Skip to main content

Hitachi

Hitachi Incident Response Team

Hitachi Incident Response Team

Acknowledgments :

Last Update: November 11, 2021

HIRT thanks the following for working with us to help vulnerability handling and incident response:




November 01, 2021

Thanks to Alberto Favero (HAWSEC - Security & Services) and Altion Malka for reporting these vulnerabilities.

Title Multiple Vulnerabilities in Pentaho
CVE
CVSS
CWE
CVE-2021-31599: Remote Code Execution through Pentaho Report Bundles
CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:C/A:C [9.0]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8]
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CVE-2021-34684: Unauthenticated SQL Injection
CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C [10.0]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8]
CWE-89: SQL Injection
CVE-2021-31601: Insufficient Access Control of Data Source Management Service
CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:P/A:N [7.5]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N [7.1]
CWE-319: Cleartext Transmission of Sensitive Information
CVE-2021-31602: Authentication Bypass of Spring APIs
CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N [5.0]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3]
CWE-285: Improper Authorization
Jackrabbit User Enumeration
CVE-2021-31600 describes to be an issue in Hitachi Vantara Pentaho Business Analytics Server. This is a feature of products, and not a vulnerability.
CVE-2021-34685: Bypass of Filename Extension Restrictions
CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N [3.5]
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N [2.7]
CWE-434: Unrestricted Upload of File with Dangerous Type
Timeline January 31, 2021: HIRT receives about these vulnerabilities.
March 29, 2021: HIRT receives testing tool "Ginger" for Pentaho.
April 07, 2021: HIRT receives two new vulnerabilities.
November 01, 2021: Acknowledgment publicly disclosed.
November 11, 2021: HIRT publishes an advisory.
https://www.hitachi.com/hirt/hitachi-sec/2021/603.html

October 08, 2021

Thanks to Ruslan Sayfiev and Denis Faiustov of (Ierae Security Inc.) for reporting these vulnerabilities.

Title Multiple Vulnerabilities in JP1/IT Desktop Management 2, JP1/NETM/DM, JP1/Remote Control and Hitachi IT Operations Director
CVE
CVSS
CWE
CVE-2021-29644: Remote Code Execution Vulnerability
CVSS:2.0 AV:N/AC:H/Au:N/C:C/I:C/A:C
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-190: Integer Overflow or Wraparound
CVE-2021-29645: Local Privilege Escalation Vulnerability
CVSS:2.0 AV:L/AC:H/Au:S/C:C/I:C/A:C
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-264: Permissions, Privileges, and Access Controls
Timeline February 16, 2021: HIRT receives about this vulnerability from Ierae Security.
February 17, 2021: HIRT asks for technical description about the vulnerability.
February 19, 2021: HIRT receives technical details.
September 30, 2021: HIRT notifies a status of this vulnerability.
October 08, 2021: Hitachi publishes an advisory and announces a fixed.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2021-133
October 08, 2021: Acknowledgment publicly disclosed.

June 18, 2021

Thanks to Hiroki Matsukuma (of Cyber Defense Institute, Inc) for reporting this vulnerability. HIRT promoted to fix this vulnerability in line with "Information Security Early Warning Partnership Guidelines".

Title Command Injection Vulnerability in Hitachi File Services Manager
CVE CVE-2021-20740
CVSS CVSS:2.0 AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Timeline January 17, 2020: HIRT receives about this vulnerability from "Information Security Early Warning Partnership".
June 18, 2021: Acknowledgment publicly disclosed.

February 05, 2021

Thanks to Yuji Tounai (of Mitsui Bussan Secure Directions, Inc.) for reporting this vulnerability. HIRT promoted to fix this vulnerability in line with "Information Security Early Warning Partnership Guidelines".

Title Cross-site Scripting Vulnerability in Hitachi Application Server Help
CVE CVE-2021-20741
CVSS CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Timeline December 12, 2019: HIRT receives about this vulnerability from "Information Security Early Warning Partnership".
February 05, 2021: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2021-104
February 05, 2021: Acknowledgment publicly disclosed.

January 27, 2021

Thanks to Andrej Šimko (CVE-2020-24664, CVE-2020-24670 and CVE-2020-24665), Klára Szvitková (CVE-2020-24669) and Stanislav Dusek (CVE-2020-24666) of (Accenture) for reporting these vulnerabilities.

Title Multiple Vulnerabilities in Pentaho
CVE
CVSS
CWE
CVE-2020-24664: Reflected Cross-Site Scripting
CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24670: Reflected Cross-Site Scripting
CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24665: Denial of Service by XML Entity Expansion injection
CVSS:2.0 AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-400: Resource Exhaustion
CVE-2020-24669: DOM Based Cross-Site Scripting
CVSS:2.0 AV:N/AC:M/Au:S/C:P/I:P/A:N
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-24666: Stored Cross Site Scripting
CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Timeline July 13, 2020: HIRT receives about this vulnerability from Accenture.
July 13, 2020: HIRT asks for technical description about the vulnerability.
July 13, 2020: HIRT receives technical details.
December 08, 2020: Hitachi publishes a first edition advisory.
https://support.pentaho.com/hc/en-us/articles/360050965992-hirt-sec-2020-601-Multiple-Vulnerabilities-in-Pentaho
January 27, 2021: HIRT publishes a final edition advisory.
https://www.hitachi.com/hirt/hitachi-sec/2020/601.html
January 27, 2021: HIRT notifies a status of this vulnerability.
January 27, 2021: Acknowledgment publicly disclosed.

January 05, 2021

Thanks to Miguel Santareno for reporting this vulnerability.

Title Information Exposure issue on Web site.
CVSS CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE CWE-200: Information Exposure
Timeline October 13, 2020: HIRT receives about this vulnerability.
October 15, 2020: HIRT asks for technical description about the vulnerability.
October 15, 2020: HIRT receives technical details.
January 04, 2021: HIRT notifies a fix of this vulnerability.
January 05, 2021: Acknowledgment publicly disclosed.

January 05, 2021

Thanks to Shivang Trived for offering a technical report.

Title Technical report for mod_http2 in Apache HTTP Server.
Timeline September 01, 2020: HIRT receives a technical report for mod_http2 in Apache HTTP Server.
January 05, 2021: Acknowledgment publicly disclosed.

August 20, 2020

Thanks to SecurityMate for reporting this vulnerability.

Title Path Traversal (CVE-2020-3452) on Cisco Adaptive Security Appliance
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE CWE-20: Improper Input Validation
Timeline July 31, 2020: HIRT receives about this vulnerability.
July 31, 2020: HIRT asks for technical description about the vulnerability.
July 31, 2020: HIRT receives technical details.
August 17, 2020: HIRT notifies a fix of this vulnerability.
August 20, 2020: Acknowledgment publicly disclosed.

July 28, 2020

Thanks to Dhiraj Mishra for reporting this vulnerability.

Title Insecure Loading of Dynamic Link Libraries in the application installer
CVSS CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE CWE-427: Uncontrolled Search Path Element
Ref.HIRT-PUB17011 : Insecure Loading of Dynamic Link Libraries
HIRT recommend "Run executable files, such as installers and self-extracting documents, in a safe manner."
Timeline April 30, 2020: HIRT receives about this vulnerability.
July 27, 2020: HIRT notifies a fix of this vulnerability.
July 28, 2020: Acknowledgment publicly disclosed.

July 28, 2020

Thanks to Ross Derewianko for reporting this vulnerability.

Title Information Exposure issue on Web site.
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE CWE-200: Information Exposure
Timeline June 02, 2020: HIRT receives about this vulnerability.
July 27, 2020: HIRT notifies a fix of this vulnerability.
July 28, 2020: Acknowledgment publicly disclosed.

June 18, 2020

Thanks to Ravi Ashok Prajapati for reporting this vulnerability.

Title Cross-site Scripting on Web application
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Ref. OBB-1112840
Timeline March 07, 2020: Vulnerability Reported to OpenBugBounty.
June 05, 2020: HIRT follows up about this vulnerability.
June 10, 2020: HIRT confirms a fix of this vulnerability.
June 17, 2020: HIRT notifies a fix of this vulnerability.
June 18, 2020: Acknowledgment publicly disclosed.

June 08, 2020

Thanks to Naresh Chowdary and Venkata Sateesh Netti for reporting this vulnerability.

Title Local File Inclusion issue (CVE 2019-11510) on Pulse Secure VPN.
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE CWE-275: Permission Issues
Timeline February 22, 2020: HIRT receives about this vulnerability.
June 05, 2020: HIRT notifies a fix of this vulnerability.
June 08, 2020: Acknowledgment publicly disclosed.

June 08, 2020

Thanks to Jagdish Bharucha for offering a technical report.

Title Technical report for OTP supported by Web application
Timeline May 06, 2020: HIRT receives a technical report for OTP supported by Web application.
June 08, 2020: Acknowledgment publicly disclosed.

May 27, 2020

Thanks to Jagdish Bharucha for reporting this vulnerability.

Title Information Exposure issue on Web application.
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:N/A:N
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE CWE-639: Authorization Bypass Through User-Controlled Key
Timeline November 21, 2019: HIRT receives about this vulnerability.
May 04, 2020: HIRT notifies a fix of this vulnerability.
May 27, 2020: Acknowledgment publicly disclosed.

April 14, 2020

Thanks to Hoang Quoc Thinh (OWASP Viet Nam Chapter) for reporting this vulnerability.

Title Remote Code Execution issue (CVE-2020-7961) on Web application.
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-502: Deserialization of Untrusted Data
Timeline March 29, 2020: HIRT receives about this vulnerability.
April 13, 2020: HIRT notifies a fix of this vulnerability.
April 14, 2020: Acknowledgment publicly disclosed.

December 25, 2019

Thanks to Phatthanaphol Rattanapongporn for reporting this vulnerability.

Title Information Exposure issue on Web application.
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE CWE-264: Permissions, Privileges, and Access Controls
Timeline August 21, 2019: HIRT receives about this vulnerability.
December 25, 2019: HIRT notifies a fix of this vulnerability.
December 25, 2019: Acknowledgment publicly disclosed.

December 20, 2019

Thanks to Piotr Madej (ING Tech Poland) for reporting this vulnerability.

Title Hitachi Command Suite - Information Exposure
CVE CVE-2018-21032
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE CWE-209: Information Exposure Through an Error Message
Timeline March 29, 2018: HIRT receives about this vulnerability.
March 30, 2018: HIRT asks for technical description about the vulnerability.
April 03, 2018: HIRT receives technical details.
December 20, 2019: HIRT notifies a fix of this vulnerability.
December 20, 2019: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-128
December 20, 2019: Acknowledgment publicly disclosed.

December 20, 2019

Thanks to Piotr Madej (ING Tech Poland) for reporting this vulnerability.

Title Hitachi Command Suite - Information Exposure
CVE CVE-2018-21033
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE CWE-73: External Control of File Name or Path
Timeline March 29, 2018: HIRT receives about this vulnerability.
March 30, 2018: HIRT asks for technical description about the vulnerability.
April 03, 2018: HIRT receives technical details.
December 20, 2019: HIRT notifies a fix of this vulnerability.
December 20, 2019: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-128
December 20, 2019: Acknowledgment publicly disclosed.

November 08, 2019

Thanks to Matt Byrne (Perspective Risk) for reporting this vulnerability.

Title Hitachi Command Suite - Denial of Service
CVE CVE-2019-17360
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE CWE-400: Uncontrolled Resource Consumption
Timeline July 30, 2019: HIRT receives about this vulnerability.
July 30, 2019: HIRT asks for technical description about the vulnerability.
July 30, 2019: HIRT receives technical details.
October 07, 2019: HIRT notifies a fix of this vulnerability.
November 08, 2019: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-125
November 08, 2019: Acknowledgment publicly disclosed.

November 08, 2019

Thanks to Matt Byrne (Perspective Risk) for reporting this vulnerability.

Title Hitachi Command Suite - Information Exposure
CVE CVE-2018-21026
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE CWE-200: Information Exposure
Timeline July 30, 2019: HIRT receives about this vulnerability.
July 30, 2019: HIRT asks for technical description about the vulnerability.
July 30, 2019: HIRT receives technical details.
October 07, 2019: HIRT notifies a fix of this vulnerability.
November 08, 2019: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-124
November 08, 2019: Acknowledgment publicly disclosed.

November 08, 2019

Thanks to Piotr Madej (ING Tech Poland) for reporting this vulnerability.

Title Hitachi Command Suite - Information Exposure
CVE CVE-2018-21026
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE CWE-200: Information Exposure
Timeline March 29, 2018: HIRT receives about this vulnerability.
March 30, 2018: HIRT asks for technical description about the vulnerability.
April 03, 2018: HIRT receives technical details.
November 08, 2019: HIRT notifies a fix of this vulnerability.
November 08, 2019: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-124
November 08, 2019: Acknowledgment publicly disclosed.

October 21, 2019

Thanks to Pankaj Kumar Thakur (Nepal) for reporting this misconfiguration vulnerability.

Title HTTP Host Header Injection on Web application
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CWE CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Timeline September 12, 2019: HIRT receives about this vulnerability.
October 20, 2019: HIRT notifies a fix of this vulnerability.
October 21, 2019: Acknowledgment publicly disclosed.

May 20, 2019

Thanks to serge lacroute for reporting this vulnerability.

Title Cross-site Scripting on Web application
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Ref. OBB-784016
Timeline March 30, 2019: HIRT receives about this vulnerability.
May 18, 2019: HIRT notifies a fix of this vulnerability.
May 20, 2019: Acknowledgment publicly disclosed.

November 20, 2018

Thanks to Jan Krissler and Julian Albrecht (Berlin University of Technology) for offering a technical report.

Title Technical report of finger vein device
Timeline October 04, 2018: HIRT receives a technical report of finger vein device.
November 12, 2018: Hitachi has a technical meeting with them in Tokyo.
November 13, 2018: HIRT catches up their presentation "Hacking Vein Recognition Systems" of PacSec 2018.
November 14, 2018: Hitachi has a technical meeting with them in Tokyo.
November 20, 2018: Acknowledgment publicly disclosed.
December 27, 2018: HIRT catches up their presentation "Venenerkennung Hacken" of 35th Chaos Communication Congress.

August 08, 2018

Thanks to Piotr Madej (ING Tech Poland) for reporting this vulnerability.

Title Hitachi Command Suite 8 - Information Exposure
CVE CVE-2018-14735
CVSS CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE CWE-264: Permissions, Privileges, and Access Controls
Timeline March 29, 2018: HIRT receives about this vulnerability.
March 30, 2018: HIRT asks for technical description about the vulnerability.
April 03, 2018: HIRT receives technical details.
August 05, 2018: HIRT notifies a fix of this vulnerability.
August 08, 2018: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-123
August 08, 2018: Acknowledgment publicly disclosed.

May 02, 2018

Thanks to Wai Yan Aung for reporting this vulnerability.

Title Reflected Cross-site Scripting on Web application
CVSS CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Timeline March 10, 2018: HIRT receives about this vulnerability.
May 02, 2018: HIRT notifies a fix of this vulnerability.
May 02, 2018: Acknowledgment publicly disclosed.

May 02, 2018

Thanks to Craig Young, Lamar Bailey and Tyler Reguly (Tripwire VERT) for reporting this vulnerability.

Title ROBOT (Return of Bleichenbacher's Oracle Threat) SSL Denial of Service vulnerability in Hitachi Unified Storage 100 series
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE Ref. The ROBOT Attack
Ref. VERT Threat Alert: Return of Bleichenbacher's Oracle Threat (ROBOT)
Timeline November 28, 2017: Hitachi receives report of "unexpected SSL traffic stop".
December 01, 2017: HIRT receives about this vulnerability from Tripwire VERT.
December 01, 2017: HIRT asks for technical description about the vulnerability.
December 10, 2017: HIRT receives technical details.
January 09, 2018: Hitachi releases a patch.
February 22, 2018: Hitachi publishes an advisory.
https://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2018_1/2018_304.html
May 02, 2018: HIRT notifies a status of this vulnerability.
May 02, 2018: Acknowledgment publicly disclosed.

October 20, 2017

Thanks to Suyog Palav for reporting this vulnerability.

Title Email Flooding issue on Web newsletter sign up application.
CVSS CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE CWE-399: Resource Management Errors
Timeline July 05, 2017: HIRT receives about this vulnerability.
October 19, 2017: HIRT notifies a fix of this vulnerability.
October 20, 2017: Acknowledgment publicly disclosed.

August 24, 2017

Thanks to Ketankumar Godhani for reporting this vulnerability.

Title Clickjacking issue on Web login application.
CVSS CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CWE Ref. OWASP Clickjacking
Timeline June 20, 2017: HIRT receives about this vulnerability.
August 22, 2017: HIRT notifies a fix of this vulnerability.
August 24, 2017: Acknowledgment publicly disclosed.

May 29, 2017

Thanks to Piotr Domirski and Marcin Woloszyn (ING Services Polska) for reporting this vulnerability.

Title Hitachi Command Suite 8 - Remote Execution of Internal Commands via RMI w/o Authentication
CVE CVE-2017-9294
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE CWE-285: Improper Authorization (2.9)
CWE-306: Missing Authentication for Critical Function (2.9)
Timeline January 05, 2017: HIRT receives about this vulnerability.
January 05, 2017: HIRT asks for technical description about the vulnerability.
January 06, 2017: HIRT receives technical details.
February 28, 2017: HIRT notifies a fix schedule of this vulnerability.
April 24, 2017: HIRT notifies a fix schedule change of this vulnerability.
May 26, 2017: HIRT notifies a fix of this vulnerability.
May 29, 2017: HIRT send CVE ID request.
May 29, 2017: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114
May 29, 2017: Acknowledgment publicly disclosed.
May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Piotr Domirski (ING Services Polska) for reporting this vulnerability.

Title Hitachi Command Suite 8 - External XML Entity
CVE CVE-2017-9295
CVSS CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
Ref. OWASP: XML External Entity (XXE) Processing
Ref. NIICosulting: Server side request forgery
Timeline January 05, 2017: HIRT receives about this vulnerability.
January 05, 2017: HIRT asks for technical description about the vulnerability.
January 06, 2017: HIRT receives technical details.
February 28, 2017: HIRT notifies a fix schedule of this vulnerability.
April 24, 2017: HIRT notifies a fix schedule change of this vulnerability.
May 26, 2017: HIRT notifies a fix of this vulnerability.
May 29, 2017: HIRT send CVE ID request.
May 29, 2017: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114
May 29, 2017: Acknowledgment publicly disclosed.
May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.

Title Hitachi Command Suite 8 Replication Manager - XML External Entity
CVE CVE-2017-9295
CVSS CVSS:2.0 AV:N/AC:L/Au:S/C:P/I:P/A:N
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
Ref. OWASP: XML External Entity (XXE) Processing
Ref. NIICosulting: Server side request forgery
Timeline January 05, 2017: HIRT receives about this vulnerability.
January 05, 2017: HIRT asks for technical description about the vulnerability.
January 06, 2017: HIRT receives technical details.
February 28, 2017: HIRT notifies a fix schedule of this vulnerability.
April 24, 2017: HIRT notifies a fix schedule change of this vulnerability.
May 26, 2017: HIRT notifies a fix of this vulnerability.
May 29, 2017: HIRT send CVE ID request.
May 29, 2017: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114
May 29, 2017: Acknowledgment publicly disclosed.
May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.

Title Hitachi Command Suite 8 Device Manager, Replication Manager - Reflected Cross-Site Scripting
CVE CVE-2017-9298
CVSS CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Timeline January 05, 2017: HIRT receives about this vulnerability.
January 05, 2017: HIRT asks for technical description about the vulnerability.
January 06, 2017: HIRT receives technical details.
February 28, 2017: HIRT notifies a fix schedule of this vulnerability.
April 24, 2017: HIRT notifies a fix schedule change of this vulnerability.
May 26, 2017: HIRT notifies a fix of this vulnerability.
May 29, 2017: HIRT send CVE ID request.
May 29, 2017: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114
May 29, 2017: Acknowledgment publicly disclosed.
May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Bartunek (ING Services Polska) for reporting this vulnerability.

Title Hitachi Command Suite 8 - Open Redirect
CVE CVE-2017-9296
CVSS CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CWE CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Timeline January 05, 2017: HIRT receives about this vulnerability.
January 05, 2017: HIRT asks for technical description about the vulnerability.
January 06, 2017: HIRT receives technical details.
February 28, 2017: HIRT notifies a fix schedule of this vulnerability.
April 24, 2017: HIRT notifies a fix schedule change of this vulnerability.
May 26, 2017: HIRT notifies a fix of this vulnerability.
May 29, 2017: HIRT send CVE ID request.
May 29, 2017: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114
May 29, 2017: Acknowledgment publicly disclosed.
May 30, 2017: CVE ID is assigned to this vulnerability.

May 29, 2017

Thanks to Pawel Gocyla (ING Services Polska) for reporting this vulnerability.

Title Hitachi Command Suite 8 Device Manager - Sensitive Data Disclosed Via Open Redirection Vulnerability
CVE CVE-2017-9297
CVSS CVSS:2.0 AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CWE CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Ref. OWASP: Unvalidated Redirects and Forwards Cheat Sheet
Timeline January 16, 2017: HIRT receives about this vulnerability.
February 28, 2017: HIRT notifies a fix schedule of this vulnerability.
April 24, 2017: HIRT notifies a fix schedule change of this vulnerability.
May 26, 2017: HIRT notifies a fix of this vulnerability.
May 29, 2017: HIRT send CVE ID request.
May 29, 2017: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-114
May 29, 2017: Acknowledgment publicly disclosed.
May 30, 2017: CVE ID is assigned to this vulnerability.

October 14, 2016

Thanks to Aidan Barrington for reporting this vulnerability.

Title FTP server has writable folders and files for firmware update.
CVSS CVSS:2.0 AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE CWE-276: Incorrect Default Permissions
Timeline April 25, 2016: HIRT receives about this vulnerability.
April 26, 2016: HIRT asks for technical description about the vulnerability.
May 06, 2016: HIRT receives technical details.
June 08, 2016: HIRT notifies a fix of this vulnerability.
October 09, 2016: HIRT completed additional investigation of FTP server and related products.
October 11, 2016: HIRT notifies.
October 14, 2016: Acknowledgment publicly disclosed.

August 22, 2016

Thanks to tah0zoo (Independent Security Researcher) for reporting this vulnerability.

Title Cross-site Scripting on Web application
CVSS CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Timeline January 08, 2016: HIRT receives about this vulnerability.
August 18, 2016: HIRT notifies a fix of this vulnerability.
August 22, 2016: Acknowledgment publicly disclosed.

August 22, 2016

Thanks to Anand Tendolkar for reporting this vulnerability.

Title Information Exposure Through Directory Listing on Web site.
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE CWE-548: Information Exposure Through Directory Listing
Ref. OWASP: Top 10 2013-A5-Security Misconfiguration
Ref. OWASP: Top 10 2013-A6-Sensitive Data Exposure
Timeline June 03, 2016: HIRT receives about this vulnerability.
August 18, 2016: HIRT notifies a fix of this vulnerability.
August 22, 2016: Acknowledgment publicly disclosed.

March 31, 2016

Thanks to James Schwinabart (Qualcomm's Information Security and Risk Management team) for reporting this vulnerability.

Title Apache Commons Collections Java library insecurely deserializes data
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE CWE-502: Deserialization of Untrusted Data
Timeline November 13, 2015: Vulnerability Note VU#576313 published.
March 23, 2016: HIRT receives about this vulnerability.
March 28, 2016: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/products/it/storage-solutions/global/sec_info/2016/0328_acc.html
March 29, 2016: HIRT notifies a fix of this vulnerability.
March 31, 2016: Acknowledgment publicly disclosed.

November 04, 2015

Thanks to BALAJI P R (Independent Security Researcher) for reporting this vulnerability.

Title Cross-site Scripting on Web portal application.
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N
CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Timeline February 21, 2015: HIRT receives about this vulnerability.
October 30, 2015: HIRT notifies a fix of this vulnerability.
November 04, 2015: Acknowledgment publicly disclosed.

November 04, 2015

Thanks to BALAJI P R (Independent Security Researcher) for reporting this vulnerability.

Title Cross-site Scripting on Web search application.
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:P/I:P/A:N
CWE CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Ref. OWASP: Cross-site Scripting (XSS)
Timeline February 21, 2015: HIRT receives about this vulnerability.
October 30, 2015: HIRT notifies a fix of this vulnerability.
November 04, 2015: Acknowledgment publicly disclosed.

July 29, 2013

Thanks to Taizo Tsukamoto (of GLOBAL SECURITY EXPERTS Inc.) for reporting this vulnerability. HIRT promoted to fix this vulnerability in line with "Information Security Early Warning Partnership Guidelines".

Title Privilege escalation vulnerabilities in JP1/IT Desktop Management - Manager and Hitachi IT Operations Director
CVE CVE-2013-4697
CVSS CVSS:2.0 AV:N/AC:M/Au:S/C:N/I:P/A:N
CWE CWE-264: Permissions, Privileges, and Access Controls
Timeline May 22, 2013: HIRT receives about this vulnerability from "Information Security Early Warning Partnership".
May 23, 2013: HIRT receives technical details.
May 23, 2013: HIRT confirms the existence of the flaw.
July 26, 2013: Hitachi publishes an advisory and announces a patch.
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-017
July 29, 2013: JVN publishes a vulnerability note. https://jvn.jp/en/jp/JVN00065218/
July 29, 2013: Acknowledgment publicly disclosed.

April 24, 2012

Thanks to Muhammad Haroon for reporting this vulnerability.

Title Local File Download from Web application.
CVSS CVSS:2.0 AV:N/AC:L/Au:N/C:C/I:N/A:N
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Timeline March 14, 2012: Hitachi receives about this vulnerability.
March 16, 2012: HIRT receives about this vulnerability.
March 17, 2012: HIRT asks for technical description about the flaw.
March 17, 2012: HIRT receives technical details.
April 21, 2012: HIRT notifies a fix of this vulnerability.
April 24, 2012: Acknowledgment publicly disclosed.