Published:2020/08/31  Last Updated:2020/08/31

JVN#06446084
CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to XML external entity injection (XXE)

Overview

CLUSTERPRO X and EXPRESSCLUSTER X contain an XML external entity injection (XXE) vulnerability.

Products Affected

  • CLUSTERPRO X 4.2 for Windows and earlier
  • EXPRESSCLUSTER X 4.2 for Windows and earlier

Description

CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain an XML external entity injection (XXE) vulnerability (CWE-611).

Impact

By reading a specially crafted XML files, an arbitrary file on the server may be read by the attacker.

Solution

Update the Software
The following updates are available. Update the software to the appropriate versions according to the information provided by the developer.

  • CLUSTERPRO X 4.1/X 4.2 for Windows update module (CPRO-XWA40-08)
  • EXPRESSCLUSTER X 4.1/X 4.2 for Windows update module (CPRO-XWA40-08E)
Apply a Workaround
Applying the following workarounds may mitigate the impacts of this vulnerability.
  • Enable access restriction by IP address
  • Enable access restriction by password
  • Enable connection by HTTPS

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Base Score: 5.8
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score: 5.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2020-17408
JVN iPedia JVNDB-2020-000059