Japan Vulnerability NotesJVN:21298724JVN#21298724: Hitachi Virtual File Platform vulnerable to OS command injection
9 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.007 Low
EPSS
Percentile
80.8%
Hitachi Virtual File Platform provided by Hitachi contains an OS command injection vulnerability (CWE-78) due to a flaw in processing parameters of the HTTP requests.
Impact
A remote attacker who can log in to the product may execute an arbitrary OS command with root privilege.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Products Affected
- Hitachi Virtual File Platform
- Versions prior to 5.5.3-09
- Versions prior to 6.4.3-09
In addition, the following product that uses Hitachi Virtual File Platform is also affected by this issue. For the details, refer to the information under the section [Vendor Status].
- NEC Storage M Series NAS Gateway
- Nh4a/Nh8a versions prior to FOS 5.5.3-08(NEC2.5.4a)
- Nh4b/Nh8b, Nh4c/Nh8c versions prior to FOS 6.4.3-08(NEC3.4.2)
Related
9 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.007 Low
EPSS
Percentile
80.8%