Japan Vulnerability Notes (jvn), JVN:38847224
Aug 04, 2023 - 12:00 a.m.

JVN#38847224: Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext

Tags: fujitsu, ism, cleartext, vulnerability, patch, workaround, proxy server, firmware

CVSS3: 7.5 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low (Percentile: 40.2%)

Fujitsu Software Infrastructure Manager (ISM) V2.8.0.060, provided by Fujitsu Limited, stores the password for the proxy server in cleartext in the product’s maintenance data (ismsnap) (CWE-312) when all of the following conditions are met.

  • A proxy server that requires authentication is used for the connection from ISM to the internet
  • The user ID and/or the password for the proxy server contains a "\" (backslash) character
  • The product’s firmware download function is enabled (*)

(*) This is a function for the Europe Region and is disabled by default

Impact

The password for the proxy server that is configured in ISM may be retrieved from the maintenance data.

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released V2.8.0.061 to fix this vulnerability.

Apply the Workarounds
Applying the following workarounds may mitigate the impact of this vulnerability.

  • Use a user ID and/or a password for the proxy server that does not include a "\" (backslash) character when downloading firmware
  • Store the maintenance data in a trusted location, and delete it when it is no longer needed
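
To check whether maintenance data that has already been collected contains the proxy password, the following added example (not code from JVN or Fujitsu) searches an unpacked copy of the data for a password supplied by the operator. It assumes the snapshot has been extracted to a directory; the function names, the list of encodings and the sample tree are constructed for illustration, since the advisory does not describe the ismsnap layout.

```python
import os
import tempfile

def secret_variants(secret):
    """Byte forms the password could take on disk (an assumed, non-exhaustive list)."""
    if not secret:
        raise ValueError("secret must be non-empty")
    return {
        "raw": secret.encode("utf-8"),
        "backslash-escaped": secret.replace("\\", "\\\\").encode("utf-8"),
        "utf-16le": secret.encode("utf-16-le"),
    }

def scan_tree(root, secret, chunk=1 << 20):
    """Return sorted (relative path, variant) pairs; the secret itself is never printed."""
    variants = secret_variants(secret)
    overlap = max(len(v) for v in variants.values()) - 1
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            tail = b""
            try:
                with open(path, "rb") as fh:
                    # Read in chunks, keeping a tail so matches across chunk edges are found.
                    while block := fh.read(chunk):
                        window = tail + block
                        for label, needle in variants.items():
                            if needle in window:
                                hits.add((os.path.relpath(path, root), label))
                        tail = window[-overlap:] if overlap else b""
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)

def demo():
    """Constructed sample tree standing in for an unpacked snapshot (not real ismsnap content)."""
    secret = "Pr0xy\\Pass"  # constructed value containing one backslash
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "log"))
        with open(os.path.join(root, "log", "download.log"), "wb") as fh:
            fh.write(b"x" * 10 + b"proxy=user:Pr0xy\\Pass@proxy.example:8080\n")
        with open(os.path.join(root, "settings.txt"), "wb") as fh:
            fh.write(b"proxy_host=proxy.example\n")
        return scan_tree(root, secret, chunk=8)

if __name__ == "__main__":
    print(demo())
```

A reported hit means that snapshot should be treated as containing the credential: restrict or delete it as the workaround describes, and change the proxy password.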

Products Affected

  • Fujitsu Software Infrastructure Manager Advanced Edition V2.8.0.060
  • Fujitsu Software Infrastructure Manager Advanced Edition for PRIMEFLEX V2.8.0.060
  • Fujitsu Software Infrastructure Manager Essential Edition V2.8.0.060
