-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0023
          Multiple Vulnerabilities in Hitachi Tuning Manager and
                        JP1/Performance Management
                             20 February 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Hitachi Tuning Manager
                      JP1/Performance Management
Operating System:     Windows
                      Solaris
                      Linux variants
                      HP-UX
                      AIX
Impact/Access:        Cross-site Scripting       -- Existing Account
                      Cross-site Request Forgery -- Existing Account
Resolution:           Patch/Upgrade
Member content until: Thursday, March 21 2013

OVERVIEW

        Multiple vulnerabilities have been identified in Hitachi Tuning 
        Manager, JP1/Performance Management - Web Console, and JP1/Performance 
        Management - Manager Web Option. [1]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        "Cross-site scripting and cross-site request forgery vulnerabilities 
        were found in Hitachi Tuning Manager, JP1/Performance Management - Web 
        Console, and JP1/Performance Management - Manager Web Option. These 
        vulnerabilities allow users to add malicious scripts to web pages of 
        these products.
        
        These vulnerabilities can not be exploited, unless logging in these 
        products." [1]


MITIGATION

        The vendor recommends upgrading to the latest appropriate version to 
        correct this issue. [1]


REFERENCES

        [1] Multiple Vulnerabilities in Hitachi Tuning Manager, JP1/Performance
            Management - Web Console, and JP1/Performance Management - Manager
            Web Option
            http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-003/index.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----