JVNDB-2023-000077

Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext

Overview

Fujitsu Software Infrastructure Manager (ISM) V2.8.0.060, provided by Fujitsu Limited, stores the password for the proxy server in cleartext in the product's maintenance data (ismsnap) (CWE-312) when all of the following conditions are met:

  • A proxy server that requires authentication is used for the connection from ISM to the internet
  • The user ID and/or the password for the proxy server contains a "\" (backslash) character
  • The product's firmware download function is enabled (*)

(*) This function is provided for the Europe Region and is disabled by default.


Fujitsu Limited reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Fujitsu Limited coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 5.9 (Medium) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

CVSS V2 Severity:
Base Metrics 1.5 (Low) [IPA Score]
  • Access Vector: Local
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

FUJITSU
  • FUJITSU Software Infrastructure Manager Advanced Edition V2.8.0.060
  • FUJITSU Software Infrastructure Manager Advanced Edition for PRIMEFLEX V2.8.0.060
  • FUJITSU Software Infrastructure Manager Essential Edition V2.8.0.060

Impact

The password for the proxy server that is configured in ISM may be retrieved from the maintenance data.

Solution

[Apply the Patch]
Apply the patch according to the information provided by the developer.
The developer has released V2.8.0.061 to fix this vulnerability.

[Apply the Workarounds]
Applying the following workarounds may mitigate the impact of this vulnerability.
  • Use a user ID and a password for the proxy server that do not include the "\" (backslash) character when downloading firmware
  • Store the maintenance data in a trusted location, and delete it when it is no longer needed
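
The second workaround depends on knowing whether a given maintenance bundle actually carries the credential. The following script is an added example, not code from Fujitsu, JPCERT/CC or the ISM product: it checks the advisory's trigger condition (a backslash in the proxy user ID or password) and scans a maintenance archive for the configured password before the archive leaves a trusted location. The archive layout, the file names under `ismsnap/` and the escaped forms it looks for are assumptions; the sample bundle is constructed in the script so it runs offline.

```python
"""Pre-share check for a maintenance bundle: does it contain the proxy credential in cleartext?"""
import io
import tarfile
from urllib.parse import quote


def credential_has_backslash(user_id: str, password: str) -> bool:
    """Workaround check: the advisory's trigger condition is a backslash in either value."""
    return "\\" in user_id or "\\" in password


def secret_variants(secret: str) -> set:
    """Forms in which a secret may appear verbatim in a dump.

    Assumed forms (raw, backslash-doubled, percent-encoded); the advisory does not
    state how ismsnap serialises the value, so this is a defensive superset.
    """
    return {secret, secret.replace("\\", "\\\\"), quote(secret, safe="")}


def scan_bundle(tar_bytes: bytes, secrets: list) -> list:
    """Return (member name, matched form) for every file member containing a secret."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            # Decode leniently: binary members simply will not match.
            text = fh.read().decode("utf-8", errors="replace")
            for secret in secrets:
                for variant in secret_variants(secret):
                    if variant and variant in text:
                        hits.append((member.name, variant))
    return hits


def build_constructed_bundle(proxy_password: str) -> bytes:
    """Constructed sample bundle standing in for ismsnap output; file names are made up."""
    files = {
        "ismsnap/proxy.conf": (
            "proxy_host=proxy.example.test\n"
            "proxy_user=svc\\fw\n"
            f"proxy_pass={proxy_password}\n"
        ),
        "ismsnap/system.log": "2023-08-04 firmware download function enabled\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    user, pw = "svc\\fw", "p\\ss"  # constructed credential that meets the trigger condition
    if credential_has_backslash(user, pw):
        print("proxy credential contains a backslash: workaround condition applies")
    for name, form in scan_bundle(build_constructed_bundle(pw), [pw]):
        print(f"cleartext credential in {name}: matched form {form!r}")
```

Run it against a real bundle by replacing `build_constructed_bundle(pw)` with the bytes of the archive and supplying the actual proxy password; a non-empty result means the archive must not be shared outside the trusted location, or must be regenerated after applying V2.8.0.061.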

Vendor Information

FUJITSU

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2023-39379

References

  1. JVN : JVN#38847224
  2. National Vulnerability Database (NVD) : CVE-2023-39379

Revision History

  • [2023/08/04] Web page was published
  • [2024/04/03] References: content was added