Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0383 Multiple vulnerabilities have been found in Hitachi products 3 February 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Hitachi Command Suite Hitachi Automation Director Hitachi Configuration Manager Hitachi Infrastructure Analytics Advisor Hitachi Ops Center Operating System: Virtualisation Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Mitigation CVE Names: CVE-2020-2659 CVE-2020-2655 CVE-2020-2654 CVE-2020-2604 CVE-2020-2601 CVE-2020-2593 CVE-2020-2590 CVE-2020-2585 CVE-2020-2583 CVE-2019-16168 CVE-2019-13118 CVE-2019-13117 Reference: ASB-2020.0028 ASB-2020.0027 ASB-2020.0018 ASB-2020.0017 ESB-2020.0380 ESB-2020.0358 ESB-2020.0292 Original Bulletin: https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/ hitachi-sec-2020-103/index.html - --------------------------BEGIN INCLUDED TEXT-------------------- Update: January 31, 2020 Multiple vulnerabilities have been found in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center. Security Information ID hitachi-sec-2020-103 Vulnerability description Multiple vulnerabilities have been found in Hitachi Command Suite, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center. CVE-2019-13117, CVE-2019-13118, CVE-2019-16168, CVE-2020-2583, CVE-2020-2585, CVE-2020-2590, CVE-2020-2593, CVE-2020-2601, CVE-2020-2604, CVE-2020-2654, CVE-2020-2655, CVE-2020-2659 Affected products and versions are listed below. Please upgrade your version to the appropriate version, or apply the Workarounds. The product name in Hitachi Command Suite is changed in Hitachi Ops Center series on some products. To find fixed products, need to find same number following product name in [Affected products] and [Fixed products]. Affected products - - Hitachi Command Suite Product name: Hitachi Device Manager ---(1) Component name: Device Manager Server Version(s): All versions Product name: Hitachi Device Manager ---(1) Component name: Device Manager Agent Version(s): All versions Product name: Hitachi Device Manager ---(1) Component name: Host Data Collector Version(s): All versions Product name: Hitachi Tiered Storage Manager ---(2) Version(s): All versions Product name: Hitachi Replication Manager ---(3) Version(s): All versions Product name: Hitachi Tuning Manager ---(4) Component name: Hitachi Tuning Manager server Version(s): All versions Product name: Hitachi Tuning Manager Component name: Hitachi Tuning Manager - Agent for RAID Version(s): All versions Product name: Hitachi Tuning Manager Component name: Hitachi Tuning Manager - Agent for NAS Version(s): All versions Product name: Hitachi Tuning Manager Component name: Hitachi Tuning Manager - Agent for SAN Switch Version(s): All versions Product name: Hitachi Dynamic Link Manager ---(5) Version(s): All versions Product name: Hitachi Global Link Manager ---(6) Version(s): All versions Product name: Hitachi Compute Systems Manager ---(7) Version(s): All versions Product name: Hitachi Automation Director ---(8) Version(s): All versions Product name: Hitachi Configuration Manager ---(9) Version(s): All versions Product name: Hitachi Infrastructure Analytics Advisor ---(10) Component name: Hitachi Infrastructure Analytics Advisor Version(s): All versions Product name: Hitachi Infrastructure Analytics Advisor Component name: Analytics probe server Version(s): All versions - - Hitachi Ops Center Product name: Hitachi Ops Center Automator ---(8) Version(s): All versions Product name: Hitachi Ops Center API Configuration Manager ---(9) Version(s): All versions Product name: Hitachi Ops Center Analyzer ---(10) Version(s): All versions Product name: Hitachi Ops Center Analyzer viewpoint ---(11) Version(s): All versions Product name: Hitachi Ops Center Common Services ---(12) Version(s): All versions Fixed products - - Hitachi Command Suite Product name: Hitachi Device Manager ---(1) Scheduled version(s): Product name: Hitachi Tiered Storage Manager ---(2) Scheduled version(s): Product name: Hitachi Replication Manager ---(3) Scheduled version(s): Product name: Hitachi Tuning Manager ---(4) Scheduled version(s): Product name: Hitachi Dynamic Link Manager ---(5) Scheduled version(s): Product name: Hitachi Global Link Manager ---(6) Scheduled version(s): Product name: Hitachi Compute Systems Manager ---(7) Scheduled version(s): Product name: Hitachi Automation Director ---(8) Scheduled version(s): Product name: Hitachi Configuration Manager ---(9) Scheduled version(s): - - Hitachi Ops Center Product name: Hitachi Ops Center Automator ---(8) Scheduled version(s): Product name: Hitachi Ops Center API Configuration Manager ---(9) Scheduled version(s): Product name: Hitachi Ops Center Analyzer ---(10) Scheduled version(s): Product name: Hitachi Ops Center Analyzer viewpoint ---(11) Scheduled version(s): Product name: Hitachi Ops Center Common Services ---(12) Scheduled version(s): For details on the fixed products, contact your Hitachi support service representative. Workarounds Hitachi Command Suite, Hitachi Infrastructure Analytics Advisor, Hitachi Automation Director, Hitachi Configuration Manager, Hitachi Ops Center Analyzer, Hitachi Ops Center Automator and Hitachi Ops Center API Configuration Manager None If you have support agreement with Oracle Java, execute the following temporary solution. Change the JDK used by Hitachi Command Suite products to the Oracle JDK(8u241 or later). For details about precondition and procedure, see product documents.(*1) Hitachi Ops Center Analyzer viewpoint Change the JDK used by Hitachi Ops Center Analyzer viewpoint to the Amazon Corretto(11.0.6). For details about procedure, contact your Hitachi support service representative. Hitachi Ops Center Common Services Change the JDK used by Hitachi Ops Center Common Services to the Amazon Corretto(8.242). For details about procedure, contact your Hitachi support service representative. *1 About Hitachi Infrastructure Analytics Advisor (including Analytics probe) and Hitachi Ops Center Analyzer (including Analyzer probe), contact your Hitachi support service representative. Revision history January 31, 2019 This page is released. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXjdlp2aOgq3Tt24GAQip1Q//QYKz1SpN+NTgG6T0A4HIg3zNzoFGJ/w5 MeAyRV46Q2x13TaNcUZUT+c9PBirk/40ie0yl2hOWtJVA22Va1LRJ1cZyrBBpX15 ZZX7qB8/6GYjD2rdqJ5cxixTc7ouasVytgv10u9sFwtXT8KvROeTfn8Db/VFUL1x UFOYcHK8nWnj5lzjvRY12DmtiF+J/U39DPLMG6GUYNCw0NQMqIFSQDpWlo6m3BlQ yvnKZokrc0BcRlDpkKcUYWIeUHkw4FpM8DiBe0HzqxPXAO8hetdSboi771zvoidR bN8pRRSPezGClyFhZFlG+w4Q23UsOoP+hvmbxVsJ7ImiyW1ZhgJNj00QXXmqrgH8 tEsP2Lk1rdaPNcZInTFqJOqZLZbwSWlkgkcmm79vgJHQ+IkYgrk7pzhabRVnrCGt r363Y34gCyAcBZjmiJeG380YbhHXO1PRUEHG+eQ4M0D/7wLIj0u0MyaxHMZZ1YK9 RpYlKZonvHW2aLfXUCh57Tbn5LTFKay2vFn/wlzi5jaLjmvUbV6iBp70/SndC+d0 UHuTV9cunFpA24g5gVgWIIwfE3PIzDSt6kaw4yQKL803Cl0TNDRLDPwl2OPuaizs 3va//ZBMsJNzyxCvxPo8sfXc0mCQdSTktdj4fsgXTSflZ//vDCQLqw7yh9izKW+A a4MxRclvZLo= =UK6p -----END PGP SIGNATURE-----