Hitachi Vantara Knowledge

Vulnerabilities in Certain Versions of Hitachi Device Manager, Hitachi Configuration Manager, and Hitachi Ops Center API Configuration Manager

Priority: High

Status: Resolved (fixed versions available)

 

First Published: July 12th, 2023

Advisory Version: 1.0

References: CVE-2022-28331, CVE-2021-25147

 

Summary

Vulnerabilities in the Apache Portable Runtime and Apache Portable Runtime Utility, as documented in CVE-2022-28331 and CVE-2021-25147, have been found to affect certain versions of the following Hitachi Vantara software products:

* Hitachi Device Manager (HDvM)
* Hitachi Configuration Manager (HCM)
* Hitachi Ops Center API Configuration Manager (formerly known as Hitachi Configuration Manager)

(Please refer to the table below for affected versions.)

If successfully exploited, these vulnerabilities could result in service outages, data leaks, or data tampering.

 

 

Affected Products

Vulnerable Products

Hitachi Vantara is currently investigating its product lines to determine if any are affected by this vulnerability. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding mitigations or fixed release versions (if such information is available at the time). Likewise, any products or solutions that have been confirmed not to be affected by the given vulnerability will be listed in the section below.

NOTE: If cited, product documentation, including product-specific Alerts and Technical Bulletins, are available to Hitachi Vantara customers logged into Support Connect.

| Product | Notes / Fixed Release Version |
|---|---|
| Software Products | |
| Hitachi Device Manager (HDvM) (v8.5.1-00 to earlier than v8.6.5-00) | Product reaches end of support on October 5th, 2023. Upgrading to a fixed version of Hitachi Ops Center Administrator is recommended. |
| Hitachi Configuration Manager (HCM) (v8.5.1 or later) | HCM was redesignated Hitachi Ops Center API Configuration Manager after HCM v8.6.7. Please upgrade to a fixed version of HOC API Configuration Manager. |
| Hitachi Ops Center API Configuration Manager (10.0.0-00 to earlier than 10.9.2-01) | CVE-2022-28331: fixed in v10.9.2-01. CVE-2022-25147: fixed in v10.9.2-01. |

 

 

Recommended Actions

If running an affected version of Hitachi Ops Center API Configuration Manager, please upgrade to v10.9.2-01 or later.
Hitachi Configuration Manager was redesignated Hitachi Ops Center API Configuration Manager after HCM v8.6.7. If running an affected version of HCM, please upgrade to a fixed version of HOC API Configuration Manager.
If running an affected version of Hitachi Device Manager (HDvM), upgrading to a fixed version of Hitachi Ops Center Administrator is recommended as HDvM reaches end-of-support on October 5th, 2023.

 

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.

 

 
