Multiple vulnerabilities in EXPRESSCLUSTER X
Number: NV22-014
CVE: CVE-2022-34822, CVE-2022-34823, CVE-2022-34824, CVE-2022-34825
Overview
EXPRESSCLUSTER X contains the following vulnerabilities:
Relative Path Traversal - CVE-2022-34822
Stack-based Buffer Overflow - CVE-2022-34823
Incorrect Default Permissions - CVE-2022-34824
Uncontrolled Search Path Element - CVE-2022-34825
Products Affected
EXPRESSCLUSTER X
Affected Versions
EXPRESSCLUSTER X 1.0 for Windows
EXPRESSCLUSTER X 2.0 for Windows
EXPRESSCLUSTER X 2.1 for Windows
EXPRESSCLUSTER X 3.0 for Windows
EXPRESSCLUSTER X 3.1 for Windows
EXPRESSCLUSTER X 3.2 for Windows
EXPRESSCLUSTER X 3.3 for Windows
EXPRESSCLUSTER X 4.0 for Windows
EXPRESSCLUSTER X 4.1 for Windows
EXPRESSCLUSTER X 4.2 for Windows
EXPRESSCLUSTER X 4.3 for Windows
EXPRESSCLUSTER X 5.0 for Windows
EXPRESSCLUSTER X SingleServerSafe 1.0 for Windows
EXPRESSCLUSTER X SingleServerSafe 2.0 for Windows
EXPRESSCLUSTER X SingleServerSafe 2.1 for Windows
EXPRESSCLUSTER X SingleServerSafe 3.0 for Windows
EXPRESSCLUSTER X SingleServerSafe 3.1 for Windows
EXPRESSCLUSTER X SingleServerSafe 3.2 for Windows
EXPRESSCLUSTER X SingleServerSafe 3.3 for Windows
EXPRESSCLUSTER X SingleServerSafe 4.0 for Windows
EXPRESSCLUSTER X SingleServerSafe 4.1 for Windows
EXPRESSCLUSTER X SingleServerSafe 4.2 for Windows
EXPRESSCLUSTER X SingleServerSafe 4.3 for Windows
EXPRESSCLUSTER X SingleServerSafe 5.0 for Windows
Solution
CVE-2022-34822, CVE-2022-34823
Apply the patch for the version in use. Patches are provided for the following versions:
5.0
https://www.support.nec.co.jp/View.aspx?id=9010110486
4.3
https://www.support.nec.co.jp/View.aspx?id=9010110494
3.3
https://www.support.nec.co.jp/View.aspx?id=3140107057
Apply a Workaround
Enable the firewall and block unnecessary communication. For the following port, accept connection requests only from the management client:
- WebManager HTTP port (default: 29003)
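The following is an added example of that workaround on Windows Firewall; it is not part of the NEC advisory. It assumes the WebManager HTTP port is still the default 29003 and that the management client's address is 192.0.2.10 (a placeholder to replace). Because Windows Firewall evaluates Block rules before Allow rules, a blanket Block rule on the port would also cut off the management client, so the script instead relies on the default inbound Block action, disables any existing allow rule that opens the port to Any remote address, and adds one allow rule scoped to the management client.

```powershell
# Added example, not from the NEC advisory: scope inbound access to the
# WebManager HTTP port to the management client only.
# Assumptions (not stated on the page): the port is still the default 29003,
# and the management client's address is 192.0.2.10 (placeholder; replace it).
$Port      = 29003
$MgmtHosts = @('192.0.2.10')

# 1. Turn the firewall on for every profile and make Block the default for
#    inbound traffic, so anything without an explicit allow rule is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Disable existing inbound allow rules that open the port to any remote
#    address. Windows Firewall evaluates Block rules before Allow rules, so
#    adding a Block rule on top would also cut off the management client;
#    the broad allow rules have to go instead.
$rulesOnPort = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

foreach ($rule in $rulesOnPort) {
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($rule.Action -eq 'Allow' -and $remote -contains 'Any') {
        Write-Host "Disabling broad allow rule: $($rule.DisplayName)"
        Disable-NetFirewallRule -Name $rule.Name
    }
}

# 3. Allow the port from the management client only.
New-NetFirewallRule -DisplayName "EXPRESSCLUSTER WebManager HTTP $Port (management client only)" `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $MgmtHosts -Action Allow -Profile Any | Out-Null

# 4. Verify: every enabled rule that still matches the port, with its scope.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        '{0,-55} {1,-8} {2,-6} {3}' -f $_.DisplayName, $_.Direction, $_.Action, $remote
    }
```

Run it from an elevated PowerShell session. The port filter only catches rules that name the port; an allow rule scoped to a program rather than a port (LocalPort "Any") also admits connections to 29003 and must be reviewed by hand, for example with `Get-NetFirewallApplicationFilter | Get-NetFirewallRule`. If the WebManager port was changed at installation, set `$Port` accordingly.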
CVE-2022-34824, CVE-2022-34825
If the installation destination was changed from the default, remove unnecessary access rights from the installation directory.
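The following is an added example of auditing and tightening those access rights; it is not part of the NEC advisory. It assumes a non-default installation directory of D:\EXPRESSCLUSTER (a placeholder) and that the product's services run as SYSTEM, so SYSTEM and Administrators are the only principals that need write access. A directory created outside Program Files typically inherits the drive root's ACL, which grants Authenticated Users the right to create files and subfolders; that is what turns an incorrect default permission or an uncontrolled search path into a DLL-planting or binary-replacement opportunity, so the script looks for write-capable ACEs held by anyone outside the trusted set and, when `$Apply` is set, replaces them with read and execute.

```powershell
# Added example, not from the NEC advisory: find and remove write access held
# by non-administrative principals on a non-default installation directory.
# Assumptions (not stated on the page): the install directory is
# D:\EXPRESSCLUSTER (placeholder), and the product's services run as SYSTEM,
# so SYSTEM and Administrators are the only principals that need write access.
$InstallDir = 'D:\EXPRESSCLUSTER'
$Apply      = $false   # $true to change ACLs; $false only reports
# CREATOR OWNER only matters for files a principal could already create.
$Trusted    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

# Any of these bits lets a principal create, replace, delete or re-permission
# files, i.e. plant a DLL on the search path or swap a binary a service runs.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                   $R::TakeOwnership) -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

function Get-RiskyWriteAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Remove-RiskyWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    if (@(Get-RiskyWriteAce -Path $Path | Where-Object Inherited).Count -gt 0) {
        # A risky ACE flows in from the parent (for example a drive root):
        # stop inheriting, keeping the current ACEs as explicit entries so
        # they can be edited here.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $Path -AclObject $acl
        $acl = Get-Acl -LiteralPath $Path
    }
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        # Replace the write-capable ACE with read and execute, so the principal
        # can still run what is installed but can no longer change it.
        [void]$acl.RemoveAccessRule($ace)
        $ro = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $ace.IdentityReference, 'ReadAndExecute', $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
        $acl.AddAccessRule($ro)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audit the directory itself and everything below it.
$targets  = @(Get-Item -LiteralPath $InstallDir) + @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)
$findings = foreach ($t in $targets) { Get-RiskyWriteAce -Path $t.FullName }
$findings | Format-Table -AutoSize

if ($Apply -and $findings) {
    # Tighten the root first: inherited ACEs below it change with it. Then
    # re-audit and fix only what is still explicitly granted on children.
    Remove-RiskyWriteAccess -Path $InstallDir
    $remaining = foreach ($t in $targets) { Get-RiskyWriteAce -Path $t.FullName }
    foreach ($p in ($remaining | Select-Object -ExpandProperty Path -Unique)) {
        Remove-RiskyWriteAccess -Path $p
    }
    Write-Host "Re-check:"
    foreach ($t in $targets) { Get-RiskyWriteAce -Path $t.FullName } | Format-Table -AutoSize
}
```

Run it elevated, first with `$Apply = $false` to see what would change. If the product's services run under a dedicated account rather than SYSTEM, add that account to `$Trusted` before applying, and keep a backup of the original ACLs (for example `icacls D:\EXPRESSCLUSTER /save acl-backup.txt /T`) so the change can be reverted.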
References
CVE-2022-34822
https://www.cve.org/CVERecord?id=CVE-2022-34822
CVE-2022-34823
https://www.cve.org/CVERecord?id=CVE-2022-34823
CVE-2022-34824
https://www.cve.org/CVERecord?id=CVE-2022-34824
CVE-2022-34825
https://www.cve.org/CVERecord?id=CVE-2022-34825
Credit
Reported by Mr. Michael Heinzl to NEC-PSIRT.
Update
- 2022/11/04: First edition