===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0463
      Vulnerability in Cosminexus HTTP Server and Hitachi Web Server
                             17 February 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cosminexus HTTP Server
                   Hitachi Web Server
Publisher:         Hitachi
Operating System:  HP-UX
                   AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6816 CVE-2016-0887 CVE-2016-0762

Reference:         ESB-2016.2116
                   ESB-2016.0911

Original Bulletin: 
   http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-108/index.html

Comment: This bulletin contains three (3) Hitachi security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability in Cosminexus

Update: February 17, 2017

A vulnerability (CVE-2016-0762) exists in Cosminexus.

Security Information ID

hitachi-sec-2017-106

Vulnerability description

A vulnerability (CVE-2016-0762) exists in Cosminexus Component Container.

Affected products and versions are listed below. Please upgrade your version 
to the appropriate version, or apply the Workarounds.

This vulnerability exists in Cosminexus Component Container, which is a 
component product of other Hitachi products.

For details about the fixed versions of Cosminexus products, contact your 
Hitachi support service representative.

Affected products

The information is organized under the following headings:

(Example)

Product name: Gives the name of the affected product.

Version:

Platform

Gives the affected version.

- Cosminexus V5, V6, V7, V8, V9

Product name: Cosminexus Application Server Version 5

Product name: Cosminexus Application Server Enterprise Version 6

Product name: Cosminexus Application Server Standard Version 6

Product name: Cosminexus Developer Version 5

Product name: Cosminexus Primary Server Base Version 5

Product name: Cosminexus Studio Light Version

Product name: Cosminexus Developer Light Version 6

Product name: Cosminexus Developer Standard Version 6

Product name: Cosminexus Developer Professional Version 6

Product name: Cosminexus Primary Server Base Version 6

Product name: Cosminexus Primary Server Version 6

Product name: Embedded Cosminexus Server Version 5

Product name: uCosminexus Application Server

Product name: uCosminexus Application Server-R

Product name: uCosminexus Application Server(64)

Product name: uCosminexus Application Server Enterprise

Product name: uCosminexus Application Server Express

Product name: uCosminexus Application Server Light

Product name: uCosminexus Application Server Smart Edition

Product name: uCosminexus Application Server Standard-R

Product name: uCosminexus Application Server Standard

Product name: uCosminexus Developer

Product name: uCosminexus Developer Light

Product name: uCosminexus Developer Professional

Product name: uCosminexus Developer Professional for ATM

Product name: uCosminexus Developer Professional for Plug-in

Product name: uCosminexus Developer Standard

Product name: uCosminexus Developer 01

Product name: uCosminexus Primary Server Base

Product name: uCosminexus Primary Server Base(64)

Product name: uCosminexus Service Architect

Product name: uCosminexus Service Platform

Product name: uCosminexus Service Platform - Messaging

Product name: uCosminexus Service Platform(64)

Product name: uCosminexus Primary Server Base

Version(s):

Windows

05-00 to 09-70

Windows(x64)

08-50 to 09-71

Windows(IPF)

06-00 to 06-70

AIX

05-00 to 09-70

HP-UX(PA-RISC)

05-00 to 07-10

HP-UX(IPF)

06-00 to 09-50

Linux(x86)

05-05 to 08-70

Linux(x64)

07-50 to 09-71

Linux(IPF)

06-00 to 08-50

Solaris(SPARC)

05-05 to 08-20

Solaris(x64)

08-20

Fixed products

The information is organized under the following headings:

(Example)

Product name: Gives the name of the fixed product.

Version:

Platform

Gives the fixed version, and release date.

Scheduled version:

Platform

Gives the fixed version scheduled to be released.

Product name: Cosminexus Component Container

Version(s):

Windows

09-00-14 January 31, 2017

Windows(x64)

09-00-14 January 31, 2017

AIX

09-00-14 January 31, 2017

HP-UX(IPF)

09-00-14 January 31, 2017

Linux(x64)

09-00-14 January 31, 2017

For details on the fixed products, contact your Hitachi support service 
representative.

Workarounds

For details about the workarounds, contact your Hitachi support service 
representative.

Revision history

February 17, 2017

This page is released.

======================================================================

Vulnerability in Cosminexus

Update: February 17, 2017

A vulnerability (CVE-2016-6816) exists in Cosminexus.

Security Information ID

hitachi-sec-2017-107

Vulnerability description

A vulnerability (CVE-2016-6816) exists in Cosminexus Component Container.

Affected products and versions are listed below. Please upgrade your version 
to the appropriate version.

This vulnerability exists in Cosminexus Component Container, which is a 
component product of other Hitachi products.

For details about the fixed versions of Cosminexus products, contact your 
Hitachi support service representative.

Affected products

The information is organized under the following headings:

(Example)

Product name: Gives the name of the affected product.

Version:

Platform

Gives the affected version.

- Cosminexus V5, V6, V7, V8, V9

Product name: Cosminexus Application Server Version 5

Product name: Cosminexus Application Server Enterprise Version 6

Product name: Cosminexus Application Server Standard Version 6

Product name: Cosminexus Developer Version 5

Product name: Cosminexus Primary Server Base Version 5

Product name: Cosminexus Studio Light Version

Product name: Cosminexus Developer Light Version 6

Product name: Cosminexus Developer Standard Version 6

Product name: Cosminexus Developer Professional Version 6

Product name: Cosminexus Primary Server Base Version 6

Product name: Cosminexus Primary Server Version 6

Product name: Embedded Cosminexus Server Version 5

Product name: uCosminexus Application Server

Product name: uCosminexus Application Server-R

Product name: uCosminexus Application Server(64)

Product name: uCosminexus Application Server Enterprise

Product name: uCosminexus Application Server Express

Product name: uCosminexus Application Server Light

Product name: uCosminexus Application Server Smart Edition

Product name: uCosminexus Application Server Standard-R

Product name: uCosminexus Application Server Standard

Product name: uCosminexus Developer

Product name: uCosminexus Developer Light

Product name: uCosminexus Developer Professional

Product name: uCosminexus Developer Professional for ATM

Product name: uCosminexus Developer Professional for Plug-in

Product name: uCosminexus Developer Standard

Product name: uCosminexus Developer 01

Product name: uCosminexus Primary Server Base

Product name: uCosminexus Primary Server Base(64)

Product name: uCosminexus Service Architect

Product name: uCosminexus Service Platform

Product name: uCosminexus Service Platform - Messaging

Product name: uCosminexus Service Platform(64)

Product name: uCosminexus Primary Server Base

Version(s):

Windows

05-00 to 09-70

Windows(x64)

08-50 to 09-71

Windows(IPF)

06-00 to 06-70

AIX

05-00 to 09-70

HP-UX(PA-RISC)

05-00 to 07-10

HP-UX(IPF)

06-00 to 09-50

Linux(x86)

05-05 to 08-70

Linux(x64)

07-50 to 09-71

Linux(IPF)

06-00 to 08-50

Solaris(SPARC)

05-05 to 08-20

Solaris(x64)

08-20

Fixed products

The information is organized under the following headings:

(Example)

Product name: Gives the name of the fixed product.

Version:

Platform

Gives the fixed version, and release date.

Scheduled version:

Platform

Gives the fixed version scheduled to be released.

Product name: Cosminexus Component Container

Version(s):

Windows

09-00-14 January 31, 2017

Windows(x64)

09-00-14 January 31, 2017

AIX

09-00-14 January 31, 2017

HP-UX(IPF)

09-00-14 January 31, 2017

Linux(x64)

09-00-14 January 31, 2017

For details on the fixed products, contact your Hitachi support service 
representative.

Revision history

February 17, 2017

This page is released.

======================================================================

Vulnerability in Cosminexus HTTP Server and Hitachi Web Server

Update: February 17, 2017

A vulnerability (CVE-2016-0887) exists in Cosminexus HTTP Server and Hitachi 
Web Server.

Security Information ID: hitachi-sec-2017-108

Vulnerability description

A vulnerability (CVE-2016-0887) exists in Cosminexus HTTP Server and Hitachi 
Web Server.

Affected products and versions are listed below. Please upgrade your version 
to the appropriate version.

This problem occurs only if the SSL function is being used.

Affected products

The information is organized under the following headings:

(Example)

Product name: Gives the name of the affected product.

Version:

Platform

Gives the affected version.

Product name: Cosminexus HTTP Server

Version(s):

AIX, HP-UX(IPF), Linux(x64), Windows, Windows(x64)

09-65 to 09-65-02, 09-00 to 09-00-16

Product name: Hitachi Web Server

Version(s):

AIX, HP-UX, HP-UX(IPF), Linux, Linux(IPF), Solaris, Solaris(x64), Windows, 
Windows(x64)

04-00 to 04-20-08(*1), 03-00 to 03-10-15(*1), 01-00 to 02-06-/F(*1)

Product name: Hitachi Web Server

Version(s):

AIX, Linux(x64), Windows, Windows(x64)

10-00 to 10-11-01

*1 Please upgrade to a later product version.

These vulnerabilities exist in Cosminexus HTTP Server and Hitachi Web Server, 
which are component products of other Hitachi products.

For details about the fixed versions of Cosminexus products, contact your 
Hitachi support service representative.

- Cosminexus V5, V6, V7, V8, V9

Product name: uCosminexus Application Server

Product name: uCosminexus Application Server Enterprise

Product name: uCosminexus Application Server Express

Product name: uCosminexus Application Server Smart Edition

Product name: uCosminexus Application Server Standard

Product name: uCosminexus Application Server Standard-R

Product name: uCosminexus Application Server(64)

Product name: uCosminexus Application Server-R

Product name: uCosminexus Developer

Product name: uCosminexus Developer 01

Product name: uCosminexus Developer Light

Product name: uCosminexus Developer Professional

Product name: uCosminexus Developer Professional for Plug-in

Product name: uCosminexus Developer Standard

Product name: uCosminexus Primary Server Base

Product name: uCosminexus Primary Server Base(64)

Product name: uCosminexus Service Architect

Product name: uCosminexus Service Platform

Product name: uCosminexus Service Platform - Messaging

Product name: uCosminexus Service Platform(64)

Version(s):

AIX, HP-UX(IPF), Linux(x64), Windows, Windows(x64)

05-00 to 09-71

- Hitachi Application Server

Product name: Hitachi Application Server

Product name: Hitachi Application Server for Developers

Version(s):

AIX, Linux(x64), Windows, Windows(x64)

10-00 to 10-11

Fixed products

The information is organized under the following headings:

(Example)

Product name: Gives the name of the fixed product.

Version:

Platform

Gives the fixed version, and release date.

Scheduled version:

Platform

Gives the fixed version scheduled to be released.

Product name: Cosminexus HTTP Server

Version(s):

Linux(x64)

09-65-50 October 3, 2016

Windows

09-00-51 December 1, 2016

Windows(x64)

09-00-51 January 26, 2017

Product name: Hitachi Web Server

Scheduled version(s):

For details on the fixed products, contact your Hitachi support service 
representative.

Revision history

February 17, 2017

This page is released.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
