Toshiba Commerce Solutions Affected

Notified: August 06, 2014 Updated: June 02, 2015

Statement Date: June 01, 2015

Status

Affected

Vendor Statement

VU#301788 #1 CHEC Response

Vulnerability ID: VU#301788

Vulnerability #1

Vulnerability Name: Toshiba Checkout Environment for Consumer-Service – CHEC contains hardcoded DB2 password

Overview

Toshiba Global Commerce Solutions’ self checkout application CHEC contains a file on the Client (Lane) systems that can be de-compiled to obtain a DB2 password for the CHEC’s Back Office System Server (BOSS).

Description

Toshiba Global Commerce Solutions’ self checkout application CHEC contains a file on the Client (Lane) systems that can be de-compiled to obtain a DB2 password for the CHEC’s Back Office System Server (BOSS). The jar file has hard-coded values that can be obtained and then used in conjunction with the logic in the jar file to decrypt the userid and password for the DB2 database on the BOSS.

Impact

An attacker could use the DB2 password to corrupt the database on the BOSS and prevent the Lanes from functioning properly. No sensitive data can be accessed.

Solution

The previously-mentioned jar file is not actually used by the Lane and has been removed in later releases of the Lane software. Install the latest version of the Lane Application to delete the relevant file.

CHEC 6.6 fixed in build level 4014 or higher
CHEC 6.7 fixed in build level 4329 or higher

Vendor Information

Vendor Status Date Notified Date Updated

Toshiba Global Commerce Solutions

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

Toshiba CHEC versions prior to 6.6 build level 4014 and 6.7 build level 4329 are affected.