JVNDB-2006-000992

Multiple Vulnerabilities Concerning Hitachi Web Server

Overview

Hitachi Web Server has vulnerabilities listed below:

1. A vulnerability in OpenSSL that allows the SSL protocol version to be rolled back when SSL is in use.

2. Cross-site scripting vulnerability in content generated automatically by Hitachi Web Server.

3. Cross-site scripting vulnerability due to inadequate processing of the Expect header.

CVSS Severity

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Hitachi, Ltd
  • Cosminexus Application Server Enterprise Version 6
  • Cosminexus Application Server Standard Version 6
  • Cosminexus Application Server Version 5
  • Cosminexus Developer Light Version 6
  • Cosminexus Developer Professional Version 6
  • Cosminexus Developer Standard Version 6
  • Cosminexus Developer Version 5
  • Cosminexus Server - Enterprise Edition
  • Cosminexus Server - Standard Edition
  • Cosminexus Server - Standard Edition Version 4
  • Cosminexus Server - Web Edition
  • Cosminexus Server - Web Edition Version 4
  • Hitachi Web Server
  • Hitachi Web Server - Custom Edition
  • Hitachi Web Server - Security Enhancement
  • Hitachi Web Server for VOS3
  • uCosminexus Application Server Enterprise
  • uCosminexus Application Server Smart Edition
  • uCosminexus Application Server Standard
  • uCosminexus Developer Professional
  • uCosminexus Developer Light
  • uCosminexus Developer Standard
  • uCosminexus Service Architect
  • uCosminexus Service Platform

Please refer to HS06-022 provided by Hitachi for more details.

Impact

1. When SSL is in use, an attacker could tamper with the protocol negotiation and force the use of SSL version 2.

2. and 3. An attacker could inject a malicious script.

Solution

Please refer to the 'Vendor Information' section for the official countermeasures and take appropriate action.

Vendor Information

Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS06-022

CWE

  1. Cross-site Scripting (CWE-79) [IPA Evaluation]
  2. No Mapping (CWE-noinfo) [IPA Evaluation]

CVE

  1. CVE-2005-2969
  2. CVE-2005-3352
  3. CVE-2006-3918
  4. CVE-2007-0514

References

  1. National Vulnerability Database (NVD) : CVE-2005-2969
  2. National Vulnerability Database (NVD) : CVE-2005-3352
  3. National Vulnerability Database (NVD) : CVE-2006-3918
  4. National Vulnerability Database (NVD) : CVE-2007-0514
  5. JVN iPedia (Japanese) : JVNDB-2006-000992

Revision History

  • [2009/02/04] Web page published
  • [2014/05/22] References : Contents were added