JVN#54728399
TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation
Overview
TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) provided by NTT DATA Corporation are affected by a ClassLoader manipulation vulnerability that is contained in Spring Framework.
Products Affected
- TERASOLUNA Global Framework 1.0.0 (Public review version)
- TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1
Description
Past versions of TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) are vulnerable to ClassLoader manipulation because they use an old version of Spring Framework that contains the vulnerability.
According to the developer, this vulnerability is caused by an improper input validation issue (CWE-20) in the binding mechanism of Spring MVC.
Impact
If the application processes a specially crafted file, arbitrary code may be executed with the privileges of the application.
Solution
Update the software
Update the software to the latest version according to the information provided by the developer.
Note that additional workarounds may be required depending on the system environment.
For more information, refer to the information provided by the developer.
Apply the Workaround
If an update cannot be applied, the developer recommends that users apply the workaround.
For more information, refer to the information provided by the developer.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
FUJITSU LIMITED | Vulnerable, investigating | 2022/11/28 | |
NTT DATA Corporation | Vulnerable | 2022/11/14 | |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
NTT DATA Corporation reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and NTT DATA Corporation coordinated under the Information Security Early Warning Partnership.
Other Information
CVE | CVE-2022-43484 |
JVN iPedia | JVNDB-2022-000088 |
Update History
- 2022/11/28
- FUJITSU LIMITED update status