Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1734.2
Multiple Vulnerabilities in Cosminexus
18 May 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Hitachi Cosminexus
Publisher: Hitachi
Operating System: Windows
Linux variants
HP-UX
AIX
Solaris
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2018-13785 CVE-2018-3214 CVE-2018-3183
CVE-2018-3180 CVE-2018-3169 CVE-2018-3157
CVE-2018-3150 CVE-2018-3149 CVE-2018-3139
CVE-2018-3136 CVE-2018-2973 CVE-2018-2972
CVE-2018-2952 CVE-2018-2940 CVE-2018-2815
CVE-2018-2814 CVE-2018-2800 CVE-2018-2799
CVE-2018-2798 CVE-2018-2797 CVE-2018-2796
CVE-2018-2795 CVE-2018-2794 CVE-2018-2790
CVE-2018-2783 CVE-2018-2678 CVE-2018-2677
CVE-2018-2663 CVE-2018-2657 CVE-2018-2641
CVE-2018-2637 CVE-2018-2634 CVE-2018-2633
CVE-2018-2629 CVE-2018-2618 CVE-2018-2603
CVE-2018-2602 CVE-2018-2599 CVE-2018-2588
CVE-2018-2582 CVE-2018-2579 CVE-2017-10388
CVE-2017-10357 CVE-2017-10356 CVE-2017-10355
CVE-2017-10350 CVE-2017-10349 CVE-2017-10348
CVE-2017-10347 CVE-2017-10346 CVE-2017-10345
CVE-2017-10295 CVE-2017-10293 CVE-2017-10285
CVE-2017-10281 CVE-2017-10274 CVE-2017-10243
CVE-2017-10198 CVE-2017-10193 CVE-2017-10176
CVE-2017-10135 CVE-2017-10118 CVE-2017-10116
CVE-2017-10115 CVE-2017-10111 CVE-2017-10110
CVE-2017-10109 CVE-2017-10108 CVE-2017-10107
CVE-2017-10105 CVE-2017-10102 CVE-2017-10101
CVE-2017-10096 CVE-2017-10090 CVE-2017-10089
CVE-2017-10087 CVE-2017-10081 CVE-2017-10078
CVE-2017-10074 CVE-2017-10067 CVE-2017-10053
CVE-2017-3544 CVE-2017-3539 CVE-2017-3533
CVE-2017-3526 CVE-2017-3514 CVE-2017-3511
CVE-2017-3509 CVE-2017-3289 CVE-2017-3272
CVE-2017-3261 CVE-2017-3260 CVE-2017-3259
CVE-2017-3253 CVE-2017-3252 CVE-2017-3241
CVE-2017-3231 CVE-2016-10165 CVE-2016-9841
CVE-2016-5552 CVE-2016-5549 CVE-2016-5548
CVE-2016-5547 CVE-2016-5546 CVE-2016-2183
Reference: ASB-2018.0256
ASB-2018.0024
ESB-2020.0491
ESB-2019.3554
Original Bulletin:
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-101/index.html
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-121/index.html
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-102/index.html
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-131/index.html
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-131/index.html
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-111/index.html
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2018-111/index.html
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-120/index.html
Revision History: May 18 2020: Sending with new PGP key
May 15 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple Vulnerabilities in Cosminexus
o Security Information ID
o Vulnerability description
o Affected products
o Fixed products
o Revision history
Update: May 15, 2020
Multiple vulnerabilities have been found in Cosminexus.
Security Information ID
hitachi-sec-2017-101
Vulnerability description
Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java
contain the following vulnerabilities:
CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549,
CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253,
CVE-2017-3259, CVE-2017-3260, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289
Affected products and versions are listed below. Please upgrade your version to
the appropriate version.
These vulnerabilities exist in Cosminexus Developer's Kit for Java(TM) and
Hitachi Developer's Kit for Java which is a component product of other Hitachi
products.
For details about the fixed version about Cosminexus products, contact your
Hitachi support service representative.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
- - Cosminexus V8, V9
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Client
Product name: uCosminexus Developer
Product name: uCosminexus Developer Professional
Product name: uCosminexus Developer Standard
Product name: uCosminexus Service Architect
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform(64)
Version(s):
Windows
08-70 to 09-70
Windows(x64)
08-50 to 09-71
Linux
08-20 to 08-70
Linux(x64)
09-00 to 09-71
AIX
09-00 to 09-70
HP-UX(IPF)
09-00 to 09-50
Solaris(x64)
08-20
- - Hitachi Application Server
Product name: Hitachi Application Server
Product name: Hitachi Application Server for Developers
Version(s):
Windows
10-00 to 10-10
Windows(x64)
10-00 to 10-11
Linux(x64)
10-00 to 10-11
AIX
10-00 to 10-10
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
Platform
Gives the fixed version, and release date.
Scheduled version:
Platform
Gives the fixed version scheduled to be released.
Product name: Cosminexus Developer's Kit for Java(TM)
Version(s):
Windows(x86)
09-70-10 August 31, 2017
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Windows(x64)
09-70-10 August 31, 2017
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Linux(x64)
09-70-10 August 31, 2017
HP-UX(IPF)
09-50-12 November 25, 2019
09-00-12 November 25, 2019
Product name: Hitachi Developer's Kit for Java
Version(s):
Windows(x86)
10-10-10 August 31, 2017
Windows(x64)
10-10-10 August 31, 2017
10-11-06 August 31, 2017
Linux(x64)
10-11-06 August 31, 2017
For details on the fixed products, contact your Hitachi support service
representative.
Revision history
May 15, 2020
Information about fixed versions is updated.
December 21, 2017
Information about fixed versions is updated.
January 27, 2017
This page is released.
o Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of
these Web pages are subject to change without prior notice. When
referencing information, please confirm that you are referencing the latest
information.
o The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness
of this information, the contents of the Web pages may change depending on
the changes made by the developers.
o The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information
contained in them. Hitachi shall not be liable for any consequences arising
out of or in connection with the security countermeasures or other actions
that you will take or have taken (or not taken) by yourself.
o The links to other web sites are valid at the time of the release of the
page. Although Hitachi makes an effort to maintain the links, Hitachi
cannot guarantee their permanent availability.
o To Page Top
Disclaimer and copyrights
o Terms of Use
o Privacy Policy
o Trademarks & Abbreviations
(C) Hitachi, Ltd.1994, 2020. All rights reserved.
- --------------------------------------------------------------------------------
Multiple Vulnerabilities in Cosminexus
o Security Information ID
o Vulnerability description
o Affected products
o Fixed products
o Revision history
Update: May 15, 2020
Multiple vulnerabilities have been found in Cosminexus.
Security Information ID
hitachi-sec-2018-121
Vulnerability description
Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java
contain the following vulnerabilities:
CVE-2018-2940, CVE-2018-2952, CVE-2018-2972, CVE-2018-2973
Affected products and versions are listed below. Please upgrade your version to
the appropriate version.
These vulnerabilities exist in Cosminexus Developer's Kit for Java(TM) and
Hitachi Developer's Kit for Java which is a component product of other Hitachi
products.
For details about the fixed version about Cosminexus products, contact your
Hitachi support service representative.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
- - Cosminexus V8, V9
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Client
Product name: uCosminexus Developer
Product name: uCosminexus Developer Professional
Product name: uCosminexus Developer Standard
Product name: uCosminexus Service Architect
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform(64)
Version(s):
Windows
08-70 to 09-70
Windows(x64)
08-50 to 09-80
Linux(x64)
08-20 to 09-80
AIX
09-00 to 09-70
HP-UX(IPF)
09-00 to 09-50
Solaris(x64)
08-20
- - Hitachi Application Server
Product name: Hitachi Application Server
Product name: Hitachi Application Server for Developers
Version(s):
Windows
10-10
Windows(x64)
10-10 to 10-11
Linux(x64)
10-11
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
Platform
Gives the fixed version, and release date.
Scheduled version:
Platform
Gives the fixed version scheduled to be released.
Product name: Cosminexus Developer's Kit for Java(TM)
Version(s):
Windows(x86)
09-70-15 November 30, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Windows(x64)
09-70-15 November 30, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Linux(x64)
09-70-15 November 30, 2018
HP-UX(IPF)
09-50-12 November 25, 2019
09-00-12 November 25, 2019
Product name: Hitachi Developer's Kit for Java
Version(s):
Windows(x86)
10-10-15 November 30, 2018
Windows(x64)
10-11-15 November 30, 2018
10-10-15 November 30, 2018
Linux(x64)
10-11-15 November 30, 2018
For details on the fixed products, contact your Hitachi support service
representative.
Revision history
May 15, 2020
Information about fixed versions is updated.
December 10, 2018
Information about fixed versions is updated.
July 27, 2018
This page is released.
o Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of
these Web pages are subject to change without prior notice. When
referencing information, please confirm that you are referencing the latest
information.
o The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness
of this information, the contents of the Web pages may change depending on
the changes made by the developers.
o The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information
contained in them. Hitachi shall not be liable for any consequences arising
out of or in connection with the security countermeasures or other actions
that you will take or have taken (or not taken) by yourself.
o The links to other web sites are valid at the time of the release of the
page. Although Hitachi makes an effort to maintain the links, Hitachi
cannot guarantee their permanent availability.
o To Page Top
Disclaimer and copyrights
o Terms of Use
o Privacy Policy
o Trademarks & Abbreviations
(C) Hitachi, Ltd.1994, 2020. All rights reserved.
- --------------------------------------------------------------------------------
Multiple Vulnerabilities in Cosminexus
o Security Information ID
o Vulnerability description
o Affected products
o Fixed products
o Revision history
Update: May 15, 2020
Multiple vulnerabilities have been found in Cosminexus.
Security Information ID
hitachi-sec-2018-102
Vulnerability description
Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java
contain the following vulnerabilities:
CVE-2018-2579, CVE-2018-2582, CVE-2018-2588, CVE-2018-2599, CVE-2018-2602,
CVE-2018-2603, CVE-2018-2618, CVE-2018-2629, CVE-2018-2633, CVE-2018-2634,
CVE-2018-2637, CVE-2018-2641, CVE-2018-2657, CVE-2018-2663, CVE-2018-2677,
CVE-2018-2678
Affected products and versions are listed below. Please upgrade your version to
the appropriate version.
These vulnerabilities exist in Cosminexus Developer's Kit for Java(TM) and
Hitachi Developer's Kit for Java which is a component product of other Hitachi
products.
For details about the fixed version about Cosminexus products, contact your
Hitachi support service representative.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
- - Cosminexus V8, V9
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Client
Product name: uCosminexus Developer
Product name: uCosminexus Developer Professional
Product name: uCosminexus Developer Standard
Product name: uCosminexus Service Architect
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform(64)
Version(s):
Windows
08-70 to 09-70
Windows(x64)
08-50 to 09-71
Linux(x64)
08-20 to 09-71
AIX
09-00 to 09-70
HP-UX(IPF)
09-00 to 09-50
Solaris(x64)
08-20
- - Hitachi Application Server
Product name: Hitachi Application Server
Product name: Hitachi Application Server for Developers
Version(s):
Windows
10-10
Windows(x64)
10-10 to 10-11
Linux(x64)
10-11
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
Platform
Gives the fixed version, and release date.
Scheduled version:
Platform
Gives the fixed version scheduled to be released.
Product name: Cosminexus Developer's Kit for Java(TM)
Version(s):
Windows(x86)
09-70-15 November 30, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Windows(x64)
09-70-15 November 30, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Linux(x64)
09-70-15 November 30, 2018
HP-UX(IPF)
09-50-12 November 25, 2019
09-00-12 November 25, 2019
Product name: Hitachi Developer's Kit for Java
Version(s):
Windows(x86)
10-10-15 November 30, 2018
Windows(x64)
10-11-15 November 30, 2018
10-10-15 November 30, 2018
Linux(x64)
10-11-15 November 30, 2018
For details on the fixed products, contact your Hitachi support service
representative.
Revision history
May 15, 2020
Information about fixed versions is updated.
December 10, 2018
Information about fixed versions is updated.
January 31, 2018
This page is released.
o Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of
these Web pages are subject to change without prior notice. When
referencing information, please confirm that you are referencing the latest
information.
o The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness
of this information, the contents of the Web pages may change depending on
the changes made by the developers.
o The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information
contained in them. Hitachi shall not be liable for any consequences arising
out of or in connection with the security countermeasures or other actions
that you will take or have taken (or not taken) by yourself.
o The links to other web sites are valid at the time of the release of the
page. Although Hitachi makes an effort to maintain the links, Hitachi
cannot guarantee their permanent availability.
o To Page Top
Disclaimer and copyrights
o Terms of Use
o Privacy Policy
o Trademarks & Abbreviations
(C) Hitachi, Ltd.1994, 2020. All rights reserved.
- --------------------------------------------------------------------------------
Multiple Vulnerabilities in Cosminexus
o Security Information ID
o Vulnerability description
o Affected products
o Fixed products
o Revision history
Update: May 15, 2020
Multiple vulnerabilities have been found in Cosminexus.
Security Information ID
hitachi-sec-2017-131
Vulnerability description
Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java
contain the following vulnerabilities:
CVE-2016-9841, CVE-2016-10165, CVE-2017-10274, CVE-2017-10281, CVE-2017-10285,
CVE-2017-10293, CVE-2017-10295, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347,
CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10355, CVE-2017-10356,
CVE-2017-10357, CVE-2017-10388
Cosminexus XML Processor contain the following vulnerabilities:
CVE-2017-10349,CVE-2017-10355(*1)
*1
CVE-2017-10355 is fixed in the fixed version of Cosminexus Developer's Kit
for Java(TM).
Affected products and versions are listed below. Please upgrade your version to
the appropriate version.
These vulnerabilities exist in Cosminexus Developer's Kit for Java(TM), Hitachi
Developer's Kit for Java and Cosminexus XML Processor which is a component
product of other Hitachi products.
For details about the fixed version about Cosminexus products, contact your
Hitachi support service representative.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
- - Cosminexus V5, V6, V7, V8, V9
Product name: Cosminexus Studio
Product name: Cosminexus Studio Light
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Express
Product name: uCosminexus Application Server Light
Product name: uCosminexus Application Server Smart Edition
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Application Server-R
Product name: uCosminexus Client
Product name: uCosminexus Client for Plug-in
Product name: uCosminexus Developer
Product name: uCosminexus Developer 01
Product name: uCosminexus Developer Light
Product name: uCosminexus Developer Professional
Product name: uCosminexus Developer Professional for Plug-in
Product name: uCosminexus Developer Standard
Product name: uCosminexus Operator
Product name: uCosminexus Operator for Service Platform
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Server Standard-R
Product name: uCosminexus Service Architect
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform - Messaging
Product name: uCosminexus Service Platform(64)
Version(s):
Windows
05-00 to 09-70
Windows(x64)
05-00 to 09-71
Windows(IPF)
06-00 to 06-70
Linux
05-05 to 08-70
Linux(x64)
07-00 to 09-71
Linux(IPF)
06-00 to 08-50
AIX
05-00 to 09-70
HP-UX
05-00 to 07-10
HP-UX(IPF)
06-51 to 09-50
Solaris(SPARC)
05-05 to 08-20
Solaris(x64)
08-20
- - Hitachi Application Server
Product name: Hitachi Application Server
Product name: Hitachi Application Server for Developers
Version(s):
Windows
10-10
Windows(x64)
10-10 to 10-11
Linux(x64)
10-11
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
Platform
Gives the fixed version, and release date.
Scheduled version:
Platform
Gives the fixed version scheduled to be released.
Product name: Cosminexus Developer's Kit for Java(TM)
Version(s):
Windows(x86)
09-70-15 November 30, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Windows(x64)
09-70-15 November 30, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Linux(x64)
09-70-15 November 30, 2018
HP-UX(IPF)
09-50-12 November 25, 2019
09-00-12 November 25, 2019
Product name: Hitachi Developer's Kit for Java
Version(s):
Windows(x86)
10-10-15 November 30, 2018
Windows(x64)
10-11-15 November 30, 2018
10-10-15 November 30, 2018
Linux(x64)
10-11-15 November 30, 2018
Product name: Cosminexus XML Processor
Version(s):
Windows(x86)
09-50-11 February 27, 2018
08-70-04 December 4, 2018
08-50-06 March 29, 2019
Windows(x64)
09-50-11 February 27, 2018
08-70-04 December 4, 2018
08-50-06 March 29, 2019
Linux
08-70-04 December 4, 2018
08-50-06 March 29, 2019
Linux(IPF)
08-50-06 March 29, 2019
Linux(x64)
09-50-11 February 27, 2018
08-70-04 December 4, 2018
08-50-06 March 29, 2019
AIX
09-50-11 February 27, 2018
08-70-04 December 4, 2018
08-50-06 March 29, 2019
HP-UX(IPF)
09-50-11 February 27, 2018
08-70-04 December 4, 2018
08-50-06 March 29, 2019
For details on the fixed products, contact your Hitachi support service
representative.
Revision history
May 15, 2020
Information about fixed versions is updated.
April 10, 2019
Information about fixed versions is updated.
December 10, 2018
Information about fixed versions is updated.
July 6, 2018
Information about fixed versions is updated.
May 11, 2018
Information about vulnerability description, affected products and fixed
versions are updated.
October 27, 2017
This page is released.
o Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of
these Web pages are subject to change without prior notice. When
referencing information, please confirm that you are referencing the latest
information.
o The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness
of this information, the contents of the Web pages may change depending on
the changes made by the developers.
o The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information
contained in them. Hitachi shall not be liable for any consequences arising
out of or in connection with the security countermeasures or other actions
that you will take or have taken (or not taken) by yourself.
o The links to other web sites are valid at the time of the release of the
page. Although Hitachi makes an effort to maintain the links, Hitachi
cannot guarantee their permanent availability.
o To Page Top
Disclaimer and copyrights
o Terms of Use
o Privacy Policy
o Trademarks & Abbreviations
(C) Hitachi, Ltd.1994, 2020. All rights reserved.
- --------------------------------------------------------------------------------
Multiple Vulnerabilities in Cosminexus
o Security Information ID
o Vulnerability description
o Affected products
o Fixed products
o Revision history
Update: May 15, 2020
Multiple vulnerabilities have been found in Cosminexus.
Security Information ID
hitachi-sec-2018-131
Vulnerability description
Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java
contain the following vulnerabilities:
CVE-2018-3136, CVE-2018-3139, CVE-2018-3149, CVE-2018-3150, CVE-2018-3157,
CVE-2018-3169, CVE-2018-3180, CVE-2018-3183, CVE-2018-3214, CVE-2018-13785
Affected products and versions are listed below. Please upgrade your version to
the appropriate version.
These vulnerabilities exist in Cosminexus Developer's Kit for Java(TM) and
Hitachi Developer's Kit for Java which is a component product of other Hitachi
products.
For details about the fixed version about Cosminexus products, contact your
Hitachi support service representative.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
- - Cosminexus V8, V9
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Client
Product name: uCosminexus Developer
Product name: uCosminexus Developer Professional
Product name: uCosminexus Developer Standard
Product name: uCosminexus Service Architect
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform(64)
Version(s):
Windows
08-70 to 09-70
Windows(x64)
08-50 to 09-80
Linux(x64)
08-20 to 09-80
AIX
09-00 to 09-80
HP-UX(IPF)
09-00 to 09-50
Solaris(x64)
08-20
- - Hitachi Application Server
Product name: Hitachi Application Server
Product name: Hitachi Application Server for Developers
Version(s):
Windows
10-10
Windows(x64)
10-10 to 10-11
Linux(x64)
10-11
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
Platform
Gives the fixed version, and release date.
Scheduled version:
Platform
Gives the fixed version scheduled to be released.
Product name: Cosminexus Developer's Kit for Java(TM)
Version(s):
Windows(x86)
09-70-15 November 30, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Windows(x64)
09-70-15 November 30, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Linux(x64)
09-70-15 November 30, 2018
HP-UX(IPF)
09-50-12 November 25, 2019
09-00-12 November 25, 2019
Product name: Hitachi Developer's Kit for Java
Version(s):
Windows(x86)
10-10-15 November 30, 2018
Windows(x64)
10-11-15 November 30, 2018
10-10-15 November 30, 2018
Linux(x64)
10-11-15 November 30, 2018
For details on the fixed products, contact your Hitachi support service
representative.
Revision history
May 15, 2020
Information about fixed versions is updated.
December 10, 2018
Information about fixed versions is updated.
October 26, 2018
This page is released.
o Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of
these Web pages are subject to change without prior notice. When
referencing information, please confirm that you are referencing the latest
information.
o The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness
of this information, the contents of the Web pages may change depending on
the changes made by the developers.
o The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information
contained in them. Hitachi shall not be liable for any consequences arising
out of or in connection with the security countermeasures or other actions
that you will take or have taken (or not taken) by yourself.
o The links to other web sites are valid at the time of the release of the
page. Although Hitachi makes an effort to maintain the links, Hitachi
cannot guarantee their permanent availability.
o To Page Top
Disclaimer and copyrights
o Terms of Use
o Privacy Policy
o Trademarks & Abbreviations
(C) Hitachi, Ltd.1994, 2020. All rights reserved.
- --------------------------------------------------------------------------------
Multiple Vulnerabilities in Cosminexus
o Security Information ID
o Vulnerability description
o Affected products
o Fixed products
o Revision history
Update: May 15, 2020
Multiple vulnerabilities have been found in Cosminexus.
Security Information ID
hitachi-sec-2017-111
Vulnerability description
Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java
contain the following vulnerabilities:
CVE-2017-3509, CVE-2017-3511, CVE-2017-3514, CVE-2017-3526, CVE-2017-3533,
CVE-2017-3539, CVE-2017-3544
Affected products and versions are listed below. Please upgrade your version to
the appropriate version.
These vulnerabilities exist in Cosminexus Developer's Kit for Java(TM) and
Hitachi Developer's Kit for Java which is a component product of other Hitachi
products.
For details about the fixed version about Cosminexus products, contact your
Hitachi support service representative.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
- - Cosminexus V8, V9
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Client
Product name: uCosminexus Developer
Product name: uCosminexus Developer Professional
Product name: uCosminexus Developer Standard
Product name: uCosminexus Service Architect
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform(64)
Version(s):
Windows
08-70 to 09-70
Windows(x64)
08-50 to 09-71
Linux(x64)
08-20 to 09-71
AIX
09-00 to 09-70
HP-UX(IPF)
09-00 to 09-50
Solaris(x64)
08-20
- - Hitachi Application Server
Product name: Hitachi Application Server
Product name: Hitachi Application Server for Developers
Version(s):
Windows
10-00 to 10-10
Windows(x64)
10-00 to 10-11
Linux(x64)
10-00 to 10-11
AIX
10-00 to 10-10
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
Platform
Gives the fixed version, and release date.
Scheduled version:
Platform
Gives the fixed version scheduled to be released.
Product name: Cosminexus Developer's Kit for Java(TM)
Version(s):
Windows(x86)
09-70-10 August 31, 2017
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Windows(x64)
09-70-10 August 31, 2017
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Linux(x64)
09-70-10 August 31, 2017
HP-UX(IPF)
09-50-12 November 25, 2019
09-00-12 November 25, 2019
Product name: Hitachi Developer's Kit for Java
Version(s):
Windows(x86)
10-10-10 August 31, 2017
Windows(x64)
10-10-10 August 31, 2017
10-11-06 August 31, 2017
Linux(x64)
10-11-06 August 31, 2017
For details on the fixed products, contact your Hitachi support service
representative.
Revision history
May 15, 2020
Information about fixed versions is updated.
December 21, 2017
Information about fixed versions is updated.
April 26, 2017
This page is released.
o Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of
these Web pages are subject to change without prior notice. When
referencing information, please confirm that you are referencing the latest
information.
o The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness
of this information, the contents of the Web pages may change depending on
the changes made by the developers.
o The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information
contained in them. Hitachi shall not be liable for any consequences arising
out of or in connection with the security countermeasures or other actions
that you will take or have taken (or not taken) by yourself.
o The links to other web sites are valid at the time of the release of the
page. Although Hitachi makes an effort to maintain the links, Hitachi
cannot guarantee their permanent availability.
o To Page Top
Disclaimer and copyrights
o Terms of Use
o Privacy Policy
o Trademarks & Abbreviations
(C) Hitachi, Ltd.1994, 2020. All rights reserved.
- --------------------------------------------------------------------------------
Multiple Vulnerabilities in Cosminexus
o Security Information ID
o Vulnerability description
o Affected products
o Fixed products
o Revision history
Update: May 15, 2020
Multiple vulnerabilities have been found in Cosminexus.
Security Information ID
hitachi-sec-2018-111
Vulnerability description
Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java
contain the following vulnerabilities:
CVE-2018-2783, CVE-2018-2790, CVE-2018-2794, CVE-2018-2795, CVE-2018-2796,
CVE-2018-2797, CVE-2018-2798, CVE-2018-2799, CVE-2018-2800, CVE-2018-2814,
CVE-2018-2815
Affected products and versions are listed below. Please upgrade your version to
the appropriate version.
These vulnerabilities exist in Cosminexus Developer's Kit for Java(TM) and
Hitachi Developer's Kit for Java which is a component product of other Hitachi
products.
For details about the fixed version about Cosminexus products, contact your
Hitachi support service representative.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
- - Cosminexus V8, V9
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Client
Product name: uCosminexus Developer
Product name: uCosminexus Developer Professional
Product name: uCosminexus Developer Standard
Product name: uCosminexus Service Architect
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform(64)
Version(s):
Windows
08-70 to 09-70
Windows(x64)
08-50 to 09-71
Linux(x64)
08-20 to 09-71
AIX
09-00 to 09-70
HP-UX(IPF)
09-00 to 09-50
Solaris(x64)
08-20
- - Hitachi Application Server
Product name: Hitachi Application Server
Product name: Hitachi Application Server for Developers
Version(s):
Windows
10-10
Windows(x64)
10-10 to 10-11
Linux(x64)
10-11
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
Platform
Gives the fixed version, and release date.
Scheduled version:
Platform
Gives the fixed version scheduled to be released.
Product name: Cosminexus Developer's Kit for Java(TM)
Version(s):
Windows(x86)
09-70-15 November 30, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Windows(x64)
09-70-15 November 30, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Linux(x64)
09-70-15 November 30, 2018
HP-UX(IPF)
09-50-12 November 25, 2019
09-00-12 November 25, 2019
Product name: Hitachi Developer's Kit for Java
Version(s):
Windows(x86)
10-10-15 November 30, 2018
Windows(x64)
10-11-15 November 30, 2018
10-10-15 November 30, 2018
Linux(x64)
10-11-15 November 30, 2018
For details on the fixed products, contact your Hitachi support service
representative.
Revision history
May 15, 2020
Information about fixed versions is updated.
December 10, 2018
Information about fixed versions is updated.
April 25, 2018
This page is released.
o Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of
these Web pages are subject to change without prior notice. When
referencing information, please confirm that you are referencing the latest
information.
o The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness
of this information, the contents of the Web pages may change depending on
the changes made by the developers.
o The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information
contained in them. Hitachi shall not be liable for any consequences arising
out of or in connection with the security countermeasures or other actions
that you will take or have taken (or not taken) by yourself.
o The links to other web sites are valid at the time of the release of the
page. Although Hitachi makes an effort to maintain the links, Hitachi
cannot guarantee their permanent availability.
o To Page Top
Disclaimer and copyrights
o Terms of Use
o Privacy Policy
o Trademarks & Abbreviations
(C) Hitachi, Ltd.1994, 2020. All rights reserved.
- --------------------------------------------------------------------------------
Multiple Vulnerabilities in Cosminexus
o Security Information ID
o Vulnerability description
o Affected products
o Fixed products
o Revision history
Update: May 15, 2020
Multiple vulnerabilities have been found in Cosminexus.
Security Information ID
hitachi-sec-2017-120
Vulnerability description
Cosminexus Developer's Kit for Java(TM) and Hitachi Developer's Kit for Java
contain the following vulnerabilities:
CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10078, CVE-2017-10081,
CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101,
CVE-2017-10102, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109,
CVE-2017-10110, CVE-2017-10111, CVE-2017-10115, CVE-2017-10116, CVE-2017-10118,
CVE-2017-10135, CVE-2017-10176, CVE-2017-10193, CVE-2017-10198, CVE-2017-10243
Cosminexus XML Processor contain the following vulnerabilities:
CVE-2017-10096, CVE-2017-10101
Affected products and versions are listed below. Please upgrade your version to
the appropriate version.
These vulnerabilities exist in Cosminexus Developer's Kit for Java(TM), Hitachi
Developer's Kit for Java and Cosminexus XML Processor which is a component
product of other Hitachi products.
For details about the fixed version about Cosminexus products, contact your
Hitachi support service representative.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
- - Cosminexus V5, V6, V7, V8, V9
Product name: Cosminexus Studio
Product name: Cosminexus Studio Light
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Express
Product name: uCosminexus Application Server Light
Product name: uCosminexus Application Server Smart Edition
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Application Server-R
Product name: uCosminexus Client
Product name: uCosminexus Client for Plug-in
Product name: uCosminexus Developer
Product name: uCosminexus Developer 01
Product name: uCosminexus Developer Light
Product name: uCosminexus Developer Professional
Product name: uCosminexus Developer Professional for Plug-in
Product name: uCosminexus Developer Standard
Product name: uCosminexus Operator
Product name: uCosminexus Operator for Service Platform
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Server Standard-R
Product name: uCosminexus Service Architect
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform - Messaging
Product name: uCosminexus Service Platform(64)
Version(s):
Windows
05-00 to 09-70
Windows(x64)
05-00 to 09-71
Windows(IPF)
06-00 to 06-70
Linux
05-05 to 08-70
Linux(x64)
07-00 to 09-71
Linux(IPF)
06-00 to 08-50
AIX
05-00 to 09-70
HP-UX
05-00 to 07-10
HP-UX(IPF)
06-51 to 09-50
Solaris(SPARC)
05-05 to 08-20
Solaris(x64)
08-20
- - Hitachi Application Server
Product name: Hitachi Application Server
Product name: Hitachi Application Server for Developers
Version(s):
Windows
10-10
Windows(x64)
10-10 to 10-11
Linux(x64)
10-11
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
Platform
Gives the fixed version, and release date.
Scheduled version:
Platform
Gives the fixed version scheduled to be released.
Product name: Cosminexus Developer's Kit for Java(TM)
Version(s):
Windows(x86)
09-70-11 January 19, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Windows(x64)
09-70-11 January 19, 2018
09-50-23 December 9, 2019
09-00-23 December 9, 2019
Linux(x64)
09-70-11 January 19, 2018
HP-UX(IPF)
09-50-12 November 25, 2019
09-00-12 November 25, 2019
Product name: Cosminexus XML Processor
Version(s):
Windows
09-50-10 December 6, 2017
08-70-04 December 4, 2018
08-50-06 March 29, 2019
Windows(x64)
09-50-10 December 6, 2017
08-70-04 December 4, 2018
08-50-06 March 29, 2019
Linux
08-70-04 December 4, 2018
08-50-06 March 29, 2019
Linux(IPF)
08-50-06 March 29, 2019
Linux(x64)
09-50-10 December 6, 2017
08-70-04 December 4, 2018
08-50-06 March 29, 2019
AIX
09-50-10 December 6, 2017
08-70-04 December 4, 2018
08-50-06 March 29, 2019
HP-UX(IPF)
09-50-10 December 6, 2017
08-70-04 December 4, 2018
08-50-06 March 29, 2019
Product name: Hitachi Developer's Kit for Java
Version(s):
Windows(x86)
10-10-11 January 19, 2018
Windows(x64)
10-11-07 January 19, 2018
10-10-11 January 19, 2018
Linux(x64)
10-11-07 January 19, 2018
For details on the fixed products, contact your Hitachi support service
representative.
Revision history
May 15, 2020
Information about fixed versions is updated.
April 10, 2019
Information about fixed versions is updated.
December 10, 2018
Information about fixed versions is updated.
January 31, 2018
Information about fixed versions is updated.
December 21, 2017
Information about vulnerability description, affected products and fixed
versions are updated.
July 28, 2017
This page is released.
o Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of
these Web pages are subject to change without prior notice. When
referencing information, please confirm that you are referencing the latest
information.
o The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness
of this information, the contents of the Web pages may change depending on
the changes made by the developers.
o The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information
contained in them. Hitachi shall not be liable for any consequences arising
out of or in connection with the security countermeasures or other actions
that you will take or have taken (or not taken) by yourself.
o The links to other web sites are valid at the time of the release of the
page. Although Hitachi makes an effort to maintain the links, Hitachi
cannot guarantee their permanent availability.
o To Page Top
Disclaimer and copyrights
o Terms of Use
o Privacy Policy
o Trademarks & Abbreviations
(C) Hitachi, Ltd.1994, 2020. All rights reserved.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXsHiQ+NLKJtyKPYoAQh5Jw/9Hsw2NfTzFShAmzUE2BNFCy36tBKmIQ+u
S+xGUtBVPRnaE1FJaO40H0mKFi1si/9CbxcKVkn7QPOQEr4mvSNapnHEmYyhpR4K
fbriMvWyZDk3gRlZ0mTYXz9Smjdq9tuKwh64/7s8BSSgjF21uTkjP1PNO4MYdSLz
6QrXsmtKHnefgjnfF5QeLS/g1b9e1sEpk+ZQG1gRQqkJGfyhiNqbMfbEqGqlH4+U
3kCzVQjsTZDpbm7CwW8Ip34bcIIobJK017+pQOKszQnvNIhksVXK+DmWv5wbcQH3
GC+KcNzSUERC4O1xNrAA/v0GzGMbj0qMYiRgKv6iShuexMPmpAnVmpLL8BCrTvF1
r7jHLNu/bfyKHRrFi4cWuadqJqfJDhaFv9B75m6tSXfZGzWfotaeMKe5magKnsJ8
nyYZkYb+abdY9X3comC4MoVRmeuyNcs7YgZyotVqHvz3kMz2tGkmss7hg4E425fD
P/uh7yX0qnjTe8Fw/QtsFo/UpwF0mLYJqzPU0iumy3uCprnYXRdYDM3P7yAKS4SL
/pe1xmUa/RLurMJhj7YZwyl59K7FPkaNZPm2FyOexqpXlIKivCJdmKmeY5C2lMuB
Tda/N99tUpyq5eJJ7YN7bfqIAkzrJ/ck/JgdTS3IicUVBKDzqXKYlzi7DFwKBaxU
Q0DV753DQ64=
=nH6Y
-----END PGP SIGNATURE-----