ESB-2018.0318 - [Win][UNIX/Linux] Hitachi Cosminexus: Multiple vulnerabilities 2018-02-01


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0318
          Multiple vulnerabilities have been found in Cosminexus
                              1 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Hitachi Cosminexus
Publisher:         Hitachi
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-2678 CVE-2018-2677 CVE-2018-2663
                   CVE-2018-2657 CVE-2018-2641 CVE-2018-2637
                   CVE-2018-2634 CVE-2018-2633 CVE-2018-2629
                   CVE-2018-2618 CVE-2018-2603 CVE-2018-2602
                   CVE-2018-2599 CVE-2018-2588 CVE-2018-2582
                   CVE-2018-2579  

Reference:         ASB-2018.0024
                   ESB-2018.0205
                   ESB-2018.0180

Original Bulletin: 
   http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-102/index.html

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities have been found in Cosminexus.

Security Information ID
hitachi-sec-2018-102


Vulnerability description

Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java
contain the following vulnerabilities:

CVE-2018-2579, CVE-2018-2582, CVE-2018-2588, CVE-2018-2599, CVE-2018-2602,
CVE-2018-2603, CVE-2018-2618, CVE-2018-2629, CVE-2018-2633, CVE-2018-2634,
CVE-2018-2637, CVE-2018-2641, CVE-2018-2657, CVE-2018-2663, CVE-2018-2677,
CVE-2018-2678

Affected products and versions are listed below. Please upgrade to the
appropriate version.

These vulnerabilities exist in Cosminexus Developer's Kit for Java(TM) and
Hitachi Developer's Kit for Java, which are component products of other Hitachi
products.

For details about the fixed versions of Cosminexus products, contact your
Hitachi support service representative.


Affected products

The information is organized under the following headings:

- (Example)
Product name: Gives the name of the affected product.

Version:

Platform
    Gives the affected version.


- Cosminexus V8, V9
	Product name: uCosminexus Application Server
	Product name: uCosminexus Application Server Enterprise
	Product name: uCosminexus Application Server Standard
	Product name: uCosminexus Application Server Standard-R
	Product name: uCosminexus Application Server(64)
	Product name: uCosminexus Client
	Product name: uCosminexus Developer
	Product name: uCosminexus Developer Professional
	Product name: uCosminexus Developer Standard
	Product name: uCosminexus Service Architect
	Product name: uCosminexus Service Platform
	Product name: uCosminexus Service Platform(64)

	Version(s):

	Windows
	    08-70 to 09-70
	Windows(x64)
	    08-50 to 09-71
	Linux(x64)
	    08-20 to 09-71
	AIX
	    09-00 to 09-70
	HP-UX(IPF)
	    09-00 to 09-50
	Solaris(x64)
	    08-20

- Hitachi Application Server
	Product name: Hitachi Application Server
	Product name: Hitachi Application Server for Developers

	Version(s):

	Windows
	    10-10
	Windows(x64)
	    10-10 to 10-11
	Linux(x64)
	    10-11

Fixed products

The information is organized under the following headings:
- (Example)
Product name: Gives the name of the fixed product.

Version:

Platform
    Gives the fixed version, and release date.

Scheduled version:

Platform
    Gives the fixed version scheduled to be released.


    Product name: Cosminexus Developer's Kit for Java(TM)

    Scheduled version(s):

    Product name: Hitachi Developer's Kit for Java

    Scheduled version(s):

For details on the fixed products, contact your Hitachi support service
representative.


Revision history

January 31, 2018
    This page was released.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
