[Japanese]

JVNDB-2014-000053

JustSystems Online Update Program bundled with JustSystems products vulnerable to arbitrary code execution

Overview

"JUST Online Update" and "JUST Online Update for J-License and the management tools" that are bundled with multiple JustSystems products contain a flaw that allows the update program to be executed even if the signature of an update module is invalid.
Please note that this is a flaw in the online update program, not a flaw in each software itself.
CVSS Severity (What is CVSS?)

Base Metrics: 7.6 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete

Affected Products

All the products that bundle the following update program are affected.

JustSystems Corporation
  • JUST Online Update (for an individual user)
  • JUST Online Update for J-License and management tools (for a corporate user)

A wide range of products are affected. For more information, please refer to the developer's web site.
Impact

If a user execute a crafted update module, arbitrary code may be executed.
Solution

[Apply the Update]
Update "JUST Online Update" and "JUST Online Update for J-License and management tools" according to the information provided by the developer.

For more information, please refer to the developer's website.
Vendor Information

JustSystems Corporation
CWE (What is CWE?)

  1. No Mapping(CWE-noinfo) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-2003
References

  1. JVN : JVN#50129191
  2. National Vulnerability Database (NVD) : CVE-2014-2003
  3. IPA SECURITY ALERTS : About arbitrary code execution vulnerability of JustSystems Online Update Program bundled with JustSystems products (JVN#50129191) (in Japanese)
Revision History

[2014/06/11]
  Web page was published
[2014/06/17]
  References : Content was added