JVNDB-2007-000772

Hitachi Web Server SSL Client Authentication Vulnerability

Overview

Hitachi Web Server accepts an SSL certificate sent by a client trying to connect to the server even if the certificate is fraudulent.

The vulnerability does not affect the product if the SSL client authentication feature is disabled.

CVSS Severity

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Hitachi, Ltd
  • Cosminexus Application Server Enterprise Version 6
  • Cosminexus Application Server Standard Version 6
  • Cosminexus Application Server Version 5
  • Cosminexus Developer Light Version 6
  • Cosminexus Developer Professional Version 6
  • Cosminexus Developer Standard Version 6
  • Cosminexus Developer Version 5
  • Cosminexus Server - Enterprise Edition
  • Cosminexus Server - Standard Edition
  • Cosminexus Server - Standard Edition Version 4
  • Cosminexus Server - Web Edition
  • Cosminexus Server - Web Edition Version 4
  • Hitachi Web Server
  • uCosminexus Application Server Enterprise
  • uCosminexus Application Server Standard
  • uCosminexus Developer Professional
  • uCosminexus Developer Light
  • uCosminexus Developer Standard
  • uCosminexus Service Architect
  • uCosminexus Service Platform

Please refer to HS07-034 provided by Hitachi for more details.
Impact

An attacker could gain access by presenting a fraudulent client certificate.
Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.
Vendor Information

Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS07-034
CWE

  1. Improper Input Validation (CWE-20) [NVD Evaluation]
CVE

  1. CVE-2007-5810
  2. CVE-2006-4339
References

  1. National Vulnerability Database (NVD) : CVE-2007-5810
  2. National Vulnerability Database (NVD) : CVE-2006-4339
  3. Secunia Advisory : SA27421
  4. ISS X-Force Database : 28755
  5. FrSIRT Advisories : FrSIRT/ADV-2007-3666
Revision History

  • [2008/05/21]
      Web page published
  • [2014/05/23]
      References : Contents were added