Hitachi Energy Service Suite
1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: Service Suite
- Vulnerabilities: Use of Less Trusted Source, Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’), Integer Overflow or Wraparound, Out-of-bounds Write, Allocation of Resources Without Limits or Throttling, Exposure of Sensitive Information to an Unauthorized Actor, Memory Allocation with Excessive Size Value, Out-of-bounds Read, Uncontrolled Resource Consumption, Improper Resource Shutdown or Release, Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’)
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality, integrity, or availability of affected devices.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports the following products are affected:
- Service Suite: Versions 9.8.1.3 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 Use of Less Trusted Source CWE-348
Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may not send the X-Forwarded-* headers to the origin server due to the client-side Connection header hop-by-hop mechanism. This vulnerability can be exploited to bypass IP-based authentication on the origin server or application.
CVE-2022-31813 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-31813. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444
Some mod_proxy configurations on Service Suite product’s Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP request smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
CVE-2023-25690 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-25690. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
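A configuration audit for the pattern described in 3.2.2, added here as an example (it is not part of the advisory or of any Hitachi Energy or Apache tooling). It flags proxied RewriteRule and ProxyPassMatch directives whose pattern has a broad capture group that is re-inserted into the target. The sample configuration is constructed, and treating "." or a negated character class as "non-specific" is a heuristic assumption.

```python
import re

# Constructed sample configuration (not taken from the advisory or the product).
SAMPLE_CONF = r'''
ProxyPass "/app/" "http://backend.example:8080/app/"
RewriteEngine on
RewriteRule "^/here/(.*)" "http://backend.example:8080/elsewhere?$1" [P]
ProxyPassMatch "^/api/([^/]+)/item$" "http://backend.example:8080/api/$1/item"
RewriteRule "^/img/([0-9]+)\.png$" "http://backend.example:8080/img/$1.png" [P]
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
# RewriteRule "^/x/(.*)" "http://backend.example:8080/$1" [P]
'''

TOKEN = re.compile(r'"([^"]*)"|(\S+)')       # quoted or bare directive arguments
GROUP = re.compile(r'\((?!\?)([^()]*)\)')    # simple, non-nested capture groups
BACKREF = re.compile(r'\$\d')                # $1..$9 in the substitution/target


def broad_group(pattern):
    """Heuristic (assumption): a capture group using '.' or a negated class
    also accepts whitespace and control characters, so it is non-specific."""
    for body in GROUP.findall(pattern):
        unescaped = re.sub(r'\\.', '', body)  # ignore escaped chars such as \.
        if '.' in unescaped or '[^' in unescaped:
            return True
    return False


def audit(conf):
    """Return (line number, directive, pattern) for each directive to review."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        tok = [a or b for a, b in TOKEN.findall(line)]
        name = tok[0].lower()
        if name == 'proxypassmatch' and len(tok) >= 3:
            proxied = True
        elif name == 'rewriterule' and len(tok) >= 4:
            flags = tok[3].strip('[]').lower().split(',')
            proxied = 'p' in flags or 'proxy' in flags  # only [P] rules proxy
        else:
            continue
        if proxied and BACKREF.search(tok[2]) and broad_group(tok[1]):
            findings.append((lineno, tok[0], tok[1]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

A finding marks a directive for review on servers not yet updated; narrowing the capture group to the characters the backend actually expects removes the non-specific match.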
3.2.3 Integer Overflow or Wraparound CWE-190
Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into making such a call, third-party modules or Lua scripts that use ap_strcmp_match() may hypothetically be affected.
CVE-2022-28615 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-28615. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.4 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444
An inconsistent interpretation of HTTP requests (‘HTTP request smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.54 and prior, which are part of the Service Suite product.
CVE-2022-36760 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-36760. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.5 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444
An HTTP response smuggling vulnerability exists in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server versions 2.4.30 through 2.4.55, which are part of the Service Suite product. Special characters in the origin response header can truncate or split the response forwarded to the client.
CVE-2023-27522 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2023-27522. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.6 Out-of-bounds Write CWE-787
A carefully crafted If: request header can cause a memory read or write of a single zero byte in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server versions 2.4.54 and earlier, which are part of the Service Suite product.
CVE-2006-20001 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2006-20001. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.7 Allocation of Resources Without Limits or Throttling CWE-770
In Apache HTTP Server 2.4.53 and earlier, which are part of the Service Suite product, a malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service due to the lack of a default limit on possible input size.
CVE-2022-29404 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-29404. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.8 Exposure of Sensitive Information to an Unauthorized Actor CWE-200
Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
CVE-2022-30556 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2022-30556. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.9 Memory Allocation with Excessive Size Value CWE-789
If Apache HTTP Server 2.4.53, which is part of the Service Suite product, is configured to perform transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
CVE-2022-30522 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-30522. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.10 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444
An inconsistent interpretation of HTTP requests (‘HTTP request smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product.
CVE-2022-26377 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2022-26377. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.11 Out-of-bounds Read CWE-125
An inconsistent interpretation of HTTP requests (‘HTTP request smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product.
CVE-2023-31122 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-31122. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.12 Uncontrolled Resource Consumption CWE-400
An attacker opening an HTTP/2 connection with an initial window size of 0 can block the handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well-known “slow loris” attack pattern. This issue affects Apache HTTP Server versions 2.4.55 through 2.4.57, which are part of the Service Suite product.
CVE-2023-43622 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-43622. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.13 Improper Resource Shutdown or Release CWE-404
When an HTTP/2 stream is reset (RST frame) by a client, there is a time window where the request’s memory resources are not immediately reclaimed. Instead, deallocation is deferred until the connection closes. A client can send new requests and resets, keeping the connection busy and open, causing the memory footprint to keep growing. Upon connection close, all resources are reclaimed, but the process might run out of memory before that. This issue affects Apache HTTP Server versions 2.4.17 through 2.4.57, which are part of the Service Suite product.
CVE-2023-45802 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-45802. A base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.14 Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’) CWE-113
In Apache HTTP Server versions prior to 2.4.55, which are part of the Service Suite product, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
CVE-2022-37436 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2022-37436. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).
3.2.15 Exposure of Sensitive Information to an Unauthorized Actor CWE-200
The ap_rwrite() function in Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product, may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua’s r:puts() function.
CVE-2022-28614 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2022-28614. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.16 Out-of-bounds Read CWE-125
Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product on Windows, may read beyond bounds when configured to process requests with the mod_isapi module.
CVE-2022-28330 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2022-28330. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER
Hitachi Energy reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy recommends affected users update to 9.8.1.4.
For more information see the associated Hitachi Energy cybersecurity advisory 8DBD000209.
Hitachi Energy recommends security practices and firewall configurations to help protect process control networks from external attacks. These practices include ensuring that process control systems are physically protected from unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports. Each case should be evaluated individually. Process control systems should not be used for Internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for viruses before being connected to a control system. Proper password policies and processes should also be followed.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000209