JVNDB-2023-000052

[Japanese]
JVNDB-2023-000052
DataSpider Servista uses a hard-coded cryptographic key
Overview
DataSpider Servista provided by SAISON INFORMATION SYSTEMS CO.,LTD. is a data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users (CWE-321). Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: Low Integrity Impact: None Availability Impact: None CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score] Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
Affected Products

SAISON INFORMATION SYSTEMS CO.,LTD. DataSpider Servista version 4.4 and earlier
The developer states that some of DataSpider Servista's OEM products are affected by this vulnerability. For information on the affected products and the versions, refer to the vendors' advisories from "Vendor Status" of this JVN advisory.
Impact
An attacker, who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, may perform operations using the user privilege encrypted in the file.
Solution
[Apply the patch and follow the additional procedure] Apply the patch module and follow the necessary procedure to reconfigure Launch settings file. For more information, refer to documentation provided by the developer.
Vendor Information
WingArc1st Inc. WingArc1st Inc. : Dr.Sum Connect 5.1 (in Japanese, login required) WingArc1st Inc. : Dr.Sum Connect 5.6 (in Japanese, login required) WingArc1st Inc. : Dr.Sum Connect 5.6.44 (in Japanese, login required) SAISON INFORMATION SYSTEMS CO.,LTD. SAISON INFORMATION SYSTEMS : Regarding the vulnerability in ScriptRunner and ScriptRunner for Amazon SQS in DataSpider Servista SAISON INFORMATION SYSTEMS : Regarding the HULFT8 Script Options ScriptRunner containing a vulnerability JustSystems Corporation JustSystems Corporation : Regarding the vulnerability in ScriptRunner in Actionista! ETL option (in Japanese) TerraSky Co., Ltd. TerraSky Co., Ltd. : Regarding the vulnerability in ScriptRunner and ScriptRunner for Amazon SQS in DCSpide (in Japanese)
CWE (What is CWE?)
No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)
CVE-2023-28937
References
JVN : JVN#38222042 National Vulnerability Database (NVD) : CVE-2023-28937
Revision History
[2023/05/31] Web page was published [2023/06/13] Affected Products : Content was added Vendor Information : Contents were added [2024/03/18] References : Content was added


Date Public	2023/05/31
Date First Published	2023/05/31
Date Last Updated	2024/03/19

DataSpider Servista uses a hard-coded cryptographic key