Advisory ID:
PN1592
Fecha de publicación:
May 04, 2022
Última actualización:
May 04, 2022
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Resumen
Vulnerable Third-Party Components in FactoryTalk® ProductionCentre
Revision History
Revision History
Version 1.0 – May 4, 2022
Executive Summary
Rockwell Automation discovered multiple vulnerabilities affecting third-party software utilized by our FactoryTalk® ProductionCentre (FTPC) products. If exploited, these vulnerabilities could have various effects, including but not limited to, remote code execution, information disclosure, and denial of service on FTPC products.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including products in scope and recommended countermeasures, are provided herein.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including products in scope and recommended countermeasures, are provided herein.
Affected Products
FactoryTalk® ProductionCentre v10.04 and earlier
Vulnerability Details
As part of our commitment to security, Rockwell performs routine testing and vulnerability scanning to maintain the security posture of products. Due to open-source testing, we were made aware that third-party components utilized within our FTPC products contain vulnerabilities that range from low to high. The third-party components are listed below.
| Apache ActiveMQ Version 5.15.0 | Dom4J Version 1.61 |
| Apache Common BeanUtils Version 1.9.0 | Hibernate ORM Version 3.3.2 |
| Apache CXF Version 3.1.10 | Jackson Databind Version 2.1.4 |
| Apache Http Client Version 4.5.2 | JasperReports Library Version 6.2.0 |
| Apache Santuario (Java) 2.0.8 | Java Platform Standard Edition Version 8u181 |
| Apache Xalan Version (Java) 2.7.1 | JBoss Remoting Version 4.0.22.Final |
| Apache Xerces2J Version 2.11.0.SP5 | JGroups Version 2.12.2 Final |
| Bouncy Castle Version 1.36, 1.44, 1.55 | Spring Framework Versions 2.5.5, 4.3.8-4.3.9 |
| Cryptacular Version 1.51 | Undertow Core Versions 1.0.10.Final |
| Codehaus XFire Version 0.9.5.2 | Velocity.apache.org Version 1.7 |
Risk Mitigation & User Action
Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerabilities. We encourage customers to combine the risk mitigations with security best practices to deploy a defense-in-depth strategy.
- Apply security recommendations found in the FactoryTalk® ProductionCentre Knowledgebase Article IN39626 - Security Recommendations for FactoryTalk ProductionCentre to help minimize the risk of these third-party vulnerabilities.
- Deploy network segmentation, when possible, per our standard deployment recommendations.
General Security Guidelines
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that a VPN is only as secure as the connected devices.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable the assessment, design, implementation, and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Additional Links
- PN1354 - Industrial Security Advisory Index
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- Hardening Guidance (CIS Benchmarks)
Copyright ©2022 Rockwell Automation, Inc.