Hitachi Incident Response Team

Acknowledgments

Last Update: September 05, 2017

HIRT thanks the following for working with us on vulnerability handling and incident response:

August 24, 2017

Thanks to Ketankumar Godhani for reporting this vulnerability.

Title:    Clickjacking issue on Web login application.
CVSS:     CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N
          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Ref.:     OWASP: Clickjacking
Timeline: June 20, 2017: HIRT receives a report about this vulnerability.
          August 22, 2017: HIRT notifies the reporter of a fix for this vulnerability.
          August 24, 2017: Acknowledgment publicly disclosed.

May 29, 2017

Thanks to Piotr Domirski and Marcin Woloszyn (ING Services Polska) for reporting this vulnerability.

Title:    Hitachi Command Suite 8 - Remote Execution of Internal Commands via RMI w/o Authentication
CVE:      CVE-2017-9294
CVSS:     CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:      CWE-285: Improper Authorization (2.9)
          CWE-306: Missing Authentication for Critical Function (2.9)
Timeline: January 05, 2017: HIRT receives a report about this vulnerability.
          January 05, 2017: HIRT asks for a technical description of the vulnerability.
          January 06, 2017: HIRT receives technical details.
          February 28, 2017: HIRT notifies the reporter of a fix schedule for this vulnerability.
          April 24, 2017: HIRT notifies the reporter of a change to the fix schedule.
          May 26, 2017: HIRT notifies the reporter of a fix for this vulnerability.
          May 29, 2017: HIRT sends a CVE ID request.
          May 29, 2017: Hitachi releases an advisory and announces a patch.
          http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
          May 29, 2017: Acknowledgment publicly disclosed.
          May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Piotr Domirski (ING Services Polska) for reporting this vulnerability.

Title:    Hitachi Command Suite 8 - External XML Entity
CVE:      CVE-2017-9295
CVSS:     CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N
          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE:      CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
Ref.:     OWASP: XML External Entity (XXE) Processing
          NII Consulting: Server side request forgery
Timeline: January 05, 2017: HIRT receives a report about this vulnerability.
          January 05, 2017: HIRT asks for a technical description of the vulnerability.
          January 06, 2017: HIRT receives technical details.
          February 28, 2017: HIRT notifies the reporter of a fix schedule for this vulnerability.
          April 24, 2017: HIRT notifies the reporter of a change to the fix schedule.
          May 26, 2017: HIRT notifies the reporter of a fix for this vulnerability.
          May 29, 2017: HIRT sends a CVE ID request.
          May 29, 2017: Hitachi releases an advisory and announces a patch.
          http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
          May 29, 2017: Acknowledgment publicly disclosed.
          May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.

Title:    Hitachi Command Suite 8 Replication Manager - XML External Entity
CVE:      CVE-2017-9295
CVSS:     CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N
          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE:      CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
Ref.:     OWASP: XML External Entity (XXE) Processing
          NII Consulting: Server side request forgery
Timeline: January 05, 2017: HIRT receives a report about this vulnerability.
          January 05, 2017: HIRT asks for a technical description of the vulnerability.
          January 06, 2017: HIRT receives technical details.
          February 28, 2017: HIRT notifies the reporter of a fix schedule for this vulnerability.
          April 24, 2017: HIRT notifies the reporter of a change to the fix schedule.
          May 26, 2017: HIRT notifies the reporter of a fix for this vulnerability.
          May 29, 2017: HIRT sends a CVE ID request.
          May 29, 2017: Hitachi releases an advisory and announces a patch.
          http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
          May 29, 2017: Acknowledgment publicly disclosed.
          May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.

Title:    Hitachi Command Suite 8 Device Manager, Replication Manager - Reflected Cross-Site Scripting
CVE:      CVE-2017-9298
CVSS:     CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N
          CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CWE:      CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Timeline: January 05, 2017: HIRT receives a report about this vulnerability.
          January 05, 2017: HIRT asks for a technical description of the vulnerability.
          January 06, 2017: HIRT receives technical details.
          February 28, 2017: HIRT notifies the reporter of a fix schedule for this vulnerability.
          April 24, 2017: HIRT notifies the reporter of a change to the fix schedule.
          May 26, 2017: HIRT notifies the reporter of a fix for this vulnerability.
          May 29, 2017: HIRT sends a CVE ID request.
          May 29, 2017: Hitachi releases an advisory and announces a patch.
          http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
          May 29, 2017: Acknowledgment publicly disclosed.
          May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.

Title:    Hitachi Command Suite 8 - Open Redirect
CVE:      CVE-2017-9296
CVSS:     CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N
          CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CWE:      CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Ref.:     OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Timeline: January 05, 2017: HIRT receives a report about this vulnerability.
          January 05, 2017: HIRT asks for a technical description of the vulnerability.
          January 06, 2017: HIRT receives technical details.
          February 28, 2017: HIRT notifies the reporter of a fix schedule for this vulnerability.
          April 24, 2017: HIRT notifies the reporter of a change to the fix schedule.
          May 26, 2017: HIRT notifies the reporter of a fix for this vulnerability.
          May 29, 2017: HIRT sends a CVE ID request.
          May 29, 2017: Hitachi releases an advisory and announces a patch.
          http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
          May 29, 2017: Acknowledgment publicly disclosed.
          May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Gocyla (ING Services Polska) for reporting this vulnerability.

Title:    Hitachi Command Suite 8 Device Manager - Sensitive Data Disclosed Via Open Redirection Vulnerability
CVE:      CVE-2017-9297
CVSS:     CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N
          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CWE:      CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Ref.:     OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Timeline: January 16, 2017: HIRT receives a report about this vulnerability.
          February 28, 2017: HIRT notifies the reporter of a fix schedule for this vulnerability.
          April 24, 2017: HIRT notifies the reporter of a change to the fix schedule.
          May 26, 2017: HIRT notifies the reporter of a fix for this vulnerability.
          May 29, 2017: HIRT sends a CVE ID request.
          May 29, 2017: Hitachi releases an advisory and announces a patch.
          http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
          May 29, 2017: Acknowledgment publicly disclosed.
          May 30, 2017: CVE ID is assigned to this vulnerability.

October 14, 2016

Thanks to Aidan Barrington for reporting this vulnerability.

Title:    FTP server has writable folders and files for firmware update.
CVSS:     CVSS:2.0 AV:N/AC:L/Au:S/C:N/I:P/A:N
          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE:      CWE-276: Incorrect Default Permissions
Timeline: April 25, 2016: HIRT receives a report about this vulnerability.
          April 26, 2016: HIRT asks for a technical description of the vulnerability.
          May 06, 2016: HIRT receives technical details.
          June 08, 2016: HIRT notifies the reporter of a fix for this vulnerability.
          October 09, 2016: HIRT completes an additional investigation of the FTP server and related products.
          October 11, 2016: HIRT notifies.
          October 14, 2016: Acknowledgment publicly disclosed.

August 22, 2016

Thanks to tah0zoo (Independent Security Researcher) for reporting this vulnerability.

Title:    Cross-site Scripting on Web application
CVSS:     CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:N
          CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE:      CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref.:     OWASP: Cross-site Scripting (XSS)
Timeline: January 08, 2016: HIRT receives a report about this vulnerability.
          August 18, 2016: HIRT notifies the reporter of a fix for this vulnerability.
          August 22, 2016: Acknowledgment publicly disclosed.

August 22, 2016

Thanks to Anand Tendolkar for reporting this vulnerability.

Title:    Information Exposure Through Directory Listing on Web site.
CVSS:     CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE:      CWE-548: Information Exposure Through Directory Listing
Ref.:     OWASP: Top 10 2013-A5-Security Misconfiguration
          OWASP: Top 10 2013-A6-Sensitive Data Exposure
Timeline: June 03, 2016: HIRT receives a report about this vulnerability.
          August 18, 2016: HIRT notifies the reporter of a fix for this vulnerability.
          August 22, 2016: Acknowledgment publicly disclosed.

March 31, 2016

Thanks to James Schwinabart (Qualcomm's Information Security and Risk Management team) for reporting this vulnerability.

Title:    Apache Commons Collections Java library insecurely deserializes data
CVSS:     CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:P
          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE:      CWE-502: Deserialization of Untrusted Data
Timeline: November 13, 2015: Vulnerability Note VU#576313 is published.
          March 23, 2016: HIRT receives a report about this vulnerability.
          March 28, 2016: Hitachi releases an advisory and announces a patch.
          http://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2016/0328_acc.html
          March 29, 2016: HIRT notifies the reporter of a fix for this vulnerability.
          March 31, 2016: Acknowledgment publicly disclosed.

November 04, 2015

Thanks to BALAJI P R (Independent Security Researcher) for reporting this vulnerability.

Title:    Cross-site Scripting on Web portal application.
CVSS:     CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N
CWE:      CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref.:     OWASP: Cross-site Scripting (XSS)
Timeline: February 21, 2015: HIRT receives a report about this vulnerability.
          October 30, 2015: HIRT notifies the reporter of a fix for this vulnerability.
          November 04, 2015: Acknowledgment publicly disclosed.

November 04, 2015

Thanks to BALAJI P R (Independent Security Researcher) for reporting this vulnerability.

Title:    Cross-site Scripting on Web search application.
CVSS:     CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N
CWE:      CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref.:     OWASP: Cross-site Scripting (XSS)
Timeline: February 21, 2015: HIRT receives a report about this vulnerability.
          October 30, 2015: HIRT notifies the reporter of a fix for this vulnerability.
          November 04, 2015: Acknowledgment publicly disclosed.

July 29, 2013

Thanks to Taizo Tsukamoto (GLOBAL SECURITY EXPERTS Inc.) for reporting this vulnerability. HIRT worked to fix this vulnerability in line with the "Information Security Early Warning Partnership Guidelines".

Title:    Privilege escalation vulnerabilities in JP1/IT Desktop Management - Manager and Hitachi IT Operations Director
CVE:      CVE-2013-4697
CVSS:     CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N
CWE:      CWE-264: Permissions, Privileges, and Access Controls
Timeline: May 22, 2013: HIRT receives a report about this vulnerability from the "Information Security Early Warning Partnership".
          May 23, 2013: HIRT receives technical details.
          May 23, 2013: HIRT confirms the existence of the flaw.
          July 26, 2013: Hitachi releases an advisory and announces a patch.
          http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-017/
          July 29, 2013: JVN releases a vulnerability note.
          http://jvn.jp/en/jp/JVN00065218/
          July 29, 2013: Acknowledgment publicly disclosed.

April 24, 2012

Thanks to Muhammad Haroon for reporting this vulnerability.

Title:    Local File Download from Web application.
CVSS:     CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:N/A:N
CWE:      CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Timeline: March 14, 2012: Hitachi receives a report about this vulnerability.
          March 16, 2012: HIRT receives a report about this vulnerability.
          March 17, 2012: HIRT asks for a technical description of the flaw.
          March 17, 2012: HIRT receives technical details.
          April 21, 2012: HIRT notifies the reporter of a fix for this vulnerability.
          April 24, 2012: Acknowledgment publicly disclosed.