Hitachi uCosminexus Application Server Component Container session hijacking

hitachi-container-session-hijacking (35706) The risk level is classified as MediumMedium Risk

Description:

Hitachi uCosminexus Application Server could allow an authenticated remote attacker to hijack another valid user's session, caused by a vulnerability in the Component Container. A remote attacker could exploit this vulnerability to hijack a victim's session.

Platforms Affected:

  • Hitachi, Cosminexus App Server 6 EE AIX 06-50 - 06-50-/F
  • Hitachi, Cosminexus App Server 6 EE HP-UX 06-50 - 06-50-/E
  • Hitachi, Cosminexus App Server 6 EE HP-UX IPF 06-50 - 06-50-/D
  • Hitachi, Cosminexus App Server 6 EE Linux 06-50 to 06-50-/C
  • Hitachi, Cosminexus App Server 6 EE Linux 06-51 to 06-51-/D
  • Hitachi, Cosminexus App Server 6 EE Linux IPF 06-50 to 06-50-/B
  • Hitachi, Cosminexus App Server 6 EE Linux IPF 06-51 to 06-51-/B
  • Hitachi, Cosminexus App Server 6 EE Solaris 06-50 to 06-50-/C
  • Hitachi, Cosminexus App Server 6 EE Win 06-50 - 06-50-/E
  • Hitachi, Cosminexus App Server 6 EE Win 06-51 - 06-51-/H
  • Hitachi, Cosminexus App Server 6 SE AIX 06-50 - 06-50-/F
  • Hitachi, Cosminexus App Server 6 SE HP-UX 06-50 - 06-50-/E
  • Hitachi, Cosminexus App Server 6 SE HP-UX IPF 06-50 - 06-50-/D
  • Hitachi, Cosminexus App Server 6 SE Linux 06-50 to 06-50-/C
  • Hitachi, Cosminexus App Server 6 SE Linux 06-51 to 06-51-/D
  • Hitachi, Cosminexus App Server 6 SE Linux IPF 06-50 to 06-50-/B
  • Hitachi, Cosminexus App Server 6 SE Linux IPF 06-51 to 06-51-/B
  • Hitachi, Cosminexus App Server 6 SE Solaris 06-50 to 06-50-/C
  • Hitachi, Cosminexus App Server 6 SE Win 06-50 - 06-50-/E
  • Hitachi, Cosminexus App Server 6 SE Win 06-51 - 06-51-/H
  • Hitachi, Cosminexus Collaboration Portal for Win 06-10-/E
  • Hitachi, Cosminexus Developer 6 LE Win 06-50 to 06-50-/E
  • Hitachi, Cosminexus Developer 6 LE Win 06-51 to 06-51-/H
  • Hitachi, Cosminexus Developer 6 PE Win 06-50 to 06-50-/E
  • Hitachi, Cosminexus Developer 6 PE Win 06-51 to 06-51-/H
  • Hitachi, Cosminexus Developer 6 SE Win 06-50 - 06-50-/E
  • Hitachi, Cosminexus Developer 6 SE Win 06-51 - 06-51-/H
  • Hitachi, Cosminexus ERP Integrator Win 01-02
  • Hitachi, Cosminexus/OpenTP1 Web Front-end Win 02-50
  • Hitachi, Cosminexus/OpenTP1 Web Front-end Win 02-50-/A
  • Hitachi, Electronic Form Workflow Dev Win 06-70-/D
  • Hitachi, Electronic Form Workflow Dev Win 07-11
  • Hitachi, Electronic Form Workflow Dev Win 07-11-/A
  • Hitachi, Electronic Form Workflow Dev Win 7-00-/B
  • Hitachi, Electronic Form Workflow Dev Win 7-10
  • Hitachi, Electronic Form Workflow Prof Linux 7-00/B
  • Hitachi, Electronic Form Workflow Prof Linux 7-10
  • Hitachi, Electronic Form Workflow Prof Win 06-70-/D
  • Hitachi, Electronic Form Workflow Prof Win 07-11
  • Hitachi, Electronic Form Workflow Prof Win 07-11-/A
  • Hitachi, Electronic Form Workflow Prof Win 7-00-/B
  • Hitachi, Electronic Form Workflow Prof Win 7-10
  • Hitachi, Electronic Form Workflow Std Linux 7-00-/B
  • Hitachi, Electronic Form Workflow Std Linux 7-10
  • Hitachi, Electronic Form Workflow Std Win 06-70-/D
  • Hitachi, Electronic Form Workflow Std Win 07-11
  • Hitachi, Electronic Form Workflow Std Win 07-11-/A
  • Hitachi, Electronic Form Workflow Std Win 7-00-/B
  • Hitachi, Electronic Form Workflow Std Win 7-10
  • Hitachi, Groupmax Collaboration Portal for Win 07-10-/E
  • Hitachi, Groupmax Collaboration Portal for Win 07-20-/D
  • Hitachi, Groupmax Collaboration Portal for Win 07-30-/D
  • Hitachi, uCosminexus Application Server AIX 06-70 - 06-70-/E
  • Hitachi, uCosminexus Application Server AIX 07-00
  • Hitachi, uCosminexus Application Server AIX 07-10
  • Hitachi, uCosminexus Application Server for HP-UX 06-70 to 06-70-/C
  • Hitachi, uCosminexus Application Server for HP-UX 06-72 to 06-72-/A
  • Hitachi, uCosminexus Application Server for HP-UX 07-10
  • Hitachi, uCosminexus Application Server for Win 06-70 - 06-70-/C
  • Hitachi, uCosminexus Application Server for Win 06-71 - 06-71-/C
  • Hitachi, uCosminexus Application Server for Win 07-00 to 07-00-03
  • Hitachi, uCosminexus Application Server for Win 07-10 to 07-10-01
  • Hitachi, uCosminexus Application Server for Win 07-20 - 07-20-01
  • Hitachi, uCosminexus Application Server HP-UX IPF 06-70 - 06-70-/H
  • Hitachi, uCosminexus Application Server HP-UX IPF 07-00
  • Hitachi, uCosminexus Application Server HP-UX IPF 07-10
  • Hitachi, uCosminexus Application Server Linux 06-70 - 06-70-/C
  • Hitachi, uCosminexus Application Server Linux 06-71 - 06-71-/C
  • Hitachi, uCosminexus Application Server Linux 07-00 to 07-00-01
  • Hitachi, uCosminexus Application Server Linux 07-10
  • Hitachi, uCosminexus Application Server Linux IPF 06-70 - 06-70-/B
  • Hitachi, uCosminexus Application Server Linux IPF 07-10 to 07-10-01
  • Hitachi, uCosminexus Application Server Solaris 06-70 - 06-70-/C
  • Hitachi, uCosminexus Application Server Solaris 07-00 to 07-00-01
  • Hitachi, uCosminexus Application Server Win IPF 06-70 to 06-70-/A
  • Hitachi, uCosminexus Collaboration Portal for Win 06-20-/D
  • Hitachi, uCosminexus Collaboration Portal for Win 06-30-/D
  • Hitachi, uCosminexus Developer Light Win 06-70 - 06-70-/C
  • Hitachi, uCosminexus Developer Light Win 06-71 - 06-71-/C
  • Hitachi, uCosminexus Developer Professional Win 06-70 - 06-70-/C
  • Hitachi, uCosminexus Developer Professional Win 06-71 - 06-71-/C
  • Hitachi, uCosminexus Developer Professional Win 07-00 to 07-00-03
  • Hitachi, uCosminexus Developer Professional Win 07-10 to 07-10-01
  • Hitachi, uCosminexus Developer Professional Win 07-20 - 07-20-01
  • Hitachi, uCosminexus Developer Standard Win 06-70 - 06-70-/C
  • Hitachi, uCosminexus Developer Standard Win 06-71 - 06-71-/C
  • Hitachi, uCosminexus Developer Standard Win 07-00 to 07-00-03
  • Hitachi, uCosminexus Developer Standard Win 07-10 to 07-10-01
  • Hitachi, uCosminexus Developer Standard Win 07-20 - 07-20-01
  • Hitachi, uCosminexus ERP Integrator Win 01-02
  • Hitachi, uCosminexus ERP Integrator Win 2-00
  • Hitachi, uCosminexus Service Architect Win 07-00 to 07-00-03
  • Hitachi, uCosminexus Service Architect Win 07-10 to 07-10-01
  • Hitachi, uCosminexus Service Architect Win 07-20 - 07-20-01
  • Hitachi, uCosminexus Service Platform AIX 07-10
  • Hitachi, uCosminexus Service Platform Win 07-10 to 07-10-01
  • Hitachi, uCosminexus Service Platform Win 07-20 - 07-20-01
  • Hitachi, uCosminexus/OpenTP1 Web Front-end Win 02-70

Remedy:

Refer to HS07-024 for patch, upgrade, or suggested workaround information. See References.

Consequences:

Gain Privileges

References:

  • HS07-024 , Problem about Handling Session Data when Using the Session Failover Function in uCosminexus Application Server at http://www.hitachi-support.com/security_e/vuls_e/HS07-024_e/index-e.html.
  • BID-25145: Hitachi uCosminexus Application Server Session Failover User Data Leak Vulnerability
  • CVE-2007-4124: The session failover function in Cosminexus Component Container in Cosminexus 6, 6.7, and 7 before 20070731, as used in multiple Hitachi products, can use session data for the wrong user under unspecified conditions, which might allow remote authenticated users to obtain sensitive information, corrupt another user's session data, and possibly gain privileges.
  • SA26250: Hitachi Products Cosminexus Component Container Improper Session Data Handling
  • VUPEN/ADV-2007-2725: Hitachi Cosminexus Component Container Module Session Handling Vulnerability

Reported:

Jul 31, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page