[Japanese]

JVNDB-2009-001741

Hitachi Web Server Vulnerability in SSL Client Authentication

Overview

Hitachi Web Server contains a vulnerability in handling SSL client
certificates, which could allow an attacker to manipulate environment
variables and/or spoof the client to access Web servers.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


Hitachi, Ltd
  • Cosminexus Application Server Enterprise Version 6
  • Cosminexus Application Server Standard Version 6
  • Cosminexus Application Server Version 5
  • Cosminexus Developer Light Version 6
  • Cosminexus Developer Professional Version 6
  • Cosminexus Developer Standard Version 6
  • Cosminexus Developer Version 5
  • Cosminexus Server - Standard Edition Version 4
  • Cosminexus Server - Web Edition Version 4
  • Hitachi Web Server
  • Hitachi Web Server - Security Enhancement
  • uCosminexus Application Server Enterprise
  • uCosminexus Application Server Standard
  • uCosminexus Developer Professional
  • uCosminexus Developer Light
  • uCosminexus Developer Standard
  • uCosminexus Service Architect
  • uCosminexus Service Platform

Please refer to HS09-010 provided by Hitachi for more details.
Impact

An attacker could manipulate environment variables and/or spoof the
client to access Web servers by sending a fraudulent client certificate.
Solution

Please refer to the 'Vendor Information' section for the official
countermeasure and take appropriate action.
Vendor Information

Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS09-010
CWE (What is CWE?)

  1. No Mapping(CWE-noinfo) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2008-0555
References

  1. National Vulnerability Database (NVD) : CVE-2008-0555
Revision History

  • [2009/07/14]
      Web page published
    [2011/06/10]
      Affected Products : Modified Hitachi, Ltd (HS09-010).
    [2014/05/21]
      References : Contents were added