CVE-2014-2003
high
CVSS v3: —
CVSS v2: 7.6
VIR risk: 7.6
Description
JustSystems JUST Online Update, as used in Ichitaro through 2014 and other products, does not properly validate signatures of update modules, which allows remote attackers to spoof modules and execute arbitrary code via a crafted signature.
Predictions
Exploit likelihood: 20%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: vultures@jpcert.or.jp — http://www.justsystems.com/jp/info/js14002.html
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| justsystems | ichitaro | through 2014 | |
| justsystems | ichitaro | 10 | |
| justsystems | ichitaro | 11 | |
| justsystems | ichitaro | 12 | |
| justsystems | ichitaro | 13 | |
| justsystems | ichitaro | 2004 | |
| justsystems | ichitaro | 2005 | |
| justsystems | ichitaro | 2006 | |
| justsystems | ichitaro | 2007 | |
| justsystems | ichitaro | 2008 | |
| justsystems | ichitaro | 2009 | |
| justsystems | ichitaro | 2010 | |
| justsystems | ichitaro | 2011 | |
| justsystems | ichitaro | 2012 | |
| justsystems | ichitaro | 2013 | |
| justsystems | just_online_update | - | |
References
- http://jvn.jp/en/jp/JVN50129191/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2014-000053
- http://www.ipa.go.jp/security/ciadr/vul/20140611-jvn.html
- http://www.justsystems.com/jp/info/js14002.html
CWEs
CWE-20