JVNDB-2007-001133

Cosminexus Component Container Session Handling Vulnerability

Overview

The session failover function in Cosminexus Component Container may fail to handle session information properly and allow one user's session data to be used as another user's session data.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.9 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Hitachi, Ltd
  • Cosminexus Application Server Enterprise Version 6
  • Cosminexus Application Server Standard Version 6
  • Cosminexus Collaboration Server
  • Cosminexus Component Container
  • Cosminexus Developer Standard Version 6
  • Cosminexus Developer Professional Version 6
  • Cosminexus Developer Light Version 6
  • Cosminexus ERP Integrator
  • Cosminexus/OpenTP1 Web Front-end Set
  • Groupmax Collaboration Server
  • uCosminexus Application Server Enterprise
  • uCosminexus Application Server Standard
  • uCosminexus Collaboration Server
  • uCosminexus Developer Standard
  • uCosminexus Developer Professional
  • uCosminexus Developer Light
  • uCosminexus ERP Integrator
  • uCosminexus Service Platform
  • uCosminexus Service Architect
  • uCosminexus/OpenTP1 Web Front-end Set
  • Electronic Form Workflow Standard Set
  • Electronic Form Workflow Professional Library Set
  • Electronic Form Workflow Developer Client Set

Impact

A remote attacker could gain unauthorized access to other users' sessions and obtain sensitive information.
Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.
Vendor Information

Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS07-024
CWE

CVE

  1. CVE-2007-4124
References

  1. National Vulnerability Database (NVD) : CVE-2007-4124
  2. Secunia Advisory : SA26250
  3. SecurityFocus : 25145
  4. ISS X-Force Database : 35706
  5. FrSIRT Advisories : FrSIRT/ADV-2007-2725
Revision History

  • [2008/05/21]
      Web page published