CVE-2017-6022 - OpenCVE

A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited PHI/PII information stored in the BD Kiestra Database.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Bd	Performa Kla Journal Service

Configuration 1 [-]

cpe:2.3:a:bd:performa:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:bd:kla_journal_service:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/97057	Third Party Advisory VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSMA-17-082-01	Mitigation Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2017-06-30T02:35:00

Updated: 2017-06-30T09:57:01

Reserved: 2017-02-16T00:00:00

Link: CVE-2017-6022

JSON object: View

NVD Information

Status : Modified

Published: 2017-06-30T03:29:00.297

Modified: 2019-10-09T23:28:34.480

Link: CVE-2017-6022

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "BD Kiestra PerformA and KLA Journal Service", "vendor": "n/a", "versions": [{"status": "affected", "version": "BD Kiestra PerformA and KLA Journal Service"}]}], "datePublic": "2017-06-29T00:00:00", "descriptions": [{"lang": "en", "value": "A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited PHI/PII information stored in the BD Kiestra Database."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-259", "description": "CWE-259", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-06-30T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-082-01"}, {"name": "97057", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/97057"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-6022", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "BD Kiestra PerformA and KLA Journal Service", "version": {"version_data": [{"version_value": "BD Kiestra PerformA and KLA Journal Service"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited PHI/PII information stored in the BD Kiestra Database."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-259"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-082-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-082-01"}, {"name": "97057", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97057"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-6022", "datePublished": "2017-06-30T02:35:00", "dateReserved": "2017-02-16T00:00:00", "dateUpdated": "2017-06-30T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bd:performa:*:*:*:*:*:*:*:*", "matchCriteriaId": "25B4C3F5-D413-4CE5-9C68-B7FCF686F54D", "versionEndIncluding": "2.0.14.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bd:kla_journal_service:*:*:*:*:*:*:*:*", "matchCriteriaId": "2920987E-49B3-4BDB-BC2B-7BD23CE01457", "versionEndIncluding": "1.0.51", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A hard-coded password issue was discovered in Becton, Dickinson and Company (BD) PerformA, Version 2.0.14.0 and prior versions, and KLA Journal Service, Version 1.0.51 and prior versions. They use hard-coded passwords to access the BD Kiestra Database, which could be leveraged to compromise the confidentiality of limited PHI/PII information stored in the BD Kiestra Database."}, {"lang": "es", "value": "Se ha descubierto un problema de contrase\u00f1a embebida en Becton, Dickinson and Company (BD) PerformA, en su versi\u00f3n 2.0.14.0 y anteriores, y KLA Journal Service, en su versi\u00f3n 1.0.51 y anteriores. Ambos emplean contrase\u00f1as embebidas para acceder a la base de datos BD Kiestra, lo que podr\u00eda aprovecharse para comprometer la confidencialidad de la informaci\u00f3n PHI/PII limitada almacenada en la base de datos BD Kiestra."}], "id": "CVE-2017-6022", "lastModified": "2019-10-09T23:28:34.480", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-30T03:29:00.297", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/97057"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSMA-17-082-01"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-259"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}