Hitachi JP1/PM Windows: Incorrect Default Permissions for File Manipulation
CVE-2023-3440 Published on October 3, 2023
File and Directory Permission Vulnerability in JP1/Performance Management
Incorrect Default Permissions vulnerability in Hitachi JP1/Performance Management on Windows allows File Manipulation. This issue affects JP1/Performance Management - Manager: from 09-00 before 12-50-07; JP1/Performance Management - Base: from 09-00 through 10-50-*; JP1/Performance Management - Agent Option for Application Server: from 11-00 before 11-50-16; JP1/Performance Management - Agent Option for Enterprise Applications: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for HiRDB: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for IBM Lotus Domino: from 10-00 before 11-50-16; JP1/Performance Management - Agent Option for Microsoft(R) Exchange Server: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for Microsoft(R) Internet Information Server: from 09-00 before 12-00-14; JP1/Performance Management - Agent Option for Microsoft(R) SQL Server: from 09-00 before 12-50-07; JP1/Performance Management - Agent Option for Oracle: from 09-00 before 12-10-08; JP1/Performance Management - Agent Option for Platform: from 09-00 before 12-50-07; JP1/Performance Management - Agent Option for Service Response: from 09-00 before 11-50-16; JP1/Performance Management - Agent Option for Transaction System: from 11-00 before 12-00-14; JP1/Performance Management - Remote Monitor for Microsoft(R) SQL Server: from 09-00 before 12-50-07; JP1/Performance Management - Remote Monitor for Oracle: from 09-00 before 12-10-08; JP1/Performance Management - Remote Monitor for Platform: from 09-00 before 12-10-08; JP1/Performance Management - Remote Monitor for Virtual Machine: from 10-00 before 12-50-07; JP1/Performance Management - Agent Option for Domino: from 09-00 through 09-00-*; JP1/Performance Management - Agent Option for IBM WebSphere Application Server: from 09-00 through 10-00-*; JP1/Performance Management - Agent Option for IBM WebSphere MQ: from 09-00 through 10-00-*; JP1/Performance Management - Agent Option for JP1/AJS3: from 09-00 through 10-00-*; JP1/Performance Management - Agent Option for OpenTP1: from 09-00 through 10-00-*; JP1/Performance Management - Agent Option for Oracle WebLogic Server: from 09-00 through 10-00-*; JP1/Performance Management - Agent Option for uCosminexus Application Server: from 09-00 through 10-00-*; JP1/Performance Management - Agent Option for Virtual Machine: from 09-00 through 09-01-*.
Vulnerability Analysis
CVE-2023-3440 is exploitable with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
Affected Versions
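Hitachi JP1/Performance Management - Manager:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
- Version 12-10 and below 12-10-08 is affected.
- Version 12-50 and below 12-50-07 is affected.
Hitachi JP1/Performance Management - Base:
- Version 09-00, <= 10-50-* is affected.
Hitachi JP1/Performance Management - Agent Option for Application Server:
- Version 11-00 and below 11-50-16 is affected.
Hitachi JP1/Performance Management - Agent Option for Enterprise Applications:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
Hitachi JP1/Performance Management - Agent Option for HiRDB:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
Hitachi JP1/Performance Management - Agent Option for IBM Lotus Domino:
- Version 10-00 and below 11-50-16 is affected.
Hitachi JP1/Performance Management - Agent Option for Microsoft(R) Exchange Server:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
Hitachi JP1/Performance Management - Agent Option for Microsoft(R) Internet Information Server:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
Hitachi JP1/Performance Management - Agent Option for Microsoft(R) SQL Server:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
- Version 12-50 and below 12-50-07 is affected.
Hitachi JP1/Performance Management - Agent Option for Oracle:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
- Version 12-10 and below 12-10-08 is affected.
Hitachi JP1/Performance Management - Agent Option for Platform:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
- Version 12-50 and below 12-50-07 is affected.
Hitachi JP1/Performance Management - Agent Option for Service Response:
- Version 09-00 and below 11-50-16 is affected.
Hitachi JP1/Performance Management - Agent Option for Transaction System:
- Version 11-00 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
Hitachi JP1/Performance Management - Remote Monitor for Microsoft(R) SQL Server:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
- Version 12-50 and below 12-50-07 is affected.
Hitachi JP1/Performance Management - Remote Monitor for Oracle:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
- Version 12-10 and below 12-10-08 is affected.
Hitachi JP1/Performance Management - Remote Monitor for Platform:
- Version 09-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
- Version 12-10 and below 12-10-08 is affected.
Hitachi JP1/Performance Management - Remote Monitor for Virtual Machine:
- Version 10-00 and below 11-50 is affected.
- Version 11-50 and below 11-50-16 is affected.
- Version 12-00 and below 12-00-14 is affected.
- Version 12-10 and below 12-10-08 is affected.
- Version 12-50 and below 12-50-07 is affected.
Hitachi JP1/Performance Management - Agent Option for Domino:
- Version 09-00, <= 09-00-* is affected.
Hitachi JP1/Performance Management - Agent Option for IBM WebSphere Application Server:
- Version 09-00, <= 10-00-* is affected.
Hitachi JP1/Performance Management - Agent Option for IBM WebSphere MQ:
- Version 09-00, <= 10-00-* is affected.
Hitachi JP1/Performance Management - Agent Option for JP1/AJS3:
- Version 09-00, <= 10-00-* is affected.
Hitachi JP1/Performance Management - Agent Option for OpenTP1:
- Version 09-00, <= 10-00-* is affected.
Hitachi JP1/Performance Management - Agent Option for Oracle WebLogic Server:
- Version 09-00, <= 10-00-* is affected.
Hitachi JP1/Performance Management - Agent Option for uCosminexus Application Server:
- Version 09-00, <= 10-00-* is affected.
Hitachi JP1/Performance Management - Agent Option for Virtual Machine:
- Version 09-00, <= 09-01-* is affected.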
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.