Hitachi Vantara is trusted by many of the world’s organizations to store and manage their data. We take this responsibility extremely seriously, and we also take seriously our responsibility to immediately address any conditions by which our customers’ data may be put at risk.
One of the products Hitachi Vantara provides is a file sync and sharing technology called Hitachi Content Platform Anywhere (HCP Anywhere). The software enables its users to share large files with people inside or outside their organization via links, with optional password and expiration date protection.
On September 13th we were alerted by one of our customers to a potential vulnerability in our HCP Anywhere software.
Following a swift and thorough investigation, on September 16th our engineering team identified a set of complex and discrete occurrences that could potentially result in a vulnerability if acted upon by a malicious attacker.
Having analyzed these occurrences, Hitachi Vantara engineers quickly developed a script (a simple software program) to mitigate the issue. Hitachi Vantara was able to notify affected customers currently under contract of the availability of the script the next day, Friday, September 17th.
By Saturday, September 18th, Hitachi Vantara engineers had developed a permanent solution to resolve the issue. After the fix was tested and verified on Hitachi Vantara’s own instances of HCP Anywhere, it was communicated to customers under contract on Sunday, September 19th, in accordance with normal alert protocols.
How could something like this happen?
Software development is a complex craft and regrettably software bugs can happen. Hitachi Vantara follows an extensive set of quality assurance processes for software development in general. For security vulnerabilities, we follow a multi-phase set of processes that is designed to eliminate security vulnerabilities. This includes ‘Threat Modeling’, ‘Static Code Scanning’, ‘Dynamic Code Scanning’ and ‘Penetration Testing’.
With all these detection measures in place, why did this vulnerability go undetected? In this case, a complex set of discrete conditions had to occur in a specific sequence to reveal the vulnerability.
Hitachi Vantara, like most software companies, tests its software extensively before it is released for general availability, but a complex vulnerability scenario such as this remains one of the most difficult to detect. Nevertheless, customers can be assured that we are resolute in our commitment to delivering highly trustworthy products, and that we will never stop enhancing our quality assurance processes.