September 6, 2022
Hitachi, Ltd. IT Platform Products Management Division
Hitachi Disk Array Systems have the following vulnerability.
Hitachi-sec-2022-307
Storage Replication Adapter for Hitachi disk array systems (Hitachi RAID Manager SRA (RMSRA)) has the following vulnerabilities: i) exposure of authentication information and ii) arbitrary command execution.
i) CVE-2022-34882 : Exposure of authentication information
ii) CVE-2022-34883 : Arbitrary command execution
The following table shows the affected products.
| Product Name | Hitachi RAID Manager SRA |
|---|---|
| Software Version | |
* Product end of support.
** Both SRA for Docker and Windows are affected.
Workaround for vulnerability i):
- For the following information registered in the "Add Array Manager" window of SRM, use only the usable characters described below.
<Registered information>
✔ IP address or host name of the RAID Manager server
✔ Username for connecting to the RAID Manager server using SSH
✔ Password for connecting to the RAID Manager server using SSH
<Usable characters>
One-byte alphanumeric characters and the following symbols
Hyphen (-), comma (,), period (.), colon (:), at mark (@), underscore (_), slash (/)
- The password might already be recorded in the SRM log files. Delete the log files by using the following procedure.
Notes:
<Procedure for deleting log files (for Docker RMSRA)>
<Procedure for deleting log files (for Windows RMSRA)>
<Procedure for deleting log (for both Docker/Windows RMSRA)>
If log transfer or a similar setting is configured on the SRM server, run the same check on the transferred logs and delete them as necessary.
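The character restriction in workaround i) can be enforced before values are registered in SRM. The following check is an added example, not code from Hitachi or the RMSRA product; it applies the advisory's usable-character set to the three registered fields and reports which characters are outside it. The function names and the treatment of an empty value as a failure are assumptions.

```python
from typing import Dict, List

# Usable characters per the Hitachi-sec-2022-307 workaround for vulnerability i):
# one-byte alphanumerics plus hyphen, comma, period, colon, at mark, underscore, slash.
ALLOWED_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789-,.:@_/"
)

EMPTY_MARKER = "(empty)"  # assumption: an empty field is reported as unusable


def disallowed_chars(value: str) -> List[str]:
    """Return the distinct characters in value outside the usable set,
    in order of first appearance. An empty list means the value is usable.
    Multi-byte characters are never in the set, so they are reported too."""
    seen: List[str] = []
    for ch in value:
        if ch not in ALLOWED_CHARS and ch not in seen:
            seen.append(ch)
    return seen


def check_array_manager_fields(host: str, username: str, password: str) -> Dict[str, List[str]]:
    """Check the three values entered in SRM's "Add Array Manager" window:
    RAID Manager server IP address/host name, SSH username, SSH password.
    Returns {field: offending characters} for each field that fails;
    an empty dict means all three values are usable under the workaround."""
    fields = {"host": host, "username": username, "password": password}
    problems: Dict[str, List[str]] = {}
    for name, value in fields.items():
        if value == "":
            problems[name] = [EMPTY_MARKER]
            continue
        bad = disallowed_chars(value)
        if bad:
            problems[name] = bad
    return problems


if __name__ == "__main__":
    # Constructed sample values; the password deliberately contains '!' and a space.
    result = check_array_manager_fields("10.0.0.5", "rm_user", "Secret!2022 x")
    for field, chars in result.items():
        print(f"{field}: unusable characters {chars}")
```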
Workaround for vulnerability ii):
Closely manage access rights to SRM.
None