JVNDB-2023-000052

DataSpider Servista uses a hard-coded cryptographic key

Overview

DataSpider Servista, provided by SAISON INFORMATION SYSTEMS CO.,LTD., is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the processes configured on DataSpider Servista.
A cryptographic key that is common to all users is embedded in ScriptRunner and ScriptRunner for Amazon SQS (CWE-321).

Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products
SAISON INFORMATION SYSTEMS CO.,LTD.
  • DataSpider Servista version 4.4 and earlier

The developer states that some OEM products based on DataSpider Servista are also affected by this vulnerability. For the affected products and versions, refer to the vendors' advisories linked under "Vendor Status" in this JVN advisory.
Impact

An attacker who gains access to a target DataSpider Servista instance and obtains a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS may perform operations with the user privilege encrypted in that file.
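To make the weakness and the remedy concrete, here is an added Python illustration (not DataSpider's code; the toy cipher, file names and key layout are assumptions chosen for demonstration): a settings file sealed under a key shared by every copy of the launcher opens on any other copy, whereas a key generated per installation and kept outside the file does not transfer.

```python
import hashlib, hmac, os, secrets, struct, tempfile

# Vulnerable pattern (CWE-321): one key baked into the launcher, identical for every installation.
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed placeholder

def _keystream(key, nonce, length):
    # Toy HMAC-SHA256 counter-mode keystream; stands in for a real AEAD such as AES-GCM.
    blocks = [hmac.new(key, b"enc" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    # Returns nonce || ciphertext || tag (encrypt-then-MAC, separate "enc"/"mac" input domains).
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    # Returns the plaintext, or None when the key does not match (tag check fails).
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def per_install_key(path):
    # Hardened pattern: a random key generated once per installation, kept outside the settings
    # file and readable only by the service account (mode 0600); never shipped inside the binary.
    if not os.path.exists(path):
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(secrets.token_bytes(32))
    with open(path, "rb") as f:
        return f.read()

def demo():
    creds = b"user=svc_runner;password=constructed-example"  # constructed settings content
    with tempfile.TemporaryDirectory() as d:
        key_a = per_install_key(os.path.join(d, "a.key"))
        key_b = per_install_key(os.path.join(d, "b.key"))
    # A settings file sealed under the shared key opens on any other copy of the launcher...
    shared_readable = open_sealed(HARDCODED_KEY, seal(HARDCODED_KEY, creds)) == creds
    # ...while one sealed under install A's key is unreadable to someone holding only install B's.
    foreign_readable = open_sealed(key_b, seal(key_a, creds)) is not None
    return shared_readable, foreign_readable
```

This is why the fix requires both the patch and reconfiguring the Launch Settings file: files sealed under the old shared key must be re-sealed under a key that is unique to the installation.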
Solution

[Apply the patch and follow the additional procedure]
Apply the patch module and follow the required procedure to reconfigure the Launch Settings file.
For more information, refer to documentation provided by the developer.
Vendor Information

  • WingArc1st Inc.
  • SAISON INFORMATION SYSTEMS CO.,LTD.
  • JustSystems Corporation
  • TerraSky Co., Ltd.
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2023-28937
References

  1. JVN : JVN#38222042
  2. National Vulnerability Database (NVD) : CVE-2023-28937
Revision History

  • [2023/05/31]
      Web page was published
  • [2023/06/13]
      Affected Products : Content was added
      Vendor Information : Contents were added
  • [2024/03/18]
      References : Content was added