ID

VAR-200708-0154


CVE

CVE-2007-4124


TITLE

Cosminexus Component Container Session Handling Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2007-001133

DESCRIPTION

The session failover function in Cosminexus Component Container in Cosminexus 6, 6.7, and 7 before 20070731, as used in multiple Hitachi products, can use session data for the wrong user under unspecified conditions, which might allow remote authenticated users to obtain sensitive information, corrupt another user's session data, and possibly gain privileges.

Hitachi uCosminexus is an application server system. There is a vulnerability in Hitachi uCosminexus's session failover implementation. Remote attackers may use this vulnerability to obtain session-related sensitive data. Details of the vulnerability are currently unknown.

----------------------------------------------------------------------

TITLE: Hitachi Products Cosminexus Component Container Improper Session Data Handling

SECUNIA ADVISORY ID: SA26250

VERIFY ADVISORY: http://secunia.com/advisories/26250/

CRITICAL: Less critical

IMPACT: Security Bypass, Exposure of sensitive information

WHERE: From local network

SOFTWARE:
uCosminexus Application Server http://secunia.com/product/13819/
uCosminexus Service Platform http://secunia.com/product/13823/
uCosminexus Developer http://secunia.com/product/13820/
uCosminexus Service Architect http://secunia.com/product/13821/
Cosminexus 6.x http://secunia.com/product/5795/

DESCRIPTION: A security issue has been reported in Hitachi products, which potentially can be exploited by malicious users to gain knowledge of sensitive information or bypass certain security restrictions. Please see the vendor's advisory for a list of affected products and versions.

SOLUTION: Please see the vendor's advisory for fix details.

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY: http://www.hitachi-support.com/security_e/vuls_e/HS07-024_e/index-e.html

Trust: 2.52

sources: NVD: CVE-2007-4124 // JVNDB: JVNDB-2007-001133 // CNVD: CNVD-2007-4792 // BID: 25145 // PACKETSTORM: 58201

IOT TAXONOMY

category: ['ICS'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2007-4792

AFFECTED PRODUCTS

vendor: hitachi | model: ucosminexus application server | scope: eq | version: enterprise

Trust: 1.4

vendor: hitachi | model: ucosminexus application server | scope: eq | version: standard

Trust: 1.4

vendor: hitachi | model: ucosminexus developer | scope: eq | version: light

Trust: 1.4

vendor: hitachi | model: ucosminexus developer | scope: eq | version: professional

Trust: 1.4

vendor: hitachi | model: ucosminexus developer | scope: eq | version: standard

Trust: 1.4

vendor: hitachi | model: ucosminexus erp integrator | scope: - | version: -

Trust: 1.4

vendor: hitachi | model: cosminexus opentp1 web front-end set | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: ucosminexus service platform | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: ucosminexus application server | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: cosminexus collaboration portal | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: cosminexus application server | scope: eq | version: 6

Trust: 1.0

vendor: hitachi | model: cosminexus developer | scope: eq | version: 6

Trust: 1.0

vendor: hitachi | model: ucosminexus developer | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: ucosminexus erp integrator | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: ucosminexus service architect | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: electronic form workflow | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: ucosminexus opentp1 web front-end set | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: ucosminexus collaboration portal | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: groupmax collaboration portal | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: cosminexus erp integrator | scope: eq | version: *

Trust: 1.0

vendor: hitachi | model: cosminexus application server | scope: eq | version: enterprise version 6

Trust: 0.8

vendor: hitachi | model: cosminexus application server | scope: eq | version: standard version 6

Trust: 0.8

vendor: hitachi | model: cosminexus collaboration | scope: eq | version: server

Trust: 0.8

vendor: hitachi | model: cosminexus component container | scope: - | version: -

Trust: 0.8

vendor: hitachi | model: cosminexus developer | scope: eq | version: light version 6

Trust: 0.8

vendor: hitachi | model: cosminexus developer | scope: eq | version: professional version 6

Trust: 0.8

vendor: hitachi | model: cosminexus developer | scope: eq | version: standard version 6

Trust: 0.8

vendor: hitachi | model: cosminexus erp integrator | scope: - | version: -

Trust: 0.8

vendor: hitachi | model: cosminexus/opentp1 | scope: eq | version: web front-end set

Trust: 0.8

vendor: hitachi | model: electronic form workflow | scope: eq | version: developer client set

Trust: 0.8

vendor: hitachi | model: electronic form workflow | scope: eq | version: professional library set

Trust: 0.8

vendor: hitachi | model: electronic form workflow | scope: eq | version: standard set

Trust: 0.8

vendor: hitachi | model: groupmax collaboration | scope: eq | version: server

Trust: 0.8

vendor: hitachi | model: ucosminexus collaboration | scope: eq | version: server

Trust: 0.8

vendor: hitachi | model: ucosminexus service | scope: eq | version: architect

Trust: 0.8

vendor: hitachi | model: ucosminexus service | scope: eq | version: platform

Trust: 0.8

vendor: hitachi | model: ucosminexus/opentp1 | scope: eq | version: web front-end set

Trust: 0.8

vendor: none | model: - | scope: - | version: -

Trust: 0.6

vendor: hitachi | model: ucosminexus application server standard 06-70-/b | scope: - | version: -

Trust: 0.6

vendor: hitachi | model: ucosminexus application server standard 06-70-/a | scope: - | version: -

Trust: 0.6

vendor: hitachi | model: ucosminexus application server enterprise 06-70-/b | scope: - | version: -

Trust: 0.6

vendor: hitachi | model: ucosminexus application server enterprise 06-70-/a | scope: - | version: -

Trust: 0.6

vendor: hitachi | model: ucosminexus application server enterprise | scope: eq | version: 06-70

Trust: 0.6

vendor: hitachi | model: ucosminexus service platform | scope: - | version: -

Trust: 0.6

vendor: hitachi | model: ucosminexus opentp1 web front-end set | scope: - | version: -

Trust: 0.6

vendor: hitachi | model: ucosminexus service architect | scope: - | version: -

Trust: 0.6

vendor: hitachi | model: ucosminexus collaboration portal | scope: eq | version: server

Trust: 0.6

vendor: hitachi | model: ucosminexus/opentp1 web front-end set | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: ucosminexus service platform | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: ucosminexus service architect | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: ucosminexus erp integrator | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: ucosminexus developer standard | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: ucosminexus developer professional | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: ucosminexus collaboration server | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: ucosminexus application server standard version | scope: eq | version: 6

Trust: 0.3

vendor: hitachi | model: ucosminexus application server standard | scope: eq | version: 06-70

Trust: 0.3

vendor: hitachi | model: ucosminexus application server standard | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: ucosminexus application server smart edition | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: ucosminexus application server enterprise version | scope: eq | version: 6

Trust: 0.3

vendor: hitachi | model: ucosminexus application server enterprise ) | scope: eq | version: 09-80

Trust: 0.3

vendor: hitachi | model: groupmax collaboration server | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: electronic form workflow standard set | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: electronic form workflow professional library set | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: electronic form workflow developer client set | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: cosminexus/opentp1 web front-end set | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: cosminexus erp integrator | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: cosminexus developer standard | scope: eq | version: 6

Trust: 0.3

vendor: hitachi | model: cosminexus developer professional | scope: eq | version: 6

Trust: 0.3

vendor: hitachi | model: cosminexus developer light | scope: eq | version: 6

Trust: 0.3

vendor: hitachi | model: cosminexus collaboration server | scope: eq | version: 0

Trust: 0.3

vendor: hitachi | model: cosminexus application server standard | scope: eq | version: 6

Trust: 0.3

vendor: hitachi | model: cosminexus application server enterprise | scope: eq | version: 6

Trust: 0.3

sources: CNVD: CNVD-2007-4792 // BID: 25145 // JVNDB: JVNDB-2007-001133 // CNNVD: CNNVD-200708-002 // NVD: CVE-2007-4124

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-4124
value: MEDIUM

Trust: 1.0

IPA: JVNDB-2007-001133
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200708-002
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2007-4124
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 6.8
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2007-001133
severity: MEDIUM
baseScore: 4.9
vectorString: AV:N/AC:M/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

sources: JVNDB: JVNDB-2007-001133 // CNNVD: CNNVD-200708-002 // NVD: CVE-2007-4124

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2007-4124

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200708-002

TYPE

unknown

Trust: 0.6

sources: CNNVD: CNNVD-200708-002

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-001133

PATCH

title: HS07-024 | url: http://www.hitachi-support.com/security_e/vuls_e/HS07-024_e/index-e.html

Trust: 0.8

sources: JVNDB: JVNDB-2007-001133

EXTERNAL IDS

db: NVD | id: CVE-2007-4124

Trust: 3.3

db: BID | id: 25145

Trust: 2.7

db: SECUNIA | id: 26250

Trust: 2.6

db: HITACHI | id: HS07-024

Trust: 2.0

db: OSVDB | id: 37852

Trust: 1.6

db: VUPEN | id: ADV-2007-2725

Trust: 1.6

db: XF | id: 35706

Trust: 1.4

db: JVNDB | id: JVNDB-2007-001133

Trust: 0.8

db: CNVD | id: CNVD-2007-4792

Trust: 0.6

db: CNNVD | id: CNNVD-200708-002

Trust: 0.6

db: PACKETSTORM | id: 58201

Trust: 0.1

sources: CNVD: CNVD-2007-4792 // BID: 25145 // JVNDB: JVNDB-2007-001133 // PACKETSTORM: 58201 // CNNVD: CNNVD-200708-002 // NVD: CVE-2007-4124

REFERENCES

url:http://secunia.com/advisories/26250

Trust: 2.4

url:http://www.securityfocus.com/bid/25145

Trust: 2.4

url:http://www.hitachi-support.com/security_e/vuls_e/hs07-024_e/index-e.html

Trust: 2.0

url:http://osvdb.org/37852

Trust: 1.6

url:http://www.frsirt.com/english/advisories/2007/2725

Trust: 1.4

url:http://xforce.iss.net/xforce/xfdb/35706

Trust: 1.4

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/35706

Trust: 1.0

url:http://www.vupen.com/english/advisories/2007/2725

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-4124

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-4124

Trust: 0.8

url:http://www.hds.com/products/storage-software/hitachi-device-manager.html

Trust: 0.3

url:http://secunia.com/product/13823/

Trust: 0.1

url:http://secunia.com/advisories/26250/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/5795/

Trust: 0.1

url:https://psi.secunia.com/

Trust: 0.1

url:http://secunia.com/product/13820/

Trust: 0.1

url:http://secunia.com/product/13821/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/product/13819/

Trust: 0.1

sources: BID: 25145 // JVNDB: JVNDB-2007-001133 // PACKETSTORM: 58201 // CNNVD: CNNVD-200708-002 // NVD: CVE-2007-4124

CREDITS

The vendor disclosed this issue.

Trust: 0.3

sources: BID: 25145

SOURCES

db: CNVD | id: CNVD-2007-4792
db: BID | id: 25145
db: JVNDB | id: JVNDB-2007-001133
db: PACKETSTORM | id: 58201
db: CNNVD | id: CNNVD-200708-002
db: NVD | id: CVE-2007-4124

LAST UPDATE DATE

2024-11-23T22:19:44.222000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2007-4792 | date: 2007-07-31T00:00:00
db: BID | id: 25145 | date: 2015-05-07T17:36:00
db: JVNDB | id: JVNDB-2007-001133 | date: 2008-05-21T00:00:00
db: CNNVD | id: CNNVD-200708-002 | date: 2007-08-02T00:00:00
db: NVD | id: CVE-2007-4124 | date: 2024-11-21T00:34:50.467

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2007-4792 | date: 2007-07-31T00:00:00
db: BID | id: 25145 | date: 2007-07-31T00:00:00
db: JVNDB | id: JVNDB-2007-001133 | date: 2008-05-21T00:00:00
db: PACKETSTORM | id: 58201 | date: 2007-08-01T00:35:42
db: CNNVD | id: CNNVD-200708-002 | date: 2007-08-01T00:00:00
db: NVD | id: CVE-2007-4124 | date: 2007-08-01T16:17:00