Published:2023/05/31  Last Updated:2023/06/13

JVN#38222042
DataSpider Servista uses a hard-coded cryptographic key

Overview

DataSpider Servista provided by SAISON INFORMATION SYSTEMS CO.,LTD. uses a hard-coded cryptographic key.

Products Affected

  • DataSpider Servista version 4.4 and earlier
The developer states that some of DataSpider Servista's OEM products are affected by this vulnerability.
For information on the affected products and the versions, refer to the vendors' advisories from "Vendor Status" of this JVN advisory.

Description

DataSpider Servista provided by SAISON INFORMATION SYSTEMS CO.,LTD. is a data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista.
The cryptographic key is embedded in ScriptRunner and ScriptRunner for Amazon SQS, which is common to all users (CWE-321).

Impact

An attacker, who can gain access to a target DataSpider Servista instance and obtain a Launch Settings file of ScriptRunner and/or ScriptRunner for Amazon SQS, may perform operations using the user privilege encrypted in the file.

Solution

Apply the patch and follow the additional procedure
Apply the patch module and follow the necessary procedure to reconfigure Launch settings file.
For more information, refer to documentation provided by the developer.

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score: 5.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Sato Nobuhiro of Suzuki Motor Corporation and You Okuma of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2023-28937
JVN iPedia JVNDB-2023-000052

Update History

2023/06/13
[Products Affected] and [Vendor Status] sections are updated.