
JVN#54857505: Hammock AssetView missing authentication for critical functions

Published: 2022-04-22 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0.01 Low (Percentile: 83.4%)

AssetView, provided by Hammock Corporation, is missing authentication for some critical functions (CWE-306) on the managing server.

Impact

With some knowledge of the system configuration, a remote attacker may upload a crafted configuration file to the managing server, which causes the managed clients to execute arbitrary code with administrative privileges.

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
The developer has released the patch listed below, which contains a fix for this vulnerability.

  • AssetView Server Communication module Hotfix
    According to the developer, a patch for versions prior to Ver.11.0.0 will not be released because those versions are no longer supported.
    Therefore, update to Ver.11.0.0 or later, and then apply the patch.

For more information, refer to the information provided by the developer (Text in Japanese).

Products Affected

  • AssetView prior to Ver.13.2.0
    According to the developer, AssetView CLOUD is not affected by this vulnerability.
