Published Date: April 16, 2024
Last updated: April 16, 2024
Revision Number: 1.0
CVSS Score: 9.8/10
AFFECTED PRODUCTS AND SOLUTION
| Affected Product | First Known in Software Version | Corrected in Software Version |
| --- | --- | --- |
| FactoryTalk® Production Centre | 10.0 | 11.03.00 |
VULNERABILITY DETAILS
Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerability. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported in line with our commitment to customer transparency and to improving our customers' business and production environments.
CVE-2023-46604 IMPACT
Apache ActiveMQ, a component used in FactoryTalk Production Centre, is vulnerable to remote code execution. A remote, unauthenticated threat actor with network access to the broker's OpenWire listener can run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. The broker resolves the supplied class name and can be made to instantiate any class on its classpath, so the attack requires no credentials and no user interaction, only reachability of the OpenWire port.
CVSS Base Score: 9.8
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502 Deserialization of Untrusted Data
Known Exploited Vulnerability (KEV) database: Yes
Users can use Stakeholder-Specific Vulnerability Categorization (SSVC) to generate environment-specific prioritization.
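The impact statement above says the broker instantiates whatever class name arrives in a serialized OpenWire command. The frame that carries that class name is an ExceptionResponse (OpenWire command type 31), whose loosely encoded body is: commandId (int), responseRequired (boolean), correlationId (int), an "exception present" boolean, then the Throwable's class name and message as Java UTF strings. The following is an added example, not code from Rockwell Automation or the Apache ActiveMQ project: it parses that frame layout and flags frames a vulnerable broker would turn into an arbitrary object instantiation. The sample frames are constructed here (the class name `org.example.config.XmlContextLoader` and the URL are placeholders, not captured traffic), and the check is a network-side approximation of the upstream server-side fix, which only allows classes that are actually Throwable subclasses to be instantiated.

```python
"""Parse loosely encoded OpenWire ExceptionResponse frames and flag ones that
would make an unpatched ActiveMQ broker instantiate a non-Throwable class.
Added example; not part of the advisory or of ActiveMQ itself."""
import re
import struct

EXCEPTION_RESPONSE = 31          # OpenWire command type byte for ExceptionResponse
URL_LIKE = re.compile(r"^(https?|file|ftp|jar):", re.IGNORECASE)


def _read_utf(buf: bytes, off: int):
    """Java DataInput.readUTF: 2-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def _write_utf(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def build_exception_response(clazz: str, message: str,
                             command_id: int = 0, correlation_id: int = 0) -> bytes:
    """Construct a size-prefixed, loosely encoded ExceptionResponse frame.
    Used only to produce sample input for parse_frame()."""
    body = (bytes([EXCEPTION_RESPONSE])
            + struct.pack(">i", command_id)      # BaseCommand.commandId
            + b"\x00"                            # BaseCommand.responseRequired = false
            + struct.pack(">i", correlation_id)  # Response.correlationId
            + b"\x01"                            # exception field is present
            + _write_utf(clazz)                  # Throwable class name
            + _write_utf(message))               # Throwable message
    return struct.pack(">i", len(body)) + body


def parse_frame(frame: bytes):
    """Return a dict for an ExceptionResponse frame, None for any other command type."""
    if len(frame) < 5:
        raise ValueError("truncated frame")
    (size,) = struct.unpack_from(">i", frame, 0)
    if size != len(frame) - 4:
        raise ValueError("size prefix does not match frame length")
    if frame[4] != EXCEPTION_RESPONSE:
        return None
    off = 5
    (command_id,) = struct.unpack_from(">i", frame, off); off += 4
    response_required = frame[off] != 0; off += 1
    (correlation_id,) = struct.unpack_from(">i", frame, off); off += 4
    has_exception = frame[off] != 0; off += 1
    clazz = message = None
    if has_exception:
        clazz, off = _read_utf(frame, off)
        message, off = _read_utf(frame, off)
    return {"command_id": command_id, "response_required": response_required,
            "correlation_id": correlation_id, "class": clazz, "message": message}


def suspicious_reasons(parsed) -> list:
    """Heuristics approximating the server-side fix (only Throwable subclasses may be
    instantiated). A wire parser cannot resolve Java class hierarchies, so this is a
    detection aid, not a control: an attacker can pick a non-Throwable class whose
    name happens to end in 'Exception'."""
    reasons = []
    if parsed is None or parsed["class"] is None:
        return reasons
    if not parsed["class"].endswith(("Exception", "Error", "Throwable")):
        reasons.append("class name does not look like a Throwable: " + parsed["class"])
    if parsed["message"] and URL_LIKE.match(parsed["message"]):
        reasons.append("exception message is a URL: " + parsed["message"])
    return reasons


# Constructed samples (not captured traffic): an ordinary broker error, and a frame
# naming a hypothetical non-Throwable class with a URL where the message belongs.
BENIGN = build_exception_response("java.lang.SecurityException",
                                  "User name or password is invalid.")
SUSPECT = build_exception_response("org.example.config.XmlContextLoader",
                                   "http://203.0.113.10/poc.xml")

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN), ("suspect", SUSPECT)):
        parsed = parse_frame(frame)
        print(name, parsed, suspicious_reasons(parsed))
```

This parser handles only the loose OpenWire encoding (booleans as whole bytes); in the tight encoding negotiated after the WireFormatInfo handshake, booleans are packed into a separate bit stream and the layout differs. For an OT network the durable answer remains the version upgrade in the table above, with the broker's OpenWire port reachable only from hosts that need it.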
Mitigations and Workarounds
Users of the affected software who are unable to upgrade to a corrected version are encouraged to apply the following security best practices where possible.
- Update to the version that fixes the issue, as detailed in this article.
- Follow the security recommendations in PN1592 for FTPC.
- Implement security best practices.
ADDITIONAL RESOURCES