Hitachi Vantara Security Advisories

Security Advisories


| Advisory Title | CVE References |
|---|---|
| Terrapin Attack: CVE-2023-48795 | CVE-2023-48795 |
| Vulnerability in Older Versions of Hitachi Storage Plug-in for VMware vCenter | CVE-2024-21840 |
| Apache Struts Remote Code Execution Vulnerability | CVE-2023-50164 |
| PostgreSQL Vulnerabilities | CVE-2018-1058, CVE-2019-9193, CVE-2020-1720, CVE-2020-14350, CVE-2020-25694, CVE-2020-25695, CVE-2020-25696, CVE-2021-3393, CVE-2021-20229, CVE-2021-32027 |
| OpenSSH Versions Prior to 9.3p2 Are Susceptible to a Vulnerability That May Lead to a DOS Attack | CVE-2023-38408 |
| OpenSSL Security Vulnerabilities | CVE-2023-0286, CVE-2023-0215, CVE-2022-4450, CVE-2022-4304, CVE-2022-0778, CVE-2021-3712, CVE-2021-3711 |
| Apache Tomcat Incomplete Cleanup Vulnerability | CVE-2023-42794 |
| Apache ActiveMQ Remote Code Execution Vulnerability | CVE-2023-46604 |
| Hitachi Vantara Ops Center Analyzer Viewpoint Open SSL Vulnerability (CVE-2023-5363) | CVE-2023-5363 |
| Curl and Libcurl Vulnerabilities | CVE-2023-38545, CVE-2023-38546 |
| Heap Buffer Overflow Vulnerabilities in Libwebp and Libvpx | CVE-2023-4863, CVE-2023-5217 |
| A NETBIOS_SMB Share Password is the Default or Null or Missing | CVE-1999-0519 |
| SSL Security Vulnerabilities in Hitachi Content Intelligence (HCI) v2.2.2 | CVE-2022-4304, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2022-3996, CVE-2022-4203, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401 |
| Unsecured Apache Spark Standalone Executes User Code | CVE-2018-17190 |
| Vulnerabilities in Certain Versions of Hitachi Device Manager, Hitachi Configuration Manager, and Hitachi Ops Center API Configuration Manager | CVE-2022-28331, CVE-2021-25147 |
| Certain mod_proxy Configurations on Versions of Apache HTTP Server Could Allow Unauthorized Access | CVE-2023-25690 |
| Netlogon RPC Elevation of Privilege Vulnerability | CVE-2022-38023 |
| Vulnerability in JsonWebToken | CVE-2022-23529 |
| MegaRAC BMC Vulnerabilities Affecting Compute Servers | CVE-2022-40259, CVE-2022-40242, CVE-2022-2827 |
| Vulnerabilities in Hitachi RAID Manager Storage Replication Adapter (SRA) | CVE-2022-34882, CVE-2022-34883 |
| OpenSSL 3.0.x Vulnerabilities: CVE-2022-3602 & CVE-2022-3786 | CVE-2022-3602, CVE-2022-3786 |
| "Text4Shell" - Remote Code Execution Vulnerability in Apache Commons Text Library | CVE-2022-42889 |
| HCP Multitenancy Vulnerability | CVE-2021-28052 |
| Vulnerability in OpenSSL: c_rehash Script Could Allow Command Injection | CVE-2022-1292 |
| Apache Kafka Security Vulnerabilities | CVE-2022-23307, CVE-2022-23305, CVE-2022-23302, CVE-2019-17571, CVE-2020-9488 |
| "Spring4Shell" - RCE Vulnerabilities in Spring Framework and Spring Cloud Function | CVE-2022-22965, CVE-2022-22963, CVE-2022-22950 |
| Denial of Service Vulnerability in Several Versions of OpenSSL | CVE-2022-0778 |
| Vulnerability in Versions of Samba Prior to 4.13.17 Could Allow a Remote Attacker to Execute Arbitrary Code | CVE-2021-44142 |
| PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s "pkexec" | CVE-2021-4034 |
| Multiple Security Vulnerabilities in Apache Log4j Library | CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832 |
| Hitachi Content Platform Anywhere (HCP-AW) 4.4.5 and Later Allows Information Disclosure | CVE-2021-41573 |

What Are Hitachi Vantara’s Product Security Certifications?

Question

What are the current Hitachi Vantara product security certifications?

Environment

Hitachi Vantara applicable products listed in the Answer table below

Answer

FIPS 140-2 is still valid up to 2026. We are working on obtaining FIPS 140-3 for next-generation models. 

Common Criteria is on the roadmap for next-generation Virtual Storage Platform One.


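| Product | Module | FIPS 197 Cert# | FIPS 140-2 Level 1 Cert# | FIPS 140-2 Level 1 Sunset Date | FIPS 140-2 Level 2 Cert# | FIPS 140-2 Level 2 Sunset Date | Common Criteria EAL2 | Common Criteria EAL2+ | IPv6 Core | IPv6 USGv6 |
|---|---|---|---|---|---|---|---|---|---|---|
| 5x00 | eDKBN(NVMe) | #C1593 | n/a | | #3803 | 1/27/2026 | | | | 83-04-00 |
| | eDKB(SAS) | #3305 | n/a | | #3278 | | | | | 83-04-00 |
| F1500 | eDKA(SAS) | #2787 | #2386 | Historical | #2727 | Historical | | | 02-C-001324 | 80-01-22 |
| G1500 | eDKA(SAS) | #2787 | #2386 | Historical | #2727 | Historical | | | 02-C-001324 | 80-01-22 |
| G1000 | eDKA(SAS) | #2787 | #2386 | Historical | #2727 | Historical | | | 02-C-001324 | 80-01-22 |
| VSP | n/a | #1553 | n/a | | n/a | | #C0315 | | 02-C-001326 | |
| E1090 | | #C1593 | n/a | | #3803 | 1/27/2026 | | | | |
| | eDKB(SAS) | #3305 | n/a | | #3278 | 9/3/2023 | | | | |
| E990 | | #C1593 | n/a | | #3803 | 1/27/2026 | | | | |
| E590/790 | | #A1290 | #4194 | | n/a | | | | | |
| | eDKB(SAS) | #3305 | n/a | | #4183 | 1/27/2026 | | | | |
| G150/350/370 | | #3305 | #3279 | 9/3/2023 | n/a | | | | | |
| F350/370 | | #3305 | #3279 | 9/3/2023 | n/a | | | | | |
| G700/900 | eDKB(SAS) | #3305 | n/a | | #3278 | 9/3/2023 | | | | |
| F700/900 | eDKB(SAS) | #3305 | n/a | | #3278 | 9/3/2023 | | | | |
| G400/600/800 | eDKB(SAS) | #3305 | n/a | | #2462 | Historical | | | 02-C-001384 | 83-01-04 |
| G200 | | #3305 | #2694 | Historical | n/a | | | | 02-C-001384 | 83-01-04 |
| HUS VM | eDKB(SAS) | #2787 | #2232 | Historical | n/a | | | #C0513 | 02-C-001332 | |
| HUS 150 | eDKB(SAS) | #2787 | #2232 | Historical | n/a | | #C0419 | | | |
| HCP - Cloudscale | | | #4239 | 8/22/2024 | n/a | | | | | |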

Hitachi Vantara Vulnerability Disclosure Policy

1. Policy Introduction & Policy Purpose

The purpose of this policy is to establish a method all Hitachi Vantara customers and external stakeholders should follow to report any potential vulnerabilities and threats.

This policy’s objective is to ensure Hitachi Vantara’s customers’ trust by continuously addressing potential vulnerabilities and threats to reduce potential risks that may have an impact on Hitachi Vantara operations, infrastructure, and services.

2. Scope

This policy applies to all divisions and geographies, unless noted otherwise within this document, and is intended for all employees with a direct or indirect relationship with customers and third parties with whom Hitachi Vantara does business.

The following situations are excluded from this policy:

  • When a Hitachi Vantara customer or third party requests actions beyond a valid contract extension.

3. Process to report potential vulnerabilities and threats

3.1. Any Hitachi Vantara customer or third party may submit a report to notify about potential vulnerabilities or threats. A report submission should include, but is not limited to, the following information:

  • Details of affected Hitachi Vantara product or solution
  • Versions of software and/or microcode of Hitachi Vantara components
  • A detailed description of the identified vulnerability or threat, and
  • Any other relevant information such as evidence or proof of concept, where the identified vulnerability is already published, and where the individual reporting is committed to coordinated disclosure.

3.2. Contact information to report any potential vulnerability or threat:

  • When a potential security vulnerability in Hitachi Vantara’s products is discovered, customers or third parties are encouraged to report the vulnerability by contacting Hitachi Vantara’s Global Support Center (GSC).
  • The GSC team will work in conjunction with Hitachi Vantara’s Cybersecurity team to investigate the issue in accordance with customer contract requirements and GSC standard operating procedures.
  • Hitachi Vantara recommends using an encryption program to securely transmit any confidential and personal data.
  • While Hitachi Vantara will review reports submitted through the GSC, weaknesses in existing customer installations due to their individual designs, third-party components, or compromised access credentials are not considered vulnerabilities within Hitachi Vantara’s products.
  • Entities without a customer relationship with Hitachi Vantara can report security vulnerabilities to the Cybersecurity team at security.vulnerabilities@hitachivantara.com.

3.3. With the agreement of the reporting customer or third party, Hitachi Vantara must recognize the customer or third party with credit for the discovery of the vulnerability as part of the official Hitachi Vantara process. Hitachi Vantara does not have a “Bug Bounty” program in place. Therefore, Hitachi Vantara recognizes vulnerability researchers through the vulnerability (CVE - Common Vulnerabilities and Exposures) publication, when applicable, or a recognition letter for their contributions.

3.4. Hitachi Vantara’s product vulnerability handling generally consists of the following:

  • First response,
  • Initial triage,
  • Investigation and planning,
  • Remediation, and
  • Disclosure & notification.

While Hitachi Vantara makes every effort to remediate in a timely manner vulnerabilities posing a high risk for Hitachi Vantara, its customers, and third parties, remediation times may vary depending on vulnerability complexity or threat conditions. Assuming the reported information is not known publicly, the intention is that the customer or third party reporting a vulnerability and Hitachi Vantara do not release any related information until there is remediation.

4. Disclaimer

The information contained herein is subject to change at any time without notice. The statements in this policy do not modify, supersede, or otherwise amend any customer rights, obligations, or terms between Hitachi Vantara LLC and any other party. The use of the information or links included in this policy is done at your own risk.