Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0562
Vulnerabilities in Cosminexus HTTP Server and Hitachi Web Server
22 April 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Hitachi Cosminexus HTTP Server
Hitachi Web Server
Publisher: Hitachi
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-2566 CVE-2013-0169 CVE-2012-3499
Reference: ESB-2013.0161
Original Bulletin:
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-007/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-008/index.html
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-009/index.html
Comment: This bulletin contains three (3) Hitachi security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Cross-site Scripting Vulnerability in Cosminexus HTTP Server and Hitachi Web
Server
Update: April 19, 2013
A cross-site scripting vulnerability (CVE-2012-3499) exists in Cosminexus HTTP
Server and Hitachi Web Server.
Vulnerability ID
HS13-007
Vulnerability description
When Status Viewer is activated, a malicious script might also be added to the
responce to a client that is generated by Cosminexus HTTP Server and Hitachi
Web Server, and then be executed on the client.
By default, Status Viewer is not activated. When server-status handler is set
in SetHandler directive, and then Status Viewer is activated, this
vulnerability arises.
Affected products and versions are listed below. Please upgrade your version
to the appropriate version, or apply the Workarounds.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
Product name: Cosminexus HTTP Server
Version(s):
AIX, HP-UX(IPF), Linux(x64), Windows, Windows(x64)
09-00 to 09-00-06
Product name: Hitachi Web Server
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Solaris(x64), Windows,
Windows(x64)
04-00 to 04-00-07, 04-10 to 04-10-08, 04-20 to 04-20-05,
03-00 to 03-00-07, 03-10 to 03-10-12,
02-00 to 02-00-/C, 02-01 to 02-01-/A, 02-02 to 02-02-/B, 02-03 to 02-03-/B,
02-04 to 02-04-/I, 02-05, 02-06 to 02-06-/J,
01-00 to 01-02 (included all sub-revisions)
Product name: Hitachi Web Server - Custom Edition
Version(s):
Linux
02-06
Product name: Hitachi Web Server - Security Enhancement
Version(s):
HP-UX(IPF)
02-04 to 02-04-/I
This vulnerability exists in Cosminexus product, which bundles Cosminexus HTTP
Server or Hitachi Web Server. For details about the bundled version of
Cosminexus HTTP Server or Hitachi Web Server, and the fixed version of
Cosminexus product, contact your Hitachi support service representative.
- - Cosminexus V9
Product name: uCosminexus Developer
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform(64)
Product name: uCosminexus Service Architect
Product name: uCosminexus Application Server-R
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Primary Server Base(64)
Version(s):
AIX, HP-UX(IPF), Linux(x64), Windows, Windows(x64)
09-00
- - Cosminexus V8
Product name: uCosminexus Application Server Express
Product name: uCosminexus Application Server Smart Edition
Product name: uCosminexus Developer 01
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Architect
Product name: uCosminexus Developer Light
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Developer Standard
Product name: uCosminexus Developer Professional
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Developer Professional for Plug-in
Version(s):
AIX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Solaris(x64), Windows,
Windows(x64)
08-00 to 08-70
- - Cosminexus V7
Product name: uCosminexus Developer Light
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Developer Standard
Product name: uCosminexus Developer Professional
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Smart Edition
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform - Messaging
Product name: uCosminexus Service Architect
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Windows
07-00 to 07-60
- - Cosminexus V6.7
Product name: uCosminexus Developer Light
Product name: uCosminexus Developer Standard
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Developer Professional
Product name: uCosminexus Application Server Enterprise
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Windows
06-70 to 06-72
- - Cosminexus V6.0, V6.5
Product name: Cosminexus Developer Light Version 6
Product name: Cosminexus Developer Standard Version 6
Product name: Cosminexus Primary Server Version 6
Product name: Cosminexus Application Server Standard Version 6
Product name: Cosminexus Developer Professional Version 6
Product name: Cosminexus Application Server Enterprise Version 6
Product name: Cosminexus Primary Server Base Version 6
Product name: uCosminexus Primary Server Base
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Windows
06-00 to 06-51
- - Cosminexus V5.0, V5.5
Product name: Cosminexus Application Server Version 5
Product name: Cosminexus Developer Version 5
Version(s):
AIX, HP-UX, Linux, Solaris, Windows
05-00 to 05-05
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
Platform
Gives the fixed version, and release date.
Scheduled version:
Platform
Gives the fixed version scheduled to be released.
Product name: Cosminexus HTTP Server
Scheduled version(s):
Product name: Hitachi Web Server
Scheduled version(s):
For details on the fixed products, contact your Hitachi support service
representative.
Workarounds
For details about the workarounds, contact your Hitachi support service
representative.
Revision history
April 19, 2013: This page is released.
Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of these
Web pages are subject to change without prior notice. When referencing
information, please confirm that you are referencing the latest information.
The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness of
this information, the contents of the Web pages may change depending on the
changes made by the developers.
The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information contained
in them. Hitachi shall not be liable for any consequences arising out of or in
connection with the security countermeasures or other actions that you will
take or have taken (or not taken) by yourself. The links to other web sites
are valid at the time of the release of the page. Although Hitachi makes an
effort to maintain the links, Hitachi cannot guarantee their permanent
availability.
- -------------------------------------------------------------------------------
Vulnerability about SSL Encryption in Cosminexus HTTP Server and Hitachi Web
Server
Update: April 19, 2013
A vulnerability about SSL encryption (CVE-2013-0169, also known as the Lucky
Thirteen issue) exists in Cosminexus HTTP Server and Hitachi Web Server.
Vulnerability ID
HS13-008
Vulnerability description
During SSL prosessing using below encryption types, remote attackers might
conduct distinguishing attacks and plaintext-recovery attacks.
DES-CBC-MD5
DES-CBC-SHA
RC2-CBC-MD5
DES-CBC3-MD5
DES-CBC3-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-DES-56-SHA
AES128-SHA
AES256-SHA
AES128-SHA256
AES256-SHA256
Affected products and versions are listed below. When the appropriate version
is released, please upgrade your version immediately.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
Product name: Cosminexus HTTP Server
Version(s):
AIX, HP-UX(IPF), Linux(x64), Windows, Windows(x64)
09-00 to 09-00-06
Product name: Hitachi Web Server
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Solaris(x64), Windows,
Windows(x64)
04-00 to 04-00-07, 04-10 to 04-10-08, 04-20 to 04-20-05,
03-00 to 03-00-07, 03-10 to 03-10-12,
02-00 to 02-00-/C, 02-01 to 02-01-/A, 02-02 to 02-02-/B, 02-03 to 02-03-/B,
02-04 to 02-04-/I, 02-05, 02-06 to 02-06-/J,
01-00 to 01-02 (included all sub-revisions)
Product name: Hitachi Web Server - Security Enhancement
Version(s):
HP-UX(IPF)
02-04 to 02-04-/I
This vulnerability exists in Cosminexus product, which bundles Cosminexus HTTP
Server or Hitachi Web Server. For details about the bundled version of
Cosminexus HTTP Server or Hitachi Web Server, and the fixed version of
Cosminexus product, contact your Hitachi support service representative.
- - Cosminexus V9
Product name: uCosminexus Developer
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform(64)
Product name: uCosminexus Service Architect
Product name: uCosminexus Application Server-R
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Primary Server Base(64)
Version(s):
AIX, HP-UX(IPF), Linux(x64), Windows, Windows(x64)
09-00
- - Cosminexus V8
Product name: uCosminexus Application Server Express
Product name: uCosminexus Application Server Smart Edition
Product name: uCosminexus Developer 01
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Architect
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Developer Standard
Product name: uCosminexus Developer Professional
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Developer Professional for Plug-in
Version(s):
AIX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Solaris(x64), Windows,
Windows(x64)
08-00 to 08-70
- - Cosminexus V7
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Developer Standard
Product name: uCosminexus Developer Professional
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Smart Edition
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform - Messaging
Product name: uCosminexus Service Architect
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Windows
07-00 to 07-60
- - Cosminexus V6.7
Product name: uCosminexus Developer Light
Product name: uCosminexus Developer Standard
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Developer Professional
Product name: uCosminexus Application Server Enterprise
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Windows
06-70 to 06-72
- - Cosminexus V6.0, V6.5
Product name: Cosminexus Developer Light Version 6
Product name: Cosminexus Developer Standard Version 6
Product name: Cosminexus Primary Server Version 6
Product name: Cosminexus Application Server Standard Version 6
Product name: Cosminexus Developer Professional Version 6
Product name: Cosminexus Application Server Enterprise Version 6
Product name: Cosminexus Primary Server Base Version 6
Product name: uCosminexus Primary Server Base
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Windows
06-00 to 06-51
- - Cosminexus V5.0, V5.5
Product name: Cosminexus Application Server Version 5
Product name: Cosminexus Developer Version 5
Version(s):
AIX, HP-UX, Linux, Solaris, Windows
05-00 to 05-05
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
Platform
Gives the fixed version, and release date.
Scheduled version:
Platform
Gives the fixed version scheduled to be released.
Product name: Cosminexus HTTP Server
Scheduled version(s):
Product name: Hitachi Web Server
Scheduled version(s):
For details on the fixed products, contact your Hitachi support service representative.
Revision history
April 19, 2013: This page is released.
Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of these
Web pages are subject to change without prior notice. When referencing
information, please confirm that you are referencing the latest information.
The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness of
this information, the contents of the Web pages may change depending on the
changes made by the developers.
The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information contained
in them. Hitachi shall not be liable for any consequences arising out of or in
connection with the security countermeasures or other actions that you will
take or have taken (or not taken) by yourself. The links to other web sites
are valid at the time of the release of the page. Although Hitachi makes an
effort to maintain the links, Hitachi cannot guarantee their permanent
availability.
- -------------------------------------------------------------------------------
Vulnerability about SSL Encryption in Cosminexus HTTP Server and Hitachi Web
Server
Update: April 19, 2013
A vulnerability about SSL encryption (CVE-2013-2566) exists in Cosminexus HTTP
Server and Hitachi Web Server.
Vulnerability ID
HS13-009
Vulnerability description
During SSL prosessing, remote attackers might conduct plaintext-recovery
attacks.
Affected products and versions are listed below. Please apply the
Countermeasures.
Affected products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the affected product.
Version:
Platform
Gives the affected version.
Product name: Cosminexus HTTP Server
Version(s):
AIX, HP-UX(IPF), Linux(x64), Windows, Windows(x64)
All versions
Product name: Hitachi Web Server
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Solaris(x64), Windows,
Windows(x64)
All versions
Product name: Hitachi Web Server - Security Enhancement
Version(s):
HP-UX(IPF)
All versions
This vulnerability exists in Cosminexus product, which bundles Cosminexus HTTP
Server or Hitachi Web Server. For details about the bundled version of
Cosminexus HTTP Server or Hitachi Web Server, contact your Hitachi support
service representative.
- - Cosminexus V9
Product name: uCosminexus Developer
Product name: uCosminexus Application Server
Product name: uCosminexus Application Server(64)
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform(64)
Product name: uCosminexus Service Architect
Product name: uCosminexus Application Server-R
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Primary Server Base(64)
Version(s):
AIX, HP-UX(IPF), Linux(x64), Windows, Windows(x64)
All versions
- - Cosminexus V8
Product name: uCosminexus Application Server Express
Product name: uCosminexus Application Server Smart Edition
Product name: uCosminexus Developer 01
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Architect
Product name: uCosminexus Application Server Standard-R
Product name: uCosminexus Developer Standard
Product name: uCosminexus Developer Professional
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Developer Professional for Plug-in
Version(s):
AIX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Solaris(x64), Windows,
Windows(x64)
All versions
- - Cosminexus V7
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Developer Standard
Product name: uCosminexus Developer Professional
Product name: uCosminexus Application Server Enterprise
Product name: uCosminexus Application Server Smart Edition
Product name: uCosminexus Primary Server Base
Product name: uCosminexus Service Platform
Product name: uCosminexus Service Platform - Messaging
Product name: uCosminexus Service Architect
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Windows
All versions
- - Cosminexus V6.7
Product name: uCosminexus Developer Light
Product name: uCosminexus Developer Standard
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Developer Professional
Product name: uCosminexus Application Server Enterprise
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Windows
All versions
- - Cosminexus V6.0, V6.5
Product name: Cosminexus Developer Light Version 6
Product name: Cosminexus Developer Standard Version 6
Product name: Cosminexus Primary Server Version 6
Product name: Cosminexus Application Server Standard Version 6
Product name: Cosminexus Developer Professional Version 6
Product name: Cosminexus Application Server Enterprise Version 6
Product name: Cosminexus Primary Server Base Version 6
Product name: uCosminexus Primary Server Base
Version(s):
AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Windows
All versions
- - Cosminexus V5.0, V5.5
Product name: Cosminexus Application Server Version 5
Product name: Cosminexus Developer Version 5
Version(s):
AIX, HP-UX, Linux, Solaris, Windows
All versions
Countermeasures
Please assign below encryption types to SSLBanCipher directive.
EXP-RC4-MD5
EXP-RC4-56-SHA
RC4-MD5
RC4-SHA
Revision history
April 19, 2013: This page is released.
Hitachi, Ltd. (hereinafter referred to as "Hitachi") tries to provide
accurate information about security countermeasures. However, since
information about security problems constantly changes, the contents of these
Web pages are subject to change without prior notice. When referencing
information, please confirm that you are referencing the latest information.
The Web pages include information about products that are developed by
non-Hitachi software developers. Vulnerability information about those
products is based on the information provided or disclosed by those
developers. Although Hitachi is careful about the accuracy and completeness of
this information, the contents of the Web pages may change depending on the
changes made by the developers.
The Web pages are intended to provide vulnerability information only, and
Hitachi shall not have any legal responsibility for the information contained
in them. Hitachi shall not be liable for any consequences arising out of or in
connection with the security countermeasures or other actions that you will
take or have taken (or not taken) by yourself. The links to other web sites
are valid at the time of the release of the page. Although Hitachi makes an
effort to maintain the links, Hitachi cannot guarantee their permanent
availability.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUXTGv+4yVqjM2NGpAQIQ0w/7B29LOJRdzb3fV5agpWJX9zUBK/koWqDQ
GZ1dr3T9W5L7zFzMrtp/M41FFOIA1+HJJ47dXqRsNB/KAcJ0bXRiyPelwRPMe1gr
lyhRTA4JDWzSnSnc1onr/Cfyy0Tzq5WLXOQwQ3UE1TUmZzwTod+ReGMa6tmeGJ4p
QMtU/KI76ct0yZyrcWQID+x+X4TJJ9CI7mMQFABQbJLjAiPco9ZJmQ56FJHh/vlD
IpplOD0Bbab1nAD/n/o2DFWKAvYWBEidrjGOorhjGXYaN/sgUH8qYP/PbPHHKNZn
qqJSecYUgdVZYypSOjcVAzgOq+xJkfXKAjRiNwkcO508HUh8AubhsnYVhzObreMy
HPs48efvpUhgdBapUHSBVdvt/y4Pi8T3mco4Ug2qZYP6/NLezNXORerxAevhaOJp
oZqqHXp9sD/hSA0B82X+zOTJkPHkn2MRTzHLrgHyo0QfE63slm3enrIi8HJrCAxK
kdH/AyQsF3m9kC3VEk5Di9OGHiTLQIgfKDhfQN/MB4sEQj4hX/9VviCTcYJ/QFSz
inCPksOFk5WNpRH7ucclSjGIhUZhjIyTCDzwLp+yYNOfQ3gcgMca7ZZUz/OXBylq
WSMAXsvkgjsCC4XwoFCBgIS1sYuqiJQtT4CyDZY+x579uR3JPz2vu8o41ckHPHrR
6bxKrQovpL0=
=UE7s
-----END PGP SIGNATURE-----