
IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in Multiple Cybozu Products


Published: April 20, 2010

Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) issued a security alert concerning a security vulnerability in multiple Cybozu products on April 20, 2010.
This vulnerability allows an attacker to access the Cybozu system as a registered user using the user’s cell phone ID.
If exploited, the user’s personal information held in the Cybozu system may be disclosed to or altered by the attacker.

To fix this vulnerability, update to the fixed version or apply the workaround, following the instructions provided by the product developer.

1. Overview

Cybozu Office 7 Ktai and Cybozu Dotsales, developed by Cybozu Inc., are groupware products intended for corporate use. They have a security vulnerability that allows an attacker to access the Cybozu system as a registered user using the user’s cell phone ID. If exploited, the user’s personal information held in the Cybozu system may be disclosed to or altered by the attacker.

Given the high potential impact of the vulnerability and the wide use of the Cybozu products in Japan, IPA has issued this security alert to raise awareness among the users who may be affected by this vulnerability.

For detailed information, refer to the following URL:
http://cybozu.co.jp/products/dl/notice/detail/0034.html (Japanese)

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2010-000016

IPA and JPCERT Coordination Center (JPCERT/CC) received a report concerning this vulnerability directly from the product developer on April 15, 2010, in line with the Information Security Early Warning Partnership, and made the announcement public on April 20, 2010.

2. Impact

The user’s personal information held in the Cybozu system may be disclosed to or altered by a malicious attacker.


3. Solution

To fix this vulnerability, update to the fixed version or apply the workaround, following the instructions provided by the product developer.

4. CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score): □ Low (0.0~3.9) ■ Medium (4.0~6.9) □ High (7.0~10.0)
CVSS base score: 5.8

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent Network ■ Network
AC:Access Complexity □ High ■ Medium □ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact □ None ■ Partial □ Complete
I:Integrity Impact □ None ■ Partial □ Complete
A:Availability Impact ■ None □ Partial □ Complete

■:Selected Values

5. CWE Type

This vulnerability has been CWE classified as “Permissions, Privileges, and Access Controls (CWE-264)”.

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: