JVNDB-2022-000027

Hammock AssetView missing authentication for critical functions

AssetView provided by Hammock Corporation misses authentication for some critical functions (CWE-306) on the managing server.

Denis Faiustov, Ruslan Sayfiev of GMO Cyber Security by IERAE reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Hammock Corporation

• AssetView prior to Ver.13.2.0

According to the developer, AssetView CLOUD is not affected by this vulnerability.

With some knowledge on the system configuration, a remote attacker may upload a crafted configuration file to the managing server, which results in the managed clients to execute arbitrary code with the administrative privilege.

[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released a patch listed below that contains a fix for this vulnerability.

• AssetView Server Communication module Hotfix

According to the developer, patch for the versions prior to Ver.11.0.0 will not be released as the versions are no longer supported.
Therefore, update to Ver.11.0.0 or later, and then apply the patch.

For more information, refer to the information provided by the developer(Text in Japanese).

Hammock Corporation

• HAMMOCK : JVN#54857505 : AssetView Server Communication Module of Vulnerability (Text in Japanese)
• HAMMOCK : AssetView Server Communication Module Hotfix (JVN#54857505) (Text in Japanese, login required)

1. Improper Authentication(CWE-287) [IPA Evaluation]

1. CVE-2022-28719

1. JVN : JVN#54857505

• [2022/04/22]
    Web page was published