HCP Multitenancy Vulnerability

Content

Priority: High

Status: Resolved

 

First Published: 23 August 2022 (Original customer Alert published on 31 March 2021)

Advisory Version: 1.0

References: CVE-2021-28052

 

Summary

In older versions of HCP, a vulnerability in the multitenancy security model could allow unauthorized data access. Specifically:

(1) A tenant administrator may modify the configuration of a namespace in another tenant without authorization, potentially allowing unauthorized access to data in the other tenant. 
(2) A tenant user (non-administrator) may view configuration of a namespace in another tenant without authorization.

In both cases, the unauthorized user must know the Namespace UUID of the targeted namespace.

 

Please see Hitachi Vantara Alert - HCP A2021040101r2 for comprehensive details regarding this vulnerability.

 

Affected Products

Vulnerable Products

Hitachi Vantara is currently investigating its product lines to determine if any are affected by this vulnerability. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding mitigations or fixed release versions (if such information is available at the time). Likewise, any products or solutions that have been confirmed not to be affected by the given vulnerability will be listed in the section below.

NOTE: If cited, product documentation, including product-specific Alerts and Technical Bulletins, is available to Hitachi Vantara customers logged into Support Connect.

 

Product: Hitachi Content Platform (HCP) (Content Products), all versions prior to 8.3.7 or 9.2.3
Notes / Fixed Release Version: HCP version 8.3.7 and onward in the 8.x branch, and version 9.2.3 and onward in the 9.x branch, contain the fix for this vulnerability.

Products Confirmed Not Vulnerable

At the time of this advisory's publication, only products listed in the Vulnerable Products section above are confirmed to be affected by this vulnerability.

 

Recommended Actions

If affected, please upgrade HCP to at least version 8.3.7 in the 8.x branch, or at least version 9.2.3 in the 9.x branch. The fix for this vulnerability is contained in these versions, as well as in all subsequent versions of HCP.
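Because the fix landed separately in two branches, a single "version is at least X" comparison misclassifies systems: 9.0.0 is newer than 8.3.7 but still affected, and 8.4.1 is older than 9.2.3 but fixed. The following branch-aware check is an added example, not Hitachi Vantara code; it assumes version strings are dotted integers, and the hostnames and inventory are constructed for illustration.

```python
import re

# First fixed release per major branch, as stated in this advisory.
FIXED_BY_BRANCH = {8: (8, 3, 7), 9: (9, 2, 3)}


def parse_version(text):
    """Return the leading dotted-integer version as a tuple, or None."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version_text):
    """True if affected, False if fixed, None if the string is unparseable."""
    version = parse_version(version_text)
    if version is None:
        return None
    major = version[0]
    if major < min(FIXED_BY_BRANCH):
        return True   # older than the 8.x branch: prior to every fixed release
    if major > max(FIXED_BY_BRANCH):
        return False  # later than 9.x: subsequent versions contain the fix
    # Pad so "9.2" compares as 9.2.0 against the three-part threshold.
    padded = version + (0,) * (3 - len(version))
    return padded < FIXED_BY_BRANCH[major]


def triage(inventory):
    """Group hostnames by status for a {host: version string} inventory."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        status = is_affected(version_text)
        key = "unknown" if status is None else ("affected" if status else "fixed")
        result[key].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "hcp-a": "8.3.7", "hcp-b": "9.0.0", "hcp-c": "8.4.1",
    "hcp-d": "9.2.2.9", "hcp-e": "7.3.1", "hcp-f": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Systems reported as unknown should be checked manually rather than assumed fixed.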


If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.

Last Modified Date
08/20/2024 09:52:49 PM