Published: 2023/10/19  Last Updated: 2023/10/19

JVN#28846531
Multiple vulnerabilities in JustSystems products

Overview

Multiple products provided by JustSystems Corporation contain multiple vulnerabilities.

Products Affected

  • Ichitaro series
  • Rakuraku Hagaki series
  • JUST Office series
  • JUST Government series
  • JUST Police series

A wide range of products is affected. For the details, refer to the information provided by the developer.

Description

Multiple products provided by JustSystems Corporation contain multiple vulnerabilities listed below.

  • Use after free (CWE-416) - CVE-2023-34366
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Base Score: 3.3
    CVSS v2 AV:L/AC:M/Au:N/C:N/I:N/A:P Base Score: 1.9
  • Integer overflow (CWE-190) - CVE-2023-38127
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Base Score: 3.3
    CVSS v2 AV:L/AC:M/Au:N/C:N/I:N/A:P Base Score: 1.9
  • Access of resource using incompatible type (Type confusion) (CWE-843) - CVE-2023-38128
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Base Score: 3.3
    CVSS v2 AV:L/AC:M/Au:N/C:N/I:N/A:P Base Score: 1.9
  • Improper validation of array index (CWE-129) - CVE-2023-35126
    CVSS v3 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L Base Score: 3.3
    CVSS v2 AV:L/AC:M/Au:N/C:N/I:N/A:P Base Score: 1.9

Impact

Processing a specially crafted file may lead to the product's abnormal termination.

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.
For more information, refer to the information provided by the developer.

Vendor Status

Vendor: JustSystems Corporation
Link: For Safe Use of JustSystems Products (Text in Japanese)

JPCERT/CC Addendum

The reporter states that arbitrary code execution is possible.
On the other hand, the developer states that the impact of the vulnerabilities is abnormal termination only, as arbitrary code execution has not been proven. For this reason, this advisory describes the impact as abnormal termination only.

Credit

Cisco Talos Security Intelligence & Research Group reported these vulnerabilities to JustSystems Corporation and coordinated with them. JustSystems Corporation and JPCERT/CC published their respective advisories in order to notify users of the solution through JVN.

Other Information

CVE: CVE-2023-34366, CVE-2023-38127, CVE-2023-38128, CVE-2023-35126
JVN iPedia: JVNDB-2023-000102