What are the most severe vulnerabilities affecting Hitachi Energy Service Suite?

The most severe vulnerabilities include: CVE-2022-31813 (CVSS score 9.3) - a Use of Less Trusted Source vulnerability that may allow attackers to bypass IP-based authentication; CVE-2023-25690 (CVSS score 9.3) - an HTTP Request/Response Smuggling vulnerability in some mod_proxy configurations; and CVE-2022-36760 (CVSS score 9.2) - another HTTP Request/Response Smuggling vulnerability in mod_proxy_ajp that allows attackers to smuggle requests to the AJP server.

What types of attacks are possible through these vulnerabilities?

The vulnerabilities enable various types of attacks, including HTTP request smuggling, out-of-bounds read/write operations, information disclosure, memory allocation issues, resource consumption attacks (similar to 'slow loris'), and bypassing of IP-based authentication. These could potentially lead to system crashes, information disclosure, denial of service, or unauthorized access.

What versions of Apache HTTP Server are vulnerable?

The vulnerabilities affect various versions of Apache HTTP Server from 2.4.17 through 2.4.57, depending on the specific vulnerability. For example, CVE-2022-31813 and CVE-2022-36760 affect Apache HTTP Server 2.4.54 and prior, while CVE-2023-43622 affects versions 2.4.55 through 2.4.57.

How can users mitigate these vulnerabilities in Hitachi Energy Service Suite?

Hitachi Energy recommends that affected users update to Service Suite version 9.8.1.4. This update addresses the vulnerabilities described in Hitachi Energy cybersecurity advisory 8DBD000209.

What are some of the other significant vulnerabilities in the advisory?

Other significant vulnerabilities include: CVE-2022-28615 (CVSS score 8.8) - an Integer Overflow vulnerability that may cause crashes or information disclosure; CVE-2023-27522 (CVSS score 8.7) - an HTTP Request/Response Smuggling vulnerability involving special characters in origin response headers; CVE-2006-20001 (CVSS score 8.7) - an Out-of-bounds Write vulnerability involving crafted If: request headers; and CVE-2023-43622 (CVSS score 8.7) - a resource consumption vulnerability enabling attacks similar to 'slow loris'.

Are there any denial of service vulnerabilities included in the advisory?

Yes, several of the vulnerabilities could lead to denial of service conditions. For example, CVE-2022-29404 (CVSS score 8.7) involves Resource Allocation Without Limits, where malicious requests to Lua scripts may cause denial of service due to lack of default input size limits. Additionally, CVE-2023-43622 (CVSS score 8.7) allows HTTP/2 connections with initial window size of 0 to block connection handling indefinitely, enabling worker resource exhaustion similar to 'slow loris' attacks.

Advisory

Multiple critical vulnerabilities reported in Hitachi Energy Service Suite

published: May 14, 2025

Take action: If you are running Hitachi Energy Service Suite make sure running on systems isolated from the internet and accessible only from trusted networks. Then plan a regular patch cycle. Just don't ignore these flaws, plan and execute the patch.

Learn More

Hitachi Energy has released an advisory regarding multiple vulnerabilities - at least three critical - affecting their Service Suite product. These vulnerabilities, primarily associated with the Apache HTTP Server components included in the product, expose affected systems to a variety of remote attacks with low complexity requirements.

Vulnerabilities summary:

CVE-2022-31813 (CVSS score 9.3): Use of Less Trusted Source - Apache HTTP Server may not send X-Forwarded-* headers to the origin server due to client-side Connection header hop-by-hop mechanism, allowing attackers to bypass IP-based authentication.
CVE-2023-25690 (CVSS score 9.3): HTTP Request/Response Smuggling - Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow HTTP request smuggling attacks when mod_proxy is enabled with RewriteRule or ProxyPassMatch.
CVE-2022-36760 (CVSS score 9.2): HTTP Request/Response Smuggling - Vulnerability in mod_proxy_ajp allows attackers to smuggle requests to the AJP server in Apache HTTP Server 2.4.54 and prior.
CVE-2022-28615 (CVSS score 8.8): Integer Overflow or Wraparound - Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to read beyond bounds in ap_strcmp_match() when provided with extremely large input.
CVE-2023-27522 (CVSS score 8.7): HTTP Request/Response Smuggling - Special characters in origin response headers can truncate or split responses forwarded to clients in Apache HTTP Server 2.4.30 through 2.4.55.
CVE-2006-20001 (CVSS score 8.7): Out-of-bounds Write - Carefully crafted If: request headers can cause memory read/write of a single zero byte beyond header value, potentially crashing processes in Apache HTTP Server 2.4.54 and earlier.
CVE-2022-29404 (CVSS score 8.7): Resource Allocation Without Limits - Malicious requests to Lua scripts calling r:parsebody(0) may cause denial of service due to lack of default input size limits in Apache HTTP Server 2.4.53 and earlier.
CVE-2022-30556 (CVSS score 8.7): Exposure of Sensitive Information - Apache HTTP Server 2.4.53 and earlier may return lengths to applications calling r:wsread() that point past allocated buffer storage endpoints.
CVE-2022-30522 (CVSS score 8.7): Memory Allocation with Excessive Size Value - Apache HTTP Server 2.4.53 with mod_sed transformations may make excessively large memory allocations and trigger aborts when input is very large.
CVE-2022-26377 (CVSS score 8.7): HTTP Request/Response Smuggling - Vulnerability in mod_proxy_ajp allows request smuggling to AJP servers in Apache HTTP Server 2.4.53 and earlier.
CVE-2023-31122 (CVSS score 8.7): Out-of-bounds Read - Another HTTP request smuggling vulnerability in mod_proxy_ajp affecting Apache HTTP Server 2.4.53 and earlier.
CVE-2023-43622 (CVSS score 8.7): Uncontrolled Resource Consumption - HTTP/2 connections with initial window size of 0 can block connection handling indefinitely, enabling worker resource exhaustion similar to "slow loris" attacks in Apache HTTP Server 2.4.55 through 2.4.57.
CVE-2023-45802 (CVSS score 8.2): Improper Resource Shutdown - In HTTP/2 streams, reset requests' memory isn't immediately reclaimed, allowing memory consumption to grow until connections close in Apache HTTP Server 2.4.17 through 2.4.57.
CVE-2022-37436 (CVSS score 6.9): Improper Neutralization of CRLF Sequences - Malicious backends can cause response headers to be truncated early, incorporating security headers into response bodies in Apache HTTP Server versions prior to 2.4.55.
CVE-2022-28614 (CVSS score 6.9): Exposure of Sensitive Information - The ap_rwrite() function may read unintended memory if an attacker causes the server to reflect very large input in Apache HTTP Server 2.4.53 and earlier.
CVE-2022-28330 (CVSS score 6.9): Out-of-bounds Read - Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when processing requests with mod_isapi module.

The affected products include Hitachi Energy Service Suite versions 9.8.1.3 and prior. The vulnerabilities are primarily associated with the Apache HTTP Server component integrated into the Service Suite product, spanning multiple versions from 2.4.17 through 2.4.57 depending on the specific vulnerability.

Hitachi Energy recommends that affected users update to Service Suite version 9.8.1.4.

Multiple critical vulnerabilities reported in Hitachi Energy Service Suite

Read More
CISA and Ilevia Report Multiple Critical Vulnerabilities in …
CISA reports critical flaws in TEM Opera Plus …
Armis Labs reports multiple vulnerabilities in Copeland refrigeration …
Critical Authentication Bypass in Honeywell CCTV Products Allows …
Rockwell Automation ControlLogix 1756 devices are vulnerable to …