When a logical J2EE server or a logical user server is started from Cosminexus Manager in Cosminexus Application Server,
the group permissions of another user are sometimes granted to the activated server process.
As a result, the server process might be able to access files and directories that it should not be permitted to access.
Vulnerability description
When either of the following logical servers is started from Cosminexus Manager in Cosminexus Application Server, the group permissions of another user are sometimes granted to the activated server process:
- Logical J2EE server
  The problem occurs if a Component Container administrator has been registered and the logical J2EE server process is started from the management server. For logical J2EE servers, the affected Cosminexus versions are 06-50 and later.
- Logical user server
  The problem occurs if user-id tags and group-id tags have been set in the user server definition file and the logical user server process is started from the management server. For logical user servers, the affected Cosminexus versions are 07-00 and later.
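The advisory does not state how the extra group permissions reach the server process. A common cause in this class of bug is a launcher that switches uid and gid for the child but never resets the supplementary group list, so the child keeps groups inherited from the launching process. The following added example (written for this page, not code from Hitachi or Cosminexus) shows the check a practitioner would run: compute the group set the configured user is actually entitled to, initgroups(3)-style (the primary group plus every group in the group database that lists the user), and diff it against the supplementary groups reported in /proc/<pid>/status. The group database, user names, gids, and status excerpts are constructed for illustration; none are taken from a real Cosminexus installation.

```python
"""
Audit helper: does a server process hold supplementary groups beyond those
its configured user is entitled to?

Expected group set: the process's primary gid plus every group-database entry
that lists the configured user as a member, i.e. what initgroups(3) computes.
Any other gid on the process is a leaked group, typically inherited from the
parent that launched it without resetting its supplementary groups.
"""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupEntry:
    """One group-database record (the fields of a struct group)."""
    name: str
    gid: int
    members: tuple


def expected_groups(user: str, primary_gid: int, group_db) -> set:
    """initgroups(3) semantics: primary gid plus all groups naming `user`."""
    gids = {primary_gid}
    for g in group_db:
        if user in g.members:
            gids.add(g.gid)
    return gids


_GROUPS_LINE = re.compile(r"^Groups:\s*(.*)$", re.MULTILINE)
_ID_LINE = re.compile(r"^(Uid|Gid):\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$", re.MULTILINE)


def parse_proc_status(text: str) -> dict:
    """Extract effective uid/gid and the supplementary group list from
    the text of /proc/<pid>/status."""
    ids = {}
    for m in _ID_LINE.finditer(text):
        # columns are: real, effective, saved, filesystem
        ids[m.group(1).lower()] = int(m.group(3))
    m = _GROUPS_LINE.search(text)
    if m is None:
        raise ValueError("no Groups: line in status text")
    groups = {int(tok) for tok in m.group(1).split()}
    return {"uid": ids["uid"], "gid": ids["gid"], "groups": groups}


def leaked_groups(status_text: str, user: str, group_db) -> set:
    """Return the gids the process holds that `user` is not entitled to."""
    st = parse_proc_status(status_text)
    allowed = expected_groups(user, st["gid"], group_db)
    return st["groups"] - allowed


def drop_to(user: str, uid: int, gid: int) -> None:
    """Correct privilege-drop order for a launcher running as root (hypothetical
    helper, not the product's code): reset supplementary groups first, which
    still needs root, then the gid, then the uid."""
    os.initgroups(user, gid)   # replaces the launcher's supplementary groups
    os.setgid(gid)
    os.setuid(uid)


# Constructed group database (illustrative names and gids, not real data).
GROUP_DB = (
    GroupEntry("ccadmin", 1000, ("ccadmin",)),
    GroupEntry("appuser", 1001, ("appuser",)),
    GroupEntry("deploy", 2000, ("ccadmin", "appuser")),
    GroupEntry("manager", 3000, ("mngsvr",)),   # only the management-server user
)

# Constructed /proc/<pid>/status excerpt: a server launched as appuser whose
# supplementary groups were never reset, so gid 3000 leaked in from the parent.
STATUS_LEAKY = "Name:\tjava\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t1001 2000 3000\n"

# Constructed excerpt after an initgroups()-style launch: only appuser's groups.
STATUS_FIXED = "Name:\tjava\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t1001 2000\n"


if __name__ == "__main__":
    print("leaky launch, extra gids:", sorted(leaked_groups(STATUS_LEAKY, "appuser", GROUP_DB)))
    print("fixed launch, extra gids:", sorted(leaked_groups(STATUS_FIXED, "appuser", GROUP_DB)))
```

To run the check against a live server, replace STATUS_LEAKY with the contents of /proc/<pid>/status for the server process, build GROUP_DB from grp.getgrall() (each entry's gr_name, gr_gid and gr_mem map directly onto GroupEntry), and pass the user named in the user-id tag or the Component Container administrator's account; a non-empty result means the process carries groups that user does not own, which is exactly the condition the fixed versions remove.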
The affected products and their fixed versions are listed below. Upgrade to the appropriate fixed version.
Fixed products
The information is organized under the following headings:
(Example)
Product name: Gives the name of the fixed product.
Version:
- Platform
- Gives the fixed version and its release date.
Scheduled version:
- Platform
- Gives the fixed version scheduled to be released.
Product name(*2): uCosminexus Application Server Standard
Product name(*2): uCosminexus Application Server Enterprise
Version(s)(*4)(*5):
- Linux(IPF)
- 07-10-01 May 21, 2007
Fixed component product name(*4)(*5):
- Cosminexus Component Container
Fixed component product version(s)(*4)(*5):
- Linux
- 07-00-12 April 2, 2007
- 07-10-06 March 29, 2007
- AIX
- 07-00-12 April 2, 2007
- 07-10-06 March 29, 2007
- Solaris
- 07-00-12 May 23, 2007
- HP-UX
- 07-10-08 June 1, 2007
- Linux(IPF)
- 07-10-06 March 27, 2007
- HP-UX(IPF)
- 07-00-12 May 23, 2007
- 07-10-08 June 1, 2007
Product name(*2): uCosminexus Service Platform
Fixed component product name(*4)(*5):
- Cosminexus Component Container
Fixed component product version(s)(*4)(*5):
- Linux
- 07-00-12 April 2, 2007
- 07-10-06 March 29, 2007
- AIX
- 07-10-06 March 29, 2007
Product name: uCosminexus Application Server Standard
Product name: uCosminexus Application Server Enterprise
Version(s)(*4):
- Linux
- 06-71-/C May 21, 2007
- AIX
- 06-70-/E April 2, 2007
- Linux(IPF)
- 06-70-/C June 5, 2007
- HP-UX(IPF)
- 06-70-/I May 29, 2007
- Solaris
- 06-70-/D September 20, 2007
- HP-UX
- 06-70-/D November 1, 2007
- 06-72-/B October 15, 2007
Product name: Cosminexus Application Server Standard Version 6
Product name: Cosminexus Application Server Enterprise Version 6
Version(s)(*4):
- Linux
- 06-51-/D May 7, 2007
- AIX
- 06-50-/G June 21, 2007
Product name(*3): Electronic Form Workflow - Standard Set
Product name(*3): Electronic Form Workflow - Professional Library Set
Fixed component product name(*4)(*5):
- Cosminexus Component Container
Fixed component product version(s)(*4)(*5):
- Linux
- 07-00-12 April 2, 2007
For details on the fixed products, contact your Hitachi support service representative.
- *2
- If your system uses any of these products, apply either the fixed version of the product or the fixed Cosminexus Component Container version, which is a component product of these products.
For details about the required fixed version of Cosminexus Component Container, contact your Hitachi support service representative.
- *3
- If your system uses any of these products, apply the fixed Cosminexus Component Container version,
which is a component product of these products.
For details about the required fixed version of Cosminexus Component Container, contact your Hitachi support service representative.
- *4
- After the fixed version is applied, the logical J2EE server process is assigned only the permissions of the Component Container administrator's group and of any other user groups to which the Component Container administrator belongs.
If your J2EE application requires any other permissions, an unexpected error might occur.
- *5
- After the fixed version is applied, the logical user server process is assigned only the permissions of the user groups set in the group-id tags and of the user groups to which the user set in the user-id tag belongs.
If your user application requires any other permissions, an unexpected error might occur.