JVNDB-2015-000001

Cybozu Remote Service Manager vulnerable to denial-of-service (DoS)

Overview

Remote Service Manager contains a denial-of-service (DoS) vulnerability.

Remote Service Manager, provided by Cybozu, Inc., is software for accessing internal systems such as Cybozu products via "Cybozu Remote Service".

Note that this vulnerability results from an incomplete fix for JVN#10319260.

Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 7.1 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Complete

Affected Products

Cybozu, Inc.
  • Remote Service Manager 2.3.0 and earlier
  • Remote Service Manager 3.1.2 and earlier

According to the developer, Remote Service Manager 3.1.2 is not affected if Tomcat's server.xml is configured according to the developer's instructions.

Impact

An attacker may cause a denial-of-service (DoS) condition on a server that is running Remote Service Manager. As a result, "Cybozu Remote Service" may be disrupted.

Solution

For Remote Service Manager 3.1.2:
[Change the settings]
Change the settings file (server.xml), according to the instructions provided by the developer.

For Remote Service Manager 3.1.1 and earlier:
[Update the software and change the settings]
Apply the update and change the settings file (server.xml), according to the instructions provided by the developer.

Vendor Information

Cybozu, Inc.

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2014-7266

References

  1. JVN : JVN#13566542
  2. JVN : JVN#10319260
  3. National Vulnerability Database (NVD) : CVE-2014-7266

Revision History

  • [2015/01/30]
      Web page was published