JVN#16318793
Ichitaro series vulnerable to arbitrary code execution
Critical
Overview
The "Ichitaro" series of word processing software from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution.
This vulnerability differs from other issues that were previously published on JVN.
Products Affected
- Ichitaro 2014 Tetsu
- Ichitaro 2014 Tetsu Trial Edition
- Ichitaro 2013 Gen
- Ichitaro 2012 Shou
- Ichitaro 2011 Sou / Ichitaro 2011
- Ichitaro Pro 2
- Ichitaro Pro 2 Trial Edition
- Ichitaro Pro
- Ichitaro Government 7
- Ichitaro Government 6
- Ichitaro 2010, Ichitaro Government 2010
- Ichitaro 2009, Ichitaro Government 2009
- Ichitaro 2008, Ichitaro Government 2008
Description
The "Ichitaro" series of word processing software from JustSystems Corporation contains a vulnerability that may allow arbitrary code execution.
For more information, please refer to the developer's website.
Impact
When a user opens a specially crafted file, arbitrary code may be executed.
Solution
Update the software
Apply the appropriate update module according to the information provided by the developer.
Vendor Status
| Vendor | Link |
|---|---|
| JustSystems Corporation | [JS14003] Vulnerability in Ichitaro may allow arbitrary code execution |
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.11.13 (CVSS Base Metrics) Critical
| Measures | Severity | | | Description |
|---|---|---|---|---|
| Access Vector (AV) | Local (L) | Adjacent Network (A) | Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". |
| Access Complexity (AC) | High (H) | Medium (M) | Low (L) | The access conditions are somewhat specialized. |
| Authentication (Au) | Multiple (M) | Single (S) | None (N) | Authentication is not required to exploit the vulnerability. |
| Confidentiality Impact (C) | None (N) | Partial (P) | Complete (C) | There is total information disclosure, resulting in all system files being revealed. |
| Integrity Impact (I) | None (N) | Partial (P) | Complete (C) | There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised. |
| Availability Impact (A) | None (N) | Partial (P) | Complete (C) | There is a total shutdown of the affected resource. |
Base Score: 9.3
Other Information
| CVE | CVE-2014-7247 | 
| JVN iPedia | JVNDB-2014-000131 | 
