JVN#50129191
JustSystems Online Update Program bundled with JustSystems products vulnerable to arbitrary code execution
Overview
JustSystems Online Update Program bundled with JustSystems products is vulnerable to arbitrary code execution.
Products Affected
All the products that bundle the following update program are affected.
- JUST Online Update (for an individual user)
- JUST Online Update for J-License and management tools (for a corporate user)
Description
"JUST Online Update" and "JUST Online Update for J-License and the management tools" that are bundled with multiple JustSystems products contain a flaw that allows the update program to be executed even if the signature of an update module is invalid.
Please note that this is a flaw in the online update program, not a flaw in each software itself.
Impact
If a user execute a crafted update module, arbitrary code may be executed.
Solution
Apply the Update
Update "JUST Online Update" and "JUST Online Update for J-License and management tools" according to the information provided by the developer.
For more information, please refer to the developer's website.
Vendor Status
| Vendor | Link |
| JustSystems Corporation | [JS140002] Vulnerability in Online Update Program contains in multiple Justsystems products |
References
-
IPA
About arbitrary code execution vulnerability of JustSystems Online Update Program bundled with JustSystems products (JVN#50129191)
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.06.11 (CVSS Base Metrics)
| Measures | Severity | Description | ||
|---|---|---|---|---|
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". |
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) | Specialized access conditions exist. |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) | Authentication is not required to exploit the vulnerability. |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) | There is total information disclosure, resulting in all system files being revealed. |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) | There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised. |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) | There is a total shutdown of the affected resource. |
Base Score:7.6
Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2014-2003 |
| JVN iPedia |
JVNDB-2014-000053 |
Update History
- 2014/06/11
- Information under the section "References" was added.