hitachi-sec-2021-604 : Hitachi Content Platform Information Disclosure Vulnerability

Last Update: September 20, 2022

1. Overview

Vulnerabilitiy has been found in Hitachi Vantara - Hitachi Content Platform.

CVE-2021-28052: Hitachi Content Platform Information Disclosure Vulnerability
A tenant administrator Hitachi Content Platform (HCP) may modify the configuration in another tenant without authorization, potentially allowing unauthorized access to data in the other tenant. Also, a tenant user (non-administrator) may view configuration in another tenant without authorization. In both cases, the unauthorized user must know the Namespace UUID of the targeted namespace.

2. Affected Systems

• Hitachi Vantara - Hitachi Content Platform prior to 8.3.7 and 9.2.3
  { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_content_platform:8.3.7" }}}
  { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_content_platform:9.2.3" }}}

3. Impact

Information Disclosure

4. Solution

Users and administrators are encouraged to upgrade to fixed version.

• HCP Multitenancy Vulnerability
  https://knowledge.hitachivantara.com/Security/HCP_Multitenancy_Vulnerability
• Alert - HCP A2021040101
  https://support.hitachivantara.com/en/user/tech-tips/2021april/A2021040101.html
• Content Platform - Hitachi Vantara Knowledge
  https://www.hitachivantara.com/en-us/products/storage/object-storage/content-platform-anywhere.html

5. References

• CVE-2021-28052
  https://www.cve.org/CVERecord?id=CVE-2021-28052

6. Update history

September 20, 2022

• This webpage was newly created and published.

Masato Terada (HIRT), Naoko Ohnishi (HIRT) and Brian Williams (Hitachi Vantara)

• page top