jvn | Japan Vulnerability Notes | JVN:06446084
History: Aug 31, 2020 - 12:00 a.m.

JVN#06446084: CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to XML external entity injection (XXE)

2020-08-31 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS2: 5 Medium

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.041 Low (Percentile: 92.2%)

CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain an XML external entity injection (XXE) vulnerability (CWE-611).

Impact

When a specially crafted XML file is read, an attacker may be able to read an arbitrary file on the server.

Solution

Update the Software
The following updates are available. Update the software to the appropriate versions according to the information provided by the developer.

  • CLUSTERPRO X 4.1/X 4.2 for Windows update module (CPRO-XWA40-08)
  • EXPRESSCLUSTER X 4.1/X 4.2 for Windows update module (CPRO-XWA40-08E)

Apply a Workaround
Applying the following workarounds may mitigate the impacts of this vulnerability.

  • Enable access restriction by IP address
  • Enable access restriction by password
  • Enable connection by HTTPS

Products Affected

  • CLUSTERPRO X 4.2 for Windows and earlier
  • EXPRESSCLUSTER X 4.2 for Windows and earlier
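
For the vulnerability class named above (CWE-611), the following added example, which is not code from NEC or from the advisory, shows one way to screen an XML file for the DTD features that XXE depends on before a full parser sees it. It uses Python's standard expat binding; the function name `audit_xml` and both sample documents are constructed for illustration and say nothing about how the affected products parse XML.

```python
import xml.parsers.expat

# Constructed samples: one declares an external entity, one has no DTD.
SAMPLE_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY ext SYSTEM "file:///placeholder/path">
]>
<config><name>&ext;</name></config>
"""
SAMPLE_CLEAN = b"<?xml version='1.0'?><config><name>node1</name></config>"


def audit_xml(data: bytes) -> dict:
    """Report DOCTYPE and external entity declarations in `data`.

    No ExternalEntityRefHandler is installed, so expat never fetches the
    referenced resource; declarations are only recorded.
    """
    findings = {"doctype": False, "external_entities": [], "well_formed": True}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = True
        if system_id is not None:  # external DTD subset
            findings["external_entities"].append(("<external DTD>", system_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:  # SYSTEM/PUBLIC entity, general or parameter
            findings["external_entities"].append((name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        findings["well_formed"] = False
    return findings


if __name__ == "__main__":
    for label, doc in (("xxe", SAMPLE_XXE), ("clean", SAMPLE_CLEAN)):
        print(label, audit_xml(doc))
```

A conservative policy for configuration-style XML is to reject any input where `doctype` is true, since such files rarely need a DTD.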
