Vulnerability in OpenSSL: c rehash Script Could Allow Command Injection
Priority: ● High
Status: In Progress - Undergoing Analysis
First Published: 2022 June 23
Advisory Version: 1.1
References: CVE-2022-1292
Summary
A vulnerability has been identified in the "c_rehash" script used by OpenSSL which could allow an attacker to execute arbitrary commands with elevated privileges. The vulnerability stems from the script potentially allowing command injection via shell meta characters.
This vulnerability has since been fixed in OpenSSL 3.0.3, OpenSSL 1.1.1o, and OpenSSL 1.0.2ze.
Affected OpenSSL versions:
OpenSSL 3.0.0, 3.0.1, and 3.0.2
OpenSSL 1.1.1 - 1.1.1n
OpenSSL 1.0.2 - 1.0.2zd
Affected Products
Vulnerable Products
Hitachi Vantara is currently investigating its product lines to determine if any are affected by this vulnerability. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding mitigations or fixed release versions (if such information is available at the time). Likewise, any products or solutions that have been confirmed not to be affected by this vulnerability will be listed in the section below.
NOTE: Cited product documentation, including product-specific Alerts and Technical Bulletins, are available to Hitachi Vantara customers logged into Support Connect.
| Product | Notes / Fixed Release Version |
| Software Products |
| Hitachi Ops Center Analyzer (Viewpoint), |
Affected version of OpenSSL is indirectly employed via Kong. Remediation is under investigation. (Version of OpenSSL embedded in application is not affected as c_rehash script is not used.) |
| Content Products |
| Content Intelligence (HCI) | HCI will resolve this by pulling in OpenSSL 1.1.1o in HCI v2.2 scheduled to be released in September 2022 |
| Data Protector (HDID) | Affected. Will be resolved in a future release (TBD) |
| HCP for Cloud Scale (HCP CS) | Affected. Will be resolved in a future release (TBD) |
| Content Platform Gateway | Affected. Will be resolved in a future release (TBD) |
| Hitachi Content Software for File (HCSF) | Affected. Will be resolved in a future release (TBD) |
Products Confirmed Not Vulnerable
* As this is an ongoing investigation across all Hitachi Vantara product lines, please note that products may be reclassified as vulnerable as they continue to be evaluated for risk.
| Product | Notes |
| Storage Systems |
| Hitachi Virtual Storage Platform VSP E990, VSP E790, VSP E590 | Not affected c_rehash script not used |
| Hitachi Virtual Storage Platform VSP F/G350, VSP F/G370, VSP F/G700, VSP F/G900 | Not affected c_rehash script not used |
| Hitachi Virtual Storage Platform VSP G200, VSP F/G/N400, VSP F/G/N600, VSP F/G/N800 | Not affected c_rehash script not used |
| Hitachi Virtual Storage Platform VSP 5100, VSP 5100H, VSP 5500, VSP 5500H (VSP 5x00) RAID 900 |
Not affected c_rehash script not used |
| Hitachi Virtual Storage Platform VSP 5200, VSP 5200H, VSP 5600, VSP 5600H (VSP 5x00) RAID 900 |
Not affected c_rehash script not used |
| Hitachi Virtual Storage Platform G1000, F/G1500 (VSP F/G1x00) RAID 800 |
Not affected c_rehash script not used |
| Hitachi Virtual Storage Platform (VSP) RAID 700 | Not affected c_rehash script not used |
| Hitachi Unified Storage VM (HUS VM) HM700 | Not affected c_rehash script not used |
| Hitachi Adaptable Modular Storage DF800S, DF800M, DF800H (AMS 2x00) | Not affected c_rehash script not used |
| Hitachi Unified Storage DF850XS, DF850S, DF850MH (HUS 1x0) | Not affected c_rehash script not used |
| Content Products |
| Content Platform (HCP) | Not affected c_rehash script not used |
| Content Platform S Series (HCPS) | Not affected c_rehash script not used |
| Hitachi Data Ingestor (HDI) | Not affected c_rehash script not used |
| Hitachi File Services Manager (HFSM) | Not affected c_rehash script not used |
| Content Platform Anywhere (HCP Anywhere) | Not affected. OpenSSL version used is not vulnerable. |
| Software Products |
| Hitachi Remote Ops (HRO) | Not affected OpenSSL not used |
| Hitachi Ops Center Administrator (formerly HSA) |
Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
| Hitachi Ops Center Analyzer (Probe) |
Not affected c_rehash script not in library |
| Hitachi Ops Center Analyzer (Server), Analyzer (RAID Agent) |
Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
| Hitachi Ops Center Analyzer (Detail View), Analyzer (Windows Probe), Analyzer (Virtual Storage Software - Agent) |
Not affected OpenSSL not used |
| Hitachi Ops Center Automator |
Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
| Hitachi Device Manager (HDvM) Server |
Not affected c_rehash script not in library |
| Hitachi Device Manager (HDvM) HDC, Agent |
Not affected OpenSSL not used |
| Hitachi Tuning Manager (HTnM) Server, Agents (including RAID Agent) |
Not affected c_rehash script is not used or included, or is not configured to be executed automatically by the OS. |
| Hitachi Replication Manager (HRpM) | Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
| Hitachi Tiered Storage Manager (HTSM) | Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
| Hitachi Dynamic Link Manager (HDLM) | Not affected OpenSSL not used |
| Hitachi Global Link Manager (HGLM) | Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
| Hitachi Compute Systems Manager (HCSM) | Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
| Hitachi Automation Director (HAD) | Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
| Hitachi Infrastructure Analytics Advisor (HIAA) Server, RAID Agent |
Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
| Hitachi Infrastructure Analytics Advisor (HIAA) Analytics Probe |
Not affected c_rehash script not in library |
| Hitachi Infrastructure Analytics Advisor (HIAA) DCA, Windows Probe |
Not affected OpenSSL not used |
| Hitachi Configuration Manager (HCM) | Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
| Hitachi Configuration Manager (HCM) REST API |
Not affected c_rehash script is not used, or is not configured to be executed automatically by the OS. |
Recommended Actions
Please continue to check this Security Advisory, as new information will be added to it as it becomes available.
If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.
The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.