JVNVU#93704047
Multiple vulnerabilities in EXPRESSCLUSTER X

Overview

EXPRESSCLUSTER X provided by NEC Corporation contains multiple vulnerabilities.

Products Affected

• EXPRESSCLUSTER X 1.0 for Windows
• EXPRESSCLUSTER X 2.0 for Windows
• EXPRESSCLUSTER X 2.1 for Windows
• EXPRESSCLUSTER X 3.0 for Windows
• EXPRESSCLUSTER X 3.1 for Windows
• EXPRESSCLUSTER X 3.2 for Windows
• EXPRESSCLUSTER X 3.3 for Windows
• EXPRESSCLUSTER X 4.0 for Windows
• EXPRESSCLUSTER X 4.1 for Windows
• EXPRESSCLUSTER X 4.2 for Windows
• EXPRESSCLUSTER X 4.3 for Windows
• EXPRESSCLUSTER X 5.0 for Windows
• EXPRESSCLUSTER X SingleServerSafe 1.0 for Windows
• EXPRESSCLUSTER X SingleServerSafe 2.0 for Windows
• EXPRESSCLUSTER X SingleServerSafe 2.1 for Windows
• EXPRESSCLUSTER X SingleServerSafe 3.0 for Windows
• EXPRESSCLUSTER X SingleServerSafe 3.1 for Windows
• EXPRESSCLUSTER X SingleServerSafe 3.2 for Windows
• EXPRESSCLUSTER X SingleServerSafe 3.3 for Windows
• EXPRESSCLUSTER X SingleServerSafe 4.0 for Windows
• EXPRESSCLUSTER X SingleServerSafe 4.1 for Windows
• EXPRESSCLUSTER X SingleServerSafe 4.2 for Windows
• EXPRESSCLUSTER X SingleServerSafe 4.3 for Windows
• EXPRESSCLUSTER X SingleServerSafe 5.0 for Windows

In regards to CVE-2022-34824 and CVE-2022-34825, the developer states as follows:
The product is not affected by CVE-2022-34824 and CVE-2022-34825 vulnerabilities if the directory where the product is to be installed (C:\Program Files\EXPRESSCLUSTER or C:\Program Files\EXPRESSCLUSTER SSS) is not changed from the default settings.

For more information, refer to the information provided by the developer.

Description

EXPRESSCLUSTER X provided by NEC Corporation contains multiple vulnerabilities listed below.

• Path Traversal (CWE-22) - CVE-2022-34822
• Stack-based Buffer Overflow (CWE-121) - CVE-2022-34823
• Incorrect Default Permissions (CWE-276) - CVE-2022-34824
• Uncontrolled Search Path Element (CWE-427) - CVE-2022-34825

Impact

A remote attacker may overwrite the existing files on the system, which may result in arbitrary code execution.

Solution

Solutions for CVE-2022-34822 and CVE-2022-34823:
Apply the patch or workarounds according to the information provided by the developer.

Apply Patch

• EXPRESSCLUSTER X 5.0 Series
• EXPRESSCLUSTER X 4.3 Series
• EXPRESSCLUSTER X 3.3 Series

Apply Workaround
Applying the following workarounds may mitigate the impacts of these vulnerabilities.

• Use firewall and block untrusted communication
• Allow connection requests to WebManager HTTP Port (Default: 29003/TCP) only from the trusted clients

Solutions for CVE-2022-34824 and CVE-2022-34825:
Applying the following workaround may mitigate the impacts of these vulnerabilities if the product has been installed under the directory where the access permission is set to a user other than the administrator.

Apply Workaround

• Check EXPRESSCLUSTER X installation directory, and delete unnecessary access permission

For more information, refer to the information provided by the developer.