JVN#38222042
DataSpider Servista uses a hard-coded cryptographic key
Overview
DataSpider Servista provided by SAISON INFORMATION SYSTEMS CO.,LTD. uses a hard-coded cryptographic key.
Products Affected
- DataSpider Servista version 4.4 and earlier
For information on the affected products and versions, refer to the vendor's advisories listed under "Vendor Status" in this JVN advisory.
Description
DataSpider Servista provided by SAISON INFORMATION SYSTEMS CO.,LTD. is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista.
A cryptographic key that is common to all users is embedded in ScriptRunner and ScriptRunner for Amazon SQS (CWE-321).
Impact
An attacker who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS may perform operations using the user privilege encrypted in the file.
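The weakness class described above (CWE-321), shown as an added illustration that is not code from DataSpider Servista or its developer: a settings blob sealed under a key embedded in every copy of a tool opens for any holder of that tool, while one sealed under a per-installation key does not. The key value, the settings string, the function names and the HMAC-based stand-in cipher are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical: stands in for a key compiled into every shipped copy of a tool.
EMBEDDED_KEY = b"same-bytes-in-every-shipped-copy"  # constructed value


def _subkeys(key):
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real AEAD cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Return the plaintext, or None when the key does not match the blob."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


SETTINGS = b"user=etl_operator;password=constructed-sample"  # constructed sample

# Weak: the file is sealed under the embedded key, so any copy of the tool opens it.
shared_blob = seal(EMBEDDED_KEY, SETTINGS)

# Hardened: each installation generates its own random key, stored apart from the file.
site_a_key, site_b_key = secrets.token_bytes(32), secrets.token_bytes(32)
private_blob = seal(site_a_key, SETTINGS)
```

A file sealed under the shared key stays readable by anyone holding that key until it is sealed again under a different one, which is why a key change has to be followed by regenerating the protected file.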
Solution
Apply the patch and follow the additional procedure
Apply the patch module and follow the necessary procedure to reconfigure the Launch Settings file.
For more information, refer to documentation provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |

CVSS v2
Access Vector (AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity (AC) | High (H) | Medium (M) | Low (L) |
Authentication (Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact (C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact (I) | None (N) | Partial (P) | Complete (C) |
Availability Impact (A) | None (N) | Partial (P) | Complete (C) |
Credit
Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
CVE | CVE-2023-28937 |
JVN iPedia | JVNDB-2023-000052 |
Update History
- 2023/06/13
  - [Products Affected] and [Vendor Status] sections are updated.