[Japanese]

JVNDB-2017-010584

AssetView and AssetView PLATINUM contain multiple vulnerabilities

Overview

AssetView and AssetView PLATINUM provided by Hammock Corporation contain 2 vulnerabilities listed below.

* Use of Hard-coded Cryptographic Key (CWE-321) - CVE-2017-10866
* Improper Input Validation (CWE-20) - CVE-2017-10867

Muneaki Nishimura of of Recruit Technologies Co.,Ltd. RED TEAM reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2017-10866.

CVSS V3 Severity:
Base Metrics: 7.8 (High) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics: 6.0 (Medium) [IPA Score]
  • Access Vector: Local
  • Access Complexity: High
  • Authentication: Single
  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
The above CVSS base scores have been assigned for CVE-2017-10867.
Affected Products


Hammock Corporation
  • AssetView Ver.7.0.0 to Ver. 9.2.3
  • AssetView PLATINUM Ver. 1.1.0 to 6.2.2

For details, refer to the information provided by the developer.
Impact

A user who knows the cryptographic key used in the system can conduct followings:

* Perform an arbitrary operation to an arbitrary client terminal when Remote Control function is enabled - CVE-2017-10866

* Alter information that is temporarily saved on a client terminal before being sent to the server, and then execute an arbitray SQL query to the server of AssetView or the server of AssetView PLATINUM - CVE-2017-10867
Solution

[Update the Software]
Update the software to the latest version according to the information provided by the developer.

[Apply the Patch]
Apply the security patch "AssetView Encryption Module Hotfix" in the case updating the software is not an option.

For more information, refer to the information provided by the developer.
Vendor Information

Hammock Corporation
CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
  2. Use of Hard-coded Cryptographic Key(CWE-321) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-10866
  2. CVE-2017-10867
References

  1. JVN : JVNVU#91625548
Revision History

  • [2018/01/12]
      Web page was published

Date Public2017/10/16
Date First Published2018/01/12
Date Last Updated2018/01/12