JVN#13566542
Cybozu Remote Service Manager vulnerable to denial-of-service (DoS)
Overview
Remote Service Manager contains a denial-of-service (DoS) vulnerability.
Products Affected
- Remote Service Manager 2.3.0 and earlier
- Remote Service Manager 3.1.2 and earlier
Description
Remote Service Manager provided by Cybozu, Inc. is a software to access internal systems such as Cybozu products via "Cybozu Remote Service". Remote Service Manager contains a denial-of-service (DoS) vulnerability.
Note that this vulnerability was caused due to an incomplete fix of JVN#10319260.
Impact
An attacker may cause a denial-of-service (DoS) condition for a server that is running Remote Service Manager. As a result, "Cybozu Remote Service" may be disrupted.
Solution
For Remote Service Manager 3.1.2:
Change the settings
Change the settings file (server.xml), according to the instructions provided by the developer.
For Remote Service Manager 3.1.1 and earlier:
Update the software and change the settings
Apply the update and change the settings file (server.xml), according to the instructions provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Cybozu, Inc. | Vulnerable | 2015/01/30 | Cybozu, Inc. website |
References
-
Japan Vulnerability Notes JVN#10319260
Cybozu Remote Service Manager vulnerable to denial-of-service (DoS)
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2015.01.30 (CVSS Base Metrics)
| Measures | Severity | Description | ||
|---|---|---|---|---|
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". |
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) | The access conditions are somewhat specialized. |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) | Authentication is not required to exploit the vulnerability. |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) | There is no impact to the confidentiality of the system. |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) | There is no impact to the integrity of the system. |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) | There is a total shutdown of the affected resource. |
Base Score:7.1
Credit
Cybozu, Inc. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and Cybozu, Inc. coordinated under the Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2014-7266 |
| JVN iPedia |
JVNDB-2015-000001 |