Published:2020/08/31 Last Updated:2020/08/31
JVN#06446084
CLUSTERPRO X and EXPRESSCLUSTER X vulnerable to XML external entity injection (XXE)
Overview
CLUSTERPRO X and EXPRESSCLUSTER X contain an XML external entity injection (XXE) vulnerability.
Products Affected
- CLUSTERPRO X 4.2 for Windows and earlier
- EXPRESSCLUSTER X 4.2 for Windows and earlier
Description
CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain an XML external entity injection (XXE) vulnerability (CWE-611).
Impact
By reading a specially crafted XML files, an arbitrary file on the server may be read by the attacker.
Solution
Update the Software
The following updates are available. Update the software to the appropriate versions according to the information provided by the developer.
- CLUSTERPRO X 4.1/X 4.2 for Windows update module (CPRO-XWA40-08)
- EXPRESSCLUSTER X 4.1/X 4.2 for Windows update module (CPRO-XWA40-08E)
Applying the following workarounds may mitigate the impacts of this vulnerability.
- Enable access restriction by IP address
- Enable access restriction by password
- Enable connection by HTTPS
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Base Score:
5.8
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
CVSS v2
AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score:
5.0
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
NEC Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NEC Corporation coordinated under the Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2020-17408 |
| JVN iPedia |
JVNDB-2020-000059 |