Multiple vulnerabilities were found in Hitachi Web Server (HWS). Malicious remote users can exploit the following vulnerabilities:
Vulnerability #1: Protocol-version rollback vulnerability in OpenSSL
When a client attempts to connect to a Web server by using the SSL 3.0 or TLS 1.0 protocol, an attacker might replace the connection with SSL 2.0 protocol.
Please note that this vulnerability does not affect an encrypted SSL 2.0 protocol connection.
Vulnerability #2: Cross-site scripting vulnerability with image maps
An attacker might make a malicious script in another web site, insert the script into the contents automatically created by HWS, and then execute the script on the client.
Vulnerability #3: Cross-site scripting vulnerability using an Expect header
An attacker might send a message with an Expect header containing a malicious script to HWS, insert the script into the error contents automatically created by HWS, and then execute the script on the client.
The affected products are listed below. Please upgrade the version of HWS in your system to the appropriate version.
Please note that these vulnerabilities also affect Cosminexus products that bundle HWS. For details on the affected versions, see the information on Cosminexus products.
[Affected models, versions, and fixed versions]
Hitachi Web Server products
| Product name | Model | Version | Platform | Vulnerabilities (*1) |
Fixed version | Release time | Last update | ||
|---|---|---|---|---|---|---|---|---|---|
| #1 | #2 | #3 | |||||||
| Hitachi Web Server | P-2441-E174 | 03-00 | Windows | No | Yes | Yes | 03-00-01 | December 15, 2006 | January 24, 2007 |
| P-2441-E151 | 02-00 – 02-04-/B |
Yes | Yes | Yes | 02-04-/C | December 15, 2006 | January 24, 2007 | ||
| P-2841-E151 | 02-03 – 02-04-/A |
Windows (IPF) |
No | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-1B41-E151 | 02-00 – 02-04-/A |
HP-UX | Yes | Yes | Yes | 02-04-/B | December 15, 2006 | January 24, 2007 | |
| E-1B41-E121 | 01-00 – 01-02-/D |
Yes | Yes | Yes | (*2) | January 24, 2007 | |||
| P-1B41-E111 | 01-00 – 01-02-/D |
Yes | Yes | Yes | (*2) | January 24, 2007 | |||
| E-1B41-E121B1 | 01-00 – 01-02-/D |
Yes | Yes | Yes | (*2) | January 24, 2007 | |||
| P-1J41-E171 | 03-00 | HP-UX (IPF) |
No | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-1J41-E151 | 02-02 – 02-04-/A |
Yes | Yes | Yes | 02-04-/B | December 15, 2006 | January 24, 2007 | ||
| P-9D41-E171 | 03-00 | Solaris | No | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-9D41-E151 | 02-00 – 02-04-/A |
Yes | Yes | Yes | 02-04-/B | December 15, 2006 | January 24, 2007 | ||
| P-9D41-E111 | 01-00 – 01-02-/D |
Yes | Yes | Yes | (*3) | January 24, 2007 | |||
| P-9S41-E171 | 03-00 | Linux | No | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-9S41-E161 | 02-02 – 02-06 |
Yes | Yes | Yes | 02-06-/A | December 15, 2006 | January 24, 2007 | ||
| P-9S41-E151 | 02-00 – 02-00-/A |
Yes | Yes | Yes | (*4) | January 24, 2007 | |||
| P-9S41-E111 | 01-01 – 01-01-/D |
Yes | Yes | Yes | (*4) | January 24, 2007 | |||
| P-9V41-E161 | 02-02 – 02-04-/A |
Linux (IPF) |
No | Yes | Yes | 02-04-/B | December 15, 2006 | January 24, 2007 | |
| P-1M41-E171 | 03-00 | AIX | Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-1M41-E151 | 02-00 – 02-04-/A |
Yes | Yes | Yes | 02-04-/B | December 15, 2006 | January 24, 2007 | ||
| P-1M41-E111 | 01-01 – 01-02-/E |
Yes | Yes | Yes | (*5) | January 24, 2007 | |||
| P-1L41-E111 | 01-01 | Turbolinux Server 6 for MP Series |
Yes | Yes | Yes | (*6) | January 24, 2007 | ||
| P-1L41-E151 | 02-00 | Turbolinux Server 7 for AP8000 |
Yes | Yes | Yes | (*6) | January 24, 2007 | ||
| Hitachi Web Server – Security Enhancement | P-F1J41-E1511 | 02-04 – 02-04-/A |
HP-UX (IPF) |
Yes | Yes | Yes | 02-04-/B | December 15, 2006 | January 24, 2007 |
| Hitachi Web Server – Custom Edition | P-F9S41-E1611 | 02-06 | Linux | No | Yes | Yes | (*6) | January 24, 2007 | |
| Hitachi Web Server for VOS3 | S-1255-51 | 01-00 – 01-03 |
VOS3 | Yes | No | No | (*6) | January 24, 2007 | |
| (*1) | Yes: The product is affected by the specified vulnerability. No: The product is not affected by the specified vulnerability. |
| (*2) | Please upgrade to version 02-04-/B for P-1B41-E151 and later models. |
| (*3) | Please upgrade to version 02-04-/B for P-9D41-E151 and later models. |
| (*4) | Please upgrade to version 02-06-/A for P-9S41-E161 and later models. |
| (*5) | Please upgrade to version 03-00-01 for P-1M41-E171 and later models. Alternatively, please upgrade to version 02-04-/B for P-1M41-E151 and later models. |
| (*6) | For detailed information about this model, contact your Hitachi support service representative. |
| Product name | Model | Version | Platform | Vulnerabilities (*7) |
Fixed version | Release time | Last update | ||
|---|---|---|---|---|---|---|---|---|---|
| #1 | #2 | #3 | |||||||
| uCosminexus Application Server Standard | P-2443-7D74 | 07-00 | Windows | Yes | Yes | Yes | 07-10 | December 21, 2006 | January 24, 2007 |
| P-2443-7D64 | 06-70 – 06-71-/A |
Yes | Yes | Yes | 06-71-/B | December 21, 2006 | January 24, 2007 | ||
| P-2843-7D64 | 06-70 | Windows (IPF) |
No | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-1B43-7D61 | 06-70 | HP-UX | Yes | Yes | Yes | 06-70-/B | December 21, 2006 | January 24, 2007 | |
| P-1J43-7D71 | 07-00 | HP-UX (IPF) |
Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-1J43-7D61 | 06-70 – 06-70-/F |
Yes | Yes | Yes | 06-70-/G | December 21, 2006 | January 24, 2007 | ||
| P-9D43-7D71 | 07-00 | Solaris | Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-9D43-7D61 | 06-70 – 06-70-/A |
Yes | Yes | Yes | Being scheduled | January 24, 2007 | |||
| P-9S43-7D71 | 07-00 | Linux | Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-9S43-7D61 | 06-70 – 06-71 |
Yes | Yes | Yes | 06-71-/B | December 21, 2006 | January 24, 2007 | ||
| P-9V43-7D61 | 06-70 – 06-70-/A |
Linux (IPF) |
No | Yes | Yes | 06-70-/B | December 21, 2006 | January 24, 2007 | |
| P-1M43-7D71 | 07-00 | AIX | Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-1M43-7D61 | 06-70 – 06-70-/B |
Yes | Yes | Yes | 06-70-/D | December 21, 2006 | January 24, 2007 | ||
| uCosminexus Application Server Enterprise | P-2443-7K74 | 07-00 | Windows | Yes | Yes | Yes | 07-10 | December 21, 2006 | January 24, 2007 |
| P-2443-7K64 | 06-70 – 06-71-/A |
Yes | Yes | Yes | 06-71-/B | December 21, 2006 | January 24, 2007 | ||
| P-2843-7K64 | 06-70 | Windows (IPF) |
No | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-1B43-7K61 | 06-70 | HP-UX | Yes | Yes | Yes | 06-70-/B | December 21, 2006 | January 24, 2007 | |
| P-1J43-7K71 | 07-00 | HP-UX (IPF) |
Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-1J43-7K61 | 06-70 – 06-70-/F |
Yes | Yes | Yes | 06-70-/G | December 21, 2006 | January 24, 2007 | ||
| P-9D43-7K71 | 07-00 | Solaris | Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-9D43-7K61 | 06-70 – 06-70-/A |
Yes | Yes | Yes | Being scheduled | January 24, 2007 | |||
| P-9S43-7K71 | 07-00 | Linux | Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-9S43-7K61 | 06-70 – 06-71 |
Yes | Yes | Yes | 06-71-/B | December 21, 2006 | January 24, 2007 | ||
| P-9V43-7K61 | 06-70 – 06-70-/A |
Linux (IPF) |
No | Yes | Yes | 06-71-/B | December 21, 2006 | January 24, 2007 | |
| P-1M43-7K71 | 07-00 | AIX | Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| P-1M43-7K61 | 06-70 – 06-70-/B |
Yes | Yes | Yes | 06-70-/D | December 21, 2006 | January 24, 2007 | ||
| uCosminexus Application Server Smart Edition | P-2443-7L74 | 07-00 | Windows | Yes | Yes | Yes | 07-10 | December 21, 2006 | January 24, 2007 |
| P-9S43-7L71 | 07-00 | Linux | Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| uCosminexus Developer Standard | P-2443-7E74 | 07-00 | Windows | Yes | Yes | Yes | 07-10 | December 21, 2006 | January 24, 2007 |
| P-2443-7B64 | 06-70 – 06-71-/A |
Yes | Yes | Yes | 06-71-/B | December 21, 2006 | January 24, 2007 | ||
| uCosminexus Developer Professional | P-2443-7F74 | 07-00 | Windows | Yes | Yes | Yes | 07-10 | December 21, 2006 | January 24, 2007 |
| P-2443-7F64 | 06-70 – 06-71-/A |
Yes | Yes | Yes | 06-71-/B | December 21, 2006 | January 24, 2007 | ||
| uCosminexus Developer Light | P-2443-7A64 | 06-70 – 06-71-/A |
Windows | Yes | Yes | Yes | 06-71-/B | December 21, 2006 | January 24, 2007 |
| uCosminexus Service Platform | P-2443-7S74 | 07-00 | Windows | Yes | Yes | Yes | 07-10 | December 21, 2006 | January 24, 2007 |
| P-9S43-7S71 | 07-00 | Linux | Yes | Yes | Yes | Being scheduled | January 24, 2007 | ||
| uCosminexus Service Architect | P-2443-7T74 | 07-00 | Windows | Yes | Yes | Yes | 07-10 | December 21, 2006 | January 24, 2007 |
| Cosminexus Application Server Standard Version 6 | P-2443-1D64 | 06-00 – 06-51-/G |
Windows | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| P-2843-1D64 | 06-00 – 06-51 |
Windows (IPF) |
Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-1B43-1D61 | 06-00 – 06-50-/D |
HP-UX | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-1J43-1D61 | 06-00 – 06-50-/C |
HP-UX (IPF) |
Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-9D43-1D61 | 06-00 – 06-50-/C |
Solaris | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-9S43-1D61 | 06-00 – 06-51-/C |
Linux | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-9V43-1D61 | 06-00 – 06-51-/B |
Linux (IPF) |
Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-1M43-1D61 | 06-00 – 06-50-/E |
AIX | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| Cosminexus Application Server Enterprise Version 6 | P-2443-1K64 | 06-00 – 06-51-/G |
Windows | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| P-2443-1C64 | 06-00 – 06-50 |
Yes | Yes | Yes | (*8) | January 24, 2007 | |||
| P-2843-1K64 | 06-00 – 06-51 |
Windows (IPF) |
Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-1B43-1K61 | 06-00 – 06-50-/D |
HP-UX | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-1J43-1K61 | 06-00 – 06-50-/C |
HP-UX (IPF) |
Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-9D43-1K61 | 06-00 – 06-50-/C |
Solaris | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-9S43-1K61 | 06-00 – 06-51-/C |
Linux | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-9V43-1K61 | 06-00 – 06-51-/B |
Linux (IPF) |
Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-1M43-1K61 | 06-00 – 06-50-/E |
AIX | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| Cosminexus Developer Standard Version 6 | P-2443-1B64 | 06-00 – 06-51-/G |
Windows | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| Cosminexus Developer Professional Version 6 | P-2443-1F64 | 06-00 – 06-51-/G |
Windows | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| Cosminexus Developer Light Version 6 | P-2443-1A64 | 06-00 – 06-51-/G |
Windows | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| Cosminexus Application Server Version 5 | P-2443-1D54 | 05-01 – 05-05-/N |
Windows | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| P-1B43-1B51 | 05-00 – 05-05-/G |
HP-UX | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-9S43-1B51 | 05-05 – 05-05-/G |
Linux | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-1M43-1B51 | 05-00 – 05-05-/L |
AIX | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| Cosminexus Developer Version 5 | P-2443-1F54 | 05-01 – 05-05-/N |
Windows | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| Cosminexus Server – Standard Edition Version 4 | P-1BZ4-1T41 | 04-01 | HP-UX | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| P-9DZ4-1E41 | 04-01 | Solaris | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| P-1MZ4-1E41 | 04-01 | AIX | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| Cosminexus Server – Web Edition Version 4 | P-1BZ4-1S41 | 04-01 | HP-UX | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| P-9DZ4-1D41 | 04-01 | Solaris | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| Cosminexus Server – Standard Edition | P-1BZ4-1T31 | 03-00 – 03-05 |
HP-UX | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| P-9DZ4-1E31 | 03-00 – 03-05 |
Solaris | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| Cosminexus Server – Enterprise Edition | P-1BZ4-1U31 | 03-00 – 03-05 |
HP-UX | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| P-9DZ4-1F31 | 03-00 – 03-05 |
Solaris | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| Cosminexus Server – Web Edition | P-1BZ4-1S31 | 03-00 – 03-05 |
HP-UX | Yes | Yes | Yes | (*8) | January 24, 2007 | |
| P-9DZ4-1D31 | 03-00 – 03-05 |
Solaris | Yes | Yes | Yes | (*8) | January 24, 2007 | ||
| (*7) | Yes: The product is affected by the specified vulnerability. No: The product is not affected by the specified vulnerability. |
| (*8) | For detailed information about this model, contact your Hitachi support service representative. |
For details on the fixed versions, contact your Hitachi support service representative.
Revision history
- January 24, 2007: Information about multiple vulnerabilities of Hitachi Web Server is released.