Security Alert for Vulnerability in Multiple Cybozu Products
Published: April 20, 2010
Information-technology Promotion Agency, Japan (IPA, Chairman Koji Nishigaki) issued a security alert on April 20, 2010 concerning a security vulnerability in multiple Cybozu products.
This vulnerability allows an attacker to access the Cybozu system as a registered user using the user’s cell phone ID.
If exploited, the user’s personal information held in the Cybozu system may be disclosed to or altered by the attacker.
To fix this vulnerability, update to the fixed version or apply the workaround, following the instructions provided by the product developer.
Cybozu Office 7 Ktai and Cybozu Dotsales, developed by Cybozu Inc., are groupware intended for corporate use. They have a security vulnerability that allows an attacker to access the Cybozu system as a registered user using the user’s cell phone ID. If exploited, the user’s personal information held in the Cybozu system may be disclosed to or altered by the attacker.
Given the high potential impact of the vulnerability and the wide use of the Cybozu products in Japan, IPA has issued the security alert to raise awareness among the users who may be affected by this vulnerability.
For detailed information, refer to the following URL:
http://cybozu.co.jp/products/dl/notice/detail/0034.html (Japanese)
For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2010-000016
IPA and JPCERT Coordination Center (JPCERT/CC) received a report concerning this vulnerability directly from the product developer on April 15, 2010, in line with the Information Security Early Warning Partnership, and made the announcement public on April 20, 2010.
The user’s personal information held in the Cybozu system may be disclosed to or altered by a malicious attacker.
To fix this vulnerability, update to the fixed version or apply the workaround, following the instructions provided by the product developer.
| Severity Rating (CVSS base score) | □ Low (0.0~3.9) | ■ Medium (4.0~6.9) | □ High (7.0~10.0) |
|---|---|---|---|
| CVSS base score | 5.8 | | |

| Metric | | | |
|---|---|---|---|
| AV:Access Vector | □ Local | □ Adjacent Network | ■ Network |
| AC:Access Complexity | □ High | ■ Medium | □ Low |
| Au:Authentication | □ Multiple | □ Single | ■ None |
| C:Confidentiality Impact | □ None | ■ Partial | □ Complete |
| I:Integrity Impact | □ None | ■ Partial | □ Complete |
| A:Availability Impact | ■ None | □ Partial | □ Complete |

■:Selected Values
IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)