Published:2014/04/30 Last Updated:2014/05/14
JVN#90519014
Cybozu Garoon Phone Messages vulnerable to denial-of-service (DoS)
Overview
Cybozu Garoon contains contains a denial-of-service (DoS) vulnerability in the Phone Messages function.
Products Affected
- Cybozu Garoon 3.7.0 to 3.7 Service Pack 2
Description
Cybozu Garoon provided by Cybozu, Inc. is a groupware. Cybozu Garoon contains a denial-of-service (DoS) vulnerability in the Phone Messages function.
Impact
Processing input from a user who can log in to the system may cause
denial-of-service (DoS) condition on the server by consuming high system resources.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Cybozu, Inc. | Vulnerable | 2014/04/30 | Cybozu, Inc. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.04.30 (CVSS Base Metrics)
| Measures | Severity | Description | ||
|---|---|---|---|---|
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) | A vulnerability exploitable with network access means the vulnerable software is bound to the network stack and the attacker does not require local network access or local access. Such a vulnerability is often termed "remotely exploitable". |
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) | The access conditions are somewhat specialized. |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) | The vulnerability requires an attacker to be logged into the system (such as at a command line or via a desktop session or web interface). |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) | There is no impact to the confidentiality of the system. |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) | There is no impact to the integrity of the system. |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) | There is reduced performance or interruptions in resource availability. |
Base Score:3.5
Credit
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2014-1988 |
| JVN iPedia |
JVNDB-2014-000042 |
Update History
- 2014/05/14
- Information under the section "Products Affected" was updated.