JVNDB-2010-001519

Improper Authentication Vulnerability in Handling of Revoked Certificate in Hitachi Web Server SSL Client Authentication

Overview

SSL client authentication in Hitachi Web Server has a vulnerability that allows an attacker to access a Hitachi Web Server using client certificates registered in the Certificate Revocation List (CRL).
This vulnerability does not apply if SSL or SSL client authentication is not in use. The vulnerability does affect the Cosminexus products bundled with Hitachi Web Server.

CVSS Severity

CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

Hitachi, Ltd
  • Hitachi Web Server
  • Hitachi Web Server - Security Enhancement

Impact

A remote attacker could access a Hitachi Web Server using client certificates registered in the CRL.

Solution

Please refer to the 'Vendor Information' section for the official countermeasure and take appropriate action.

Vendor Information

Hitachi, Ltd
  • Hitachi Software Vulnerability Information: HS10-009

CWE

  1. Improper Authentication (CWE-287) [IPA Evaluation]

CVE

References

Revision History

  • [2010/6/22]
      Web page published