Hitachi Incident Response Team
Acknowledgments

Last Update: November 13, 2019

HIRT thanks the following for working with us on vulnerability handling and incident response:

November 08, 2019

Thanks to Matt Byrne (Perspective Risk) for reporting this vulnerability.

Title: Hitachi Command Suite - Denial of Service
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:N/A:P
      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE: CVE-2019-17360
CWE: CWE-400: Uncontrolled Resource Consumption
Timeline:
  July 30, 2019: HIRT receives a report about this vulnerability.
  July 30, 2019: HIRT asks for a technical description of the vulnerability.
  July 30, 2019: HIRT receives technical details.
  October 07, 2019: HIRT notifies that this vulnerability has been fixed.
  November 08, 2019: Hitachi publishes an advisory and announces a patch.
    https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-125/
  November 08, 2019: Acknowledgment publicly disclosed.

November 08, 2019

Thanks to Matt Byrne (Perspective Risk) for reporting this vulnerability.

Title: Hitachi Command Suite - Information Exposure
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE: CVE-2018-21026
CWE: CWE-200: Information Exposure
Timeline:
  July 30, 2019: HIRT receives a report about this vulnerability.
  July 30, 2019: HIRT asks for a technical description of the vulnerability.
  July 30, 2019: HIRT receives technical details.
  October 07, 2019: HIRT notifies that this vulnerability has been fixed.
  November 08, 2019: Hitachi publishes an advisory and announces a patch.
    https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-124/
  November 08, 2019: Acknowledgment publicly disclosed.

November 08, 2019

Thanks to Piotr Madej (ING Tech Poland) for reporting this vulnerability.

Title: Hitachi Command Suite - Information Exposure
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE: CVE-2018-21026
CWE: CWE-200: Information Exposure
Timeline:
  March 29, 2018: HIRT receives a report about this vulnerability.
  March 30, 2018: HIRT asks for a technical description of the vulnerability.
  April 03, 2018: HIRT receives technical details.
  November 08, 2019: HIRT notifies that this vulnerability has been fixed.
  November 08, 2019: Hitachi publishes an advisory and announces a patch.
    https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-124/
  November 08, 2019: Acknowledgment publicly disclosed.

October 21, 2019

Thanks to Pankaj Kumar Thakur (Nepal) for reporting this misconfiguration vulnerability.

Title: HTTP Host Header Injection on Web application
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Timeline:
  September 12, 2019: HIRT receives a report about this vulnerability.
  October 20, 2019: HIRT notifies that this vulnerability has been fixed.
  October 21, 2019: Acknowledgment publicly disclosed.

May 20, 2019

Thanks to serge lacroute for reporting this vulnerability.

Title: Cross-site Scripting on Web application
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N
      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Ref. OBB-784016
Timeline:
  March 30, 2019: HIRT receives a report about this vulnerability.
  May 18, 2019: HIRT notifies that this vulnerability has been fixed.
  May 20, 2019: Acknowledgment publicly disclosed.

November 20, 2018

Thanks to Jan Krissler and Julian Albrecht (Berlin University of Technology) for offering a technical report.

Title: Technical report of finger vein device
Timeline:
  October 04, 2018: HIRT receives a technical report on the finger vein device.
  November 12, 2018: Hitachi has a technical meeting with them in Tokyo.
  November 13, 2018: HIRT catches up on their presentation "Hacking Vein Recognition Systems" at PacSec 2018.
  November 14, 2018: Hitachi has a technical meeting with them in Tokyo.
  November 20, 2018: Acknowledgment publicly disclosed.
  December 27, 2018: HIRT catches up on their presentation "Venenerkennung Hacken" at the 35th Chaos Communication Congress.

August 08, 2018

Thanks to Piotr Madej (ING Tech Poland) for reporting this vulnerability.

Title: Hitachi Command Suite 8 - Information Exposure
CVSS: CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE: CVE-2018-14735
CWE: CWE-264: Permissions, Privileges, and Access Controls
Timeline:
  March 29, 2018: HIRT receives a report about this vulnerability.
  March 30, 2018: HIRT asks for a technical description of the vulnerability.
  April 03, 2018: HIRT receives technical details.
  August 05, 2018: HIRT notifies that this vulnerability has been fixed.
  August 08, 2018: Hitachi publishes an advisory and announces a patch.
    http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-123/
  August 08, 2018: Acknowledgment publicly disclosed.

May 02, 2018

Thanks to Wai Yan Aung for reporting this vulnerability.

Title: Reflected Cross-site Scripting on Web application
CVSS: CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:N
      CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Timeline:
  March 10, 2018: HIRT receives a report about this vulnerability.
  May 02, 2018: HIRT notifies that this vulnerability has been fixed.
  May 02, 2018: Acknowledgment publicly disclosed.

May 02, 2018

Thanks to Craig Young, Lamar Bailey and Tyler Reguly (Tripwire VERT) for reporting this vulnerability.

Title: ROBOT (Return of Bleichenbacher's Oracle Threat) SSL Denial of Service vulnerability in Hitachi Unified Storage 100 series
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:N/A:C
      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: Ref. The ROBOT Attack
     Ref. VERT Threat Alert: Return of Bleichenbacher's Oracle Threat (ROBOT)
Timeline:
  November 28, 2017: Hitachi receives a report of "unexpected SSL traffic stop".
  December 01, 2017: HIRT receives a report about this vulnerability from Tripwire VERT.
  December 01, 2017: HIRT asks for a technical description of the vulnerability.
  December 10, 2017: HIRT receives technical details.
  January 09, 2018: Hitachi releases a patch.
  February 22, 2018: Hitachi publishes an advisory.
    http://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2018_1/2018_304.html
  May 02, 2018: HIRT notifies the status of this vulnerability.
  May 02, 2018: Acknowledgment publicly disclosed.

October 20, 2017

Thanks to Suyog Palav for reporting this vulnerability.

Title: Email Flooding issue on Web newsletter sign-up application.
CVSS: CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:N/A:P
      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-399: Resource Management Errors
Timeline:
  July 05, 2017: HIRT receives a report about this vulnerability.
  October 19, 2017: HIRT notifies that this vulnerability has been fixed.
  October 20, 2017: Acknowledgment publicly disclosed.

August 24, 2017

Thanks to Ketankumar Godhani for reporting this vulnerability.

Title: Clickjacking issue on Web login application.
CVSS: CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N
      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CWE: Ref. OWASP Clickjacking
Timeline:
  June 20, 2017: HIRT receives a report about this vulnerability.
  August 22, 2017: HIRT notifies that this vulnerability has been fixed.
  August 24, 2017: Acknowledgment publicly disclosed.

May 29, 2017

Thanks to Piotr Domirski and Marcin Woloszyn (ING Services Polska) for reporting this vulnerability.

Title: Hitachi Command Suite 8 - Remote Execution of Internal Commands via RMI w/o Authentication
CVE: CVE-2017-9294
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-285: Improper Authorization (2.9)
     CWE-306: Missing Authentication for Critical Function (2.9)
Timeline:
  January 05, 2017: HIRT receives a report about this vulnerability.
  January 05, 2017: HIRT asks for a technical description of the vulnerability.
  January 06, 2017: HIRT receives technical details.
  February 28, 2017: HIRT notifies the fix schedule for this vulnerability.
  April 24, 2017: HIRT notifies a change to the fix schedule for this vulnerability.
  May 26, 2017: HIRT notifies that this vulnerability has been fixed.
  May 29, 2017: HIRT sends a CVE ID request.
  May 29, 2017: Hitachi publishes an advisory and announces a patch.
    http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
  May 29, 2017: Acknowledgment publicly disclosed.
  May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Piotr Domirski (ING Services Polska) for reporting this vulnerability.

Title: Hitachi Command Suite 8 - External XML Entity
CVE: CVE-2017-9295
CVSS: CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N
      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
Ref. OWASP: XML External Entity (XXE) Processing
Ref. NII Consulting: Server side request forgery
Timeline:
  January 05, 2017: HIRT receives a report about this vulnerability.
  January 05, 2017: HIRT asks for a technical description of the vulnerability.
  January 06, 2017: HIRT receives technical details.
  February 28, 2017: HIRT notifies the fix schedule for this vulnerability.
  April 24, 2017: HIRT notifies a change to the fix schedule for this vulnerability.
  May 26, 2017: HIRT notifies that this vulnerability has been fixed.
  May 29, 2017: HIRT sends a CVE ID request.
  May 29, 2017: Hitachi publishes an advisory and announces a patch.
    http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
  May 29, 2017: Acknowledgment publicly disclosed.
  May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.

Title: Hitachi Command Suite 8 Replication Manager - XML External Entity
CVE: CVE-2017-9295
CVSS: CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N
      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE: CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
Ref. OWASP: XML External Entity (XXE) Processing
Ref. NII Consulting: Server side request forgery
Timeline:
  January 05, 2017: HIRT receives a report about this vulnerability.
  January 05, 2017: HIRT asks for a technical description of the vulnerability.
  January 06, 2017: HIRT receives technical details.
  February 28, 2017: HIRT notifies the fix schedule for this vulnerability.
  April 24, 2017: HIRT notifies a change to the fix schedule for this vulnerability.
  May 26, 2017: HIRT notifies that this vulnerability has been fixed.
  May 29, 2017: HIRT sends a CVE ID request.
  May 29, 2017: Hitachi publishes an advisory and announces a patch.
    http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
  May 29, 2017: Acknowledgment publicly disclosed.
  May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.

Title: Hitachi Command Suite 8 Device Manager, Replication Manager - Reflected Cross-Site Scripting
CVE: CVE-2017-9298
CVSS: CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N
      CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Timeline:
  January 05, 2017: HIRT receives a report about this vulnerability.
  January 05, 2017: HIRT asks for a technical description of the vulnerability.
  January 06, 2017: HIRT receives technical details.
  February 28, 2017: HIRT notifies the fix schedule for this vulnerability.
  April 24, 2017: HIRT notifies a change to the fix schedule for this vulnerability.
  May 26, 2017: HIRT notifies that this vulnerability has been fixed.
  May 29, 2017: HIRT sends a CVE ID request.
  May 29, 2017: Hitachi publishes an advisory and announces a patch.
    http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
  May 29, 2017: Acknowledgment publicly disclosed.
  May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.

Title: Hitachi Command Suite 8 - Open Redirect
CVE: CVE-2017-9296
CVSS: CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N
      CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Timeline:
  January 05, 2017: HIRT receives a report about this vulnerability.
  January 05, 2017: HIRT asks for a technical description of the vulnerability.
  January 06, 2017: HIRT receives technical details.
  February 28, 2017: HIRT notifies the fix schedule for this vulnerability.
  April 24, 2017: HIRT notifies a change to the fix schedule for this vulnerability.
  May 26, 2017: HIRT notifies that this vulnerability has been fixed.
  May 29, 2017: HIRT sends a CVE ID request.
  May 29, 2017: Hitachi publishes an advisory and announces a patch.
    http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
  May 29, 2017: Acknowledgment publicly disclosed.
  May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Gocyla (ING Services Polska) for reporting this vulnerability.

Title: Hitachi Command Suite 8 Device Manager - Sensitive Data Disclosed Via Open Redirection Vulnerability
CVE: CVE-2017-9297
CVSS: CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N
      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CWE: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Timeline:
  January 16, 2017: HIRT receives a report about this vulnerability.
  February 28, 2017: HIRT notifies the fix schedule for this vulnerability.
  April 24, 2017: HIRT notifies a change to the fix schedule for this vulnerability.
  May 26, 2017: HIRT notifies that this vulnerability has been fixed.
  May 29, 2017: HIRT sends a CVE ID request.
  May 29, 2017: Hitachi publishes an advisory and announces a patch.
    http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114/
  May 29, 2017: Acknowledgment publicly disclosed.
  May 30, 2017: CVE ID is assigned to this vulnerability.

October 14, 2016

Thanks to Aidan Barrington for reporting this vulnerability.

Title: FTP server has writable folders and files for firmware update.
CVSS: CVSS:2.0 AV:N/AC:L/Au:S/C:N/I:P/A:N
      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-276: Incorrect Default Permissions
Timeline:
  April 25, 2016: HIRT receives a report about this vulnerability.
  April 26, 2016: HIRT asks for a technical description of the vulnerability.
  May 06, 2016: HIRT receives technical details.
  June 08, 2016: HIRT notifies that this vulnerability has been fixed.
  October 09, 2016: HIRT completes an additional investigation of the FTP server and related products.
  October 11, 2016: HIRT notifies.
  October 14, 2016: Acknowledgment publicly disclosed.

August 22, 2016

Thanks to tah0zoo (Independent Security Researcher) for reporting this vulnerability.

Title: Cross-site Scripting on Web application
CVSS: CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:N
      CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Timeline:
  January 08, 2016: HIRT receives a report about this vulnerability.
  August 18, 2016: HIRT notifies that this vulnerability has been fixed.
  August 22, 2016: Acknowledgment publicly disclosed.

August 22, 2016

Thanks to Anand Tendolkar for reporting this vulnerability.

Title: Information Exposure Through Directory Listing on Web site.
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-548: Information Exposure Through Directory Listing
Ref. OWASP: Top 10 2013-A5-Security Misconfiguration
Ref. OWASP: Top 10 2013-A6-Sensitive Data Exposure
Timeline:
  June 03, 2016: HIRT receives a report about this vulnerability.
  August 18, 2016: HIRT notifies that this vulnerability has been fixed.
  August 22, 2016: Acknowledgment publicly disclosed.

March 31, 2016

Thanks to James Schwinabart (Qualcomm's Information Security and Risk Management team) for reporting this vulnerability.

Title: Apache Commons Collections Java library insecurely deserializes data
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:P
      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-502: Deserialization of Untrusted Data
Timeline:
  November 13, 2015: Vulnerability Note VU#576313 published.
  March 23, 2016: HIRT receives a report about this vulnerability.
  March 28, 2016: Hitachi publishes an advisory and announces a patch.
    http://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2016/0328_acc.html
  March 29, 2016: HIRT notifies that this vulnerability has been fixed.
  March 31, 2016: Acknowledgment publicly disclosed.

November 04, 2015

Thanks to BALAJI P R (Independent Security Researcher) for reporting this vulnerability.

Title: Cross-site Scripting on Web portal application.
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Timeline:
  February 21, 2015: HIRT receives a report about this vulnerability.
  October 30, 2015: HIRT notifies that this vulnerability has been fixed.
  November 04, 2015: Acknowledgment publicly disclosed.

November 04, 2015

Thanks to BALAJI P R (Independent Security Researcher) for reporting this vulnerability.

Title: Cross-site Scripting on Web search application.
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Timeline:
  February 21, 2015: HIRT receives a report about this vulnerability.
  October 30, 2015: HIRT notifies that this vulnerability has been fixed.
  November 04, 2015: Acknowledgment publicly disclosed.

July 29, 2013

Thanks to Taizo Tsukamoto (of GLOBAL SECURITY EXPERTS Inc.) for reporting this vulnerability. HIRT worked to fix this vulnerability in line with the "Information Security Early Warning Partnership Guidelines".

Title: Privilege escalation vulnerabilities in JP1/IT Desktop Management - Manager and Hitachi IT Operations Director
CVE: CVE-2013-4697
CVSS: CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N
CWE: CWE-264: Permissions, Privileges, and Access Controls
Timeline:
  May 22, 2013: HIRT receives a report about this vulnerability from the "Information Security Early Warning Partnership".
  May 23, 2013: HIRT receives technical details.
  May 23, 2013: HIRT confirms the existence of the flaw.
  July 26, 2013: Hitachi publishes an advisory and announces a patch.
    http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-017/
  July 29, 2013: JVN publishes a vulnerability note.
    http://jvn.jp/en/jp/JVN00065218/
  July 29, 2013: Acknowledgment publicly disclosed.

April 24, 2012

Thanks to Muhammad Haroon for reporting this vulnerability.

Title: Local File Download from Web application.
CVSS: CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:N/A:N
CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Timeline:
  March 14, 2012: Hitachi receives a report about this vulnerability.
  March 16, 2012: HIRT receives a report about this vulnerability.
  March 17, 2012: HIRT asks for a technical description of the flaw.
  March 17, 2012: HIRT receives technical details.
  April 21, 2012: HIRT notifies that this vulnerability has been fixed.
  April 24, 2012: Acknowledgment publicly disclosed.