JVNVU#91417143
Multiple vulnerabilities in GigaCC OFFICE

Overview

GigaCC OFFICE provided by WAM!NET Japan K.K. contains multiple vulnerabilities.

Products Affected

• GigaCC OFFICE ver.2.3 and earlier

Description

• Mis-configuration of Apache Velocity template engine which is used to send emails - CVE-2016-7844

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L	Base Score: 5.5
  CVSS v2	AV:N/AC:M/Au:S/C:P/I:P/A:P	Base Score: 6.0

• Apache Struts 1 vulnerability that allows unintended remote operations against components on server memory - CVE-2016-1181

  CVSS v3	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	Base Score: 8.1
  CVSS v2	AV:N/AC:M/Au:N/C:P/I:P/A:P	Base Score: 6.8

• Arbitrary files may be uploaded - CVE-2016-7845

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L	Base Score: 5.4
  CVSS v2	AV:N/AC:L/Au:S/C:P/I:N/A:P	Base Score: 5.5

Impact

• Sending emails using a specially crafted mail template may result in an arbitrary OS command executed on the server - CVE-2016-7844
• Denial of Service (DoS) condition may be caused by processing a specially crafted request - CVE-2016-1181
• An arbitrary file can be uploaded as a profile image file by a user, which may be used for unauthorized file sharing - CVE-2016-7845

Solution

Solution for CVE-2016-7844 and CVE-2016-1181 vulnerabilities：
Update to the latest version and then apply a patch
Update to GigaCC OFFICE ver.2.3 and then apply an appropriate patch according to the information provided by the developer.

Solution for CVE-2016-7845 vulnerability：
Update to the latest version and apply Patch 1, and then apply an update module
Update to Giga CC OFFICE ver.2.4 and apply Patch 1, and then apply an update module according to the information provided by the developer.