[Japanese]

JVNDB-2017-000076

Multiple JustSystems products including Hanako may insecurely load Dynamic Link Libraries

Overview

Hanako and multiple software suites containing Hanako provided by JustSystems Corporation contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries.

Eiji James Yoshida of Security Professionals Network Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


JustSystems Corporation
  • JUST Government 3
  • JUST Office 3 [Standard]
  • JUST Office 3 [Eco Print Package]
  • JUST Office 3 & Tri-De DataProtect Package
  • JUST Police 3
  • Just Jump Class 2
  • Just School 6 Premium
  • Just Frontier 3
  • Hanako 2017
  • Hanako 2016
  • Hanako 2015
  • Hanako 2017 trial version
  • Hanako Police 5
  • Hanako Pro 3

For details, refer to the information provided by the developer.
Impact

Arbitrary code may be executed with the privileges of the user running the application.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

JustSystems Corporation
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-2154
References

  1. JVN : JVN#54268888
  2. National Vulnerability Database (NVD) : CVE-2017-2154
Revision History

  • [2017/04/20]
      Web page was published
    [2017/06/01]
      References : Content was added

Date Public2017/04/20
Date First Published2017/04/20
Date Last Updated2017/06/01