JVNDB-2007-001091

Cosminexus Application Server Incorrect Group Permission Handling Vulnerability

Overview

When a logical J2EE server or logical user server is started from Cosminexus Manager in Cosminexus Application Server, Cosminexus Manager may assign the wrong user's group permissions to an activated server process.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.6 (Medium) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Hitachi, Ltd
  • Cosminexus Application Server Standard Version 6
  • Cosminexus Application Server Enterprise Version 6
  • uCosminexus Application Server Standard
  • uCosminexus Application Server Enterprise
  • uCosminexus Service Platform
  • Electronic Form Workflow Standard Set
  • Electronic Form Workflow Professional Library Set

Impact

An attacker could exploit this vulnerability to obtain group permissions belonging to other users, which the attacker is not authorized to hold.

Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.

Vendor Information

Hitachi, Ltd
  • Hitachi Software Vulnerability Information: HS07-025

CWE

  1. Permissions (CWE-264) [NVD Evaluation]

CVE

  1. CVE-2007-4564

References

  1. National Vulnerability Database (NVD) : CVE-2007-4564
  2. Secunia Advisory : SA26589
  3. SecurityFocus : 25434
  4. ISS X-Force Database : 36245

Revision History

  • [2008/05/21]
      Web page published