Multiple vulnerabilities in Fujitsu M12-1
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2020-13817 CVE-2021-23840 CVE-2021-3326 CVE-2020-8285 |
| CWE-ID | CWE-399 CWE-20 CWE-617 CWE-674 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Fujitsu M12-1 Hardware solutions / Firmware |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU26241
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-13817
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to ntpd uses highly predictable timestamps that can allow spoofing attack over IPv4 or a denial of service attack. A remote non-authenticated attacker can modify clock on the client NTP server to terminate it.
Install update from vendor's website.
Vulnerable software versionsFujitsu M12-1: XCP2410 - XCP3110
CPE2.3- cpe:2.3:h:oracle:fujitsu_m12-1:XCP2410:*:*:*:*:*:*:*
- cpe:2.3:h:oracle:fujitsu_m12-1:XCP3110:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujan2022.html?916978
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU50745
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-23840
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input during EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate calls. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsFujitsu M12-1: XCP2410 - XCP3110
CPE2.3- cpe:2.3:h:oracle:fujitsu_m12-1:XCP2410:*:*:*:*:*:*:*
- cpe:2.3:h:oracle:fujitsu_m12-1:XCP3110:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujan2022.html?916978
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Reachable Assertion
EUVDB-ID: #VU50075
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-3326
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the iconv function in the GNU C Library (aka glibc or libc6) when processing invalid input sequences in the ISO-2022-JP-3 encoding. A remote attacker can pass specially crafted data to the application, trigger an assertion failure and crash the affected application.
Install update from vendor's website.
Vulnerable software versionsFujitsu M12-1: XCP2410 - XCP3110
CPE2.3- cpe:2.3:h:oracle:fujitsu_m12-1:XCP2410:*:*:*:*:*:*:*
- cpe:2.3:h:oracle:fujitsu_m12-1:XCP3110:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujan2022.html?916978
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Uncontrolled Recursion
EUVDB-ID: #VU48894
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-8285
CWE-ID:
CWE-674 - Uncontrolled Recursion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due tu uncontrolled recursion when processing FTP responses within the wildcard matching functionality, which allows a callback (set
with <a href="https://curl.se/libcurl/c/CURLOPT_CHUNK_BGN_FUNCTION.html">CURLOPT_CHUNK_BGN_FUNCTION</a>) to return information back to libcurl on
how to handle a specific entry in a directory when libcurl iterates over a
list of all available entries. A remote attacker who controls the malicious FTP server can trick the victim to connect to it and crash the application, which is using the affected libcurl version.
Install update from vendor's website.
Vulnerable software versionsFujitsu M12-1: XCP2410 - XCP3110
CPE2.3- cpe:2.3:h:oracle:fujitsu_m12-1:XCP2410:*:*:*:*:*:*:*
- cpe:2.3:h:oracle:fujitsu_m12-1:XCP3110:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpujan2022.html?916978
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
