Interstage Application Server Enterprise Edition for Linux [*b] | V9.2.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T004338LP-02
Interstage Application Server Standard-J Edition for Linux [*b] | V9.0.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T001003LP-04
Interstage Application Server Standard-J Edition for Linux [*b] | V9.1.0/ V9.1.0B | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T002176LP-03
Interstage Application Server Standard-J Edition for Linux [*b] | V9.2.0 | RHEL-AS4(x86)/ AS4(EM64T) | FJSVihs | T004338LP-02
Interstage Application Server Enterprise Edition for Linux [*b] | V9.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T001044LP-04
Interstage Application Server Enterprise Edition for Linux [*b] | V9.1.0/ V9.1.0B | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-03
Interstage Application Server Enterprise Edition for Linux [*b] | V9.2.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-02
Interstage Application Server Standard-J Edition for Linux [*b] | V9.0.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T001044LP-04
Interstage Application Server Standard-J Edition for Linux [*b] | V9.1.0/ V9.1.0B | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T002177LP-03
Interstage Application Server Standard-J Edition for Linux [*b] | V9.2.0 | RHEL5(x86)/ RHEL5(Intel64) | FJSVihs | T004339LP-02
Interstage Application Server Enterprise Edition for Linux [*b] | V9.0.0/ V9.0.0A | RHEL-AS4(IPF) | FJSVihs | T001002QP-04
Interstage Application Server Enterprise Edition for Linux [*b] | V9.1.0 | RHEL-AS4(IPF) | FJSVihs | T002178QP-03
Interstage Application Server Enterprise Edition for Linux [*b] | V9.2.0 | RHEL-AS4(IPF) | FJSVihs | T004340QP-02
Interstage Application Server Standard-J Edition for Linux [*b] | V9.0.0 | RHEL-AS4(IPF) | FJSVihs | T001002QP-04
Interstage Application Server Standard-J Edition for Linux [*b] | V9.1.0 | RHEL-AS4(IPF) | FJSVihs | T002178QP-03
Interstage Application Server Standard-J Edition for Linux [*b] | V9.2.0 | RHEL-AS4(IPF) | FJSVihs | T004340QP-02
Interstage Application Server Enterprise Edition for Linux [*b] | V9.0.0/ V9.0.0A | RHEL5(IPF) | FJSVihs | T001043QP-04
Interstage Application Server Enterprise Edition for Linux [*b] | V9.1.0 | RHEL5(IPF) | FJSVihs | T002179QP-03
Interstage Application Server Enterprise Edition for Linux [*b] | V9.2.0 | RHEL5(IPF) | FJSVihs | T004341QP-02
Interstage Application Server Standard-J Edition for Linux [*b] | V9.0.0 | RHEL5(IPF) | FJSVihs | T001043QP-04
Interstage Application Server Standard-J Edition for Linux [*b] | V9.1.0 | RHEL5(IPF) | FJSVihs | T002179QP-03
Interstage Application Server Standard-J Edition for Linux [*b] | V9.2.0 | RHEL5(IPF) | FJSVihs | T004341QP-02
Interstage Application Server Enterprise Edition for Linux [*b] | V9.2.0 | RHEL5(Intel64) | FJSVihs | T004342LP-02
Interstage Application Server Standard-J Edition for Linux [*b] | V9.2.0 | RHEL5(Intel64) | FJSVihs | T004342LP-02
Interstage Studio
Products | Version | Target OS | Package name | Patch ID
Interstage Studio Enterprise Edition for Windows [*a *b] | V9.0.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista | F3FMihs | T001001WP-05
Interstage Studio Enterprise Edition for Windows [*a *b] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista | F3FMihs | T002174WP-03
Interstage Studio Enterprise Edition for Windows [*a *b] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T004344WP-02
Interstage Studio Standard-J Edition for Windows [*a *b] | V9.0.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows XP/ Windows Vista | F3FMihs | T001001WP-05
Interstage Studio Standard-J Edition for Windows [*a *b] | V9.1.0/ V9.1.0B | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows XP/ Windows Vista | F3FMihs | T002174WP-03
Interstage Studio Standard-J Edition for Windows [*a *b] | V9.2.0 | Windows 2000 Server/ Windows Server 2003/ Windows Server 2003 R2/ Windows Server 2008/ Windows Server 2008 R2/ Windows XP/ Windows Vista/ Windows 7 | F3FMihs | T004344WP-02

[*a] Affected by CVE-2009-3094
[*b] Affected by CVE-2009-3095

Note: Determining whether your product is affected
To check the installed software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product, and compare it against the Version column above.

3-3. Workaround

None.

4. Related information

  1. CVE-2009-3094
    The ap_proxy_ftp_handler function in modules/proxy/proxy_ftp.c in the mod_proxy_ftp module in the Apache HTTP Server 2.0.63 and 2.2.13 allows remote FTP servers to cause a denial of service (NULL pointer dereference and child process crash) via a malformed reply to an EPSV command.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3094
  2. CVE-2009-3095
    The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11.
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3095
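The following is an added illustration of the two weaknesses described in items 1 and 2 above; it is not Fujitsu's or the Apache HTTP Server's code. parse_epsv_reply models the check a proxy needs on a 229 reply before using the announced data port (item 1: a reply with no port field must be refused, not dereferenced), and ftp_login_commands models how the Basic credentials from the Authorization header end up in the FTP USER/PASS commands, with strict=False reproducing the command injection of item 2 and strict=True rejecting it. The function names, the sample replies and the credentials are constructed for this example; the "|" delimiter in the EPSV reply and the control-character check are assumptions about the protocol in general, not a description of the patched Interstage code.

```python
import base64
import re

# Constructed sample replies to an EPSV command (RFC 2428). The first is
# well-formed; the others are the kind of malformed reply a hostile FTP
# server can send to a proxy that trusts the reply format.
EPSV_REPLIES = [
    b"229 Entering Extended Passive Mode (|||49152|)\r\n",
    b"229 Entering Extended Passive Mode\r\n",              # no "(|||port|)" field
    b"229 Entering Extended Passive Mode (|||abc|)\r\n",    # non-numeric port
    b"229 Entering Extended Passive Mode (|||70000|)\r\n",  # port out of range
    b"425 Can't open data connection.\r\n",                 # not a 229 reply
]

# Assumes the "|" delimiter, which is what servers use in practice.
_EPSV_PORT = re.compile(rb"\(\|\|\|(\d{1,5})\|\)")


def parse_epsv_reply(reply: bytes):
    """Return the data port announced in a 229 EPSV reply, or None.

    Every path that would otherwise touch a missing field returns None, so
    the caller can fail the request instead of dereferencing nothing.
    """
    if not reply.startswith(b"229"):
        return None
    m = _EPSV_PORT.search(reply)
    if m is None:
        return None
    port = int(m.group(1))
    return port if 1 <= port <= 65535 else None


def decode_basic_auth(header: str):
    """Split 'Basic <base64>' into (user, password); None if not usable."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def ftp_login_commands(auth_header: str, strict: bool) -> bytes:
    """Build the USER/PASS stream a proxy sends to the origin FTP server.

    strict=False copies the credentials verbatim, so a CR/LF inside them
    terminates PASS early and whatever follows is read as a new command.
    strict=True refuses any control character before building the stream.
    """
    creds = decode_basic_auth(auth_header)
    if creds is None:
        raise ValueError("missing or malformed Basic credentials")
    user, password = creds
    if strict:
        for field in (user, password):
            if any(ord(c) < 0x20 or ord(c) == 0x7F for c in field):
                raise ValueError("control character in FTP credentials")
    return b"USER %s\r\nPASS %s\r\n" % (user.encode("latin-1"),
                                          password.encode("latin-1"))


def make_basic_header(user: str, password: str) -> str:
    """Encode credentials the way a client builds the Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1"))
    return "Basic " + token.decode("ascii")


if __name__ == "__main__":
    for reply in EPSV_REPLIES:
        print(reply.strip(), "->", parse_epsv_reply(reply))
    # Constructed credentials with an injected DELE command in the password.
    hostile = make_basic_header("alice", "secret\r\nDELE important.txt")
    print(ftp_login_commands(hostile, strict=False))
    try:
        ftp_login_commands(hostile, strict=True)
    except ValueError as exc:
        print("rejected:", exc)
```

With strict=False the hostile header yields the stream USER alice / PASS secret / DELE important.txt, which the FTP server reads as three commands under whatever access the proxy's own connection has; the proxy's URL-level access restrictions never see the third one. The strict branch rejects the request before any FTP traffic is sent, which is the behaviour the patches in section 3 are meant to provide.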

5. Revision history

  • December 10th, 2010: Initial release
