Published:2021/10/29  Last Updated:2021/11/10

JVN#69304877
Multiple vulnerabilities in CLUSTERPRO X and EXPRESSCLUSTER X

Overview

CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities.

Products Affected

  • CLUSTERPRO X 1.0 for Windows and later
  • EXPRESSCLUSTER X 1.0 for Windows and later
  • CLUSTERPRO X 1.0 SingleServerSafe for Windows and later
  • EXPRESSCLUSTER X 1.0 SingleServerSafe for Windows and later

Description

CLUSTERPRO X and EXPRESSCLUSTER X provided by NEC Corporation contain multiple vulnerabilities listed below.

  • Buffer overflow in the Disk Agent (CWE-119) - CVE-2021-20700、CVE-2021-20701
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
  • Buffer overflow in the Transaction Server (CWE-119) - CVE-2021-20702、CVE-2021-20703
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
  • Buffer overflow in the compatible API with previous versions (Ver 8.0 and earlier) (CWE-119) - CVE-2021-20704
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8
    CVSS v2 AV:N/AC:L/Au:N/C:C/I:C/A:C Base Score: 10.0
  • Remote file upload in the WebManager (CWE-20) - CVE-2021-20705、CVE-2021-20706
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Base Score: 7.5
    CVSS v2 AV:N/AC:L/Au:N/C:N/I:C/A:N Base Score: 7.8
  • Read files in the Transaction Server (CWE-20) - CVE-2021-20707
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 7.5
    CVSS v2 AV:N/AC:L/Au:N/C:C/I:N/A:N Base Score: 7.8

Impact

  • Receiving a specially crafted packet sent by a remote attacker may allow arbitrary code execution  - CVE-2021-20700, CVE-2021-20701, CVE-2021-20702, CVE-2021-20703, CVE-2021-20704
  • A specially crafted upload request sent by a remote attacker may be accepted - CVE-2021-20705, CVE-2021-20706
  • Receiving specially crafted packet sent by a remote attacker may allow an arbitrary file being read - CVE-2021-20707

Solution

As of 2021 October 29, NEC Corporation has not yet released the patches or updates containing fixes for these vulnerabilities.
According to the developer, patches for these vulnerabilities will be released by the end of November 2021.

Apply Workarounds
Apply the following workarounds to avoid the impacts of these vulnerabilities.

  • Enable a firewall and block unnecesary communication
    • Allow only hosts belonging to the cluster to accept connection requests for the following ports:
      • Data transfer (Default: 29002)
      • Communication between disk agents (Default: 29004)
    • Allow only trusted clients to accept connection requests for the following port:
      • HTTP port of WebManager (Default: 29003)
    • Allow only local hosts to accept connection requests for the process clpoldapi.exe

Vendor Status

Vendor Status Last Update Vendor Notes
NEC Corporation Vulnerable 2021/10/29

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

NEC Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN. JPCERT/CC and NEC Corporation coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2021-20700
CVE-2021-20701
CVE-2021-20702
CVE-2021-20703
CVE-2021-20704
CVE-2021-20705
CVE-2021-20706
CVE-2021-20707
JVN iPedia JVNDB-2021-000097

Update History

2021/11/10
Information under the section [Products Affected] and [Solution] was updated.