Published Date: 5/15/2025
Last updated: 5/15/2025
Revision Number: 1.0
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.
AFFECTED PRODUCTS AND SOLUTION
Affected Product |
First Known in software version |
Corrected in software version |
95057C-FTHTWXCT11 |
<= v4.02.00 |
v5.00.00 and later |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2018-1285
A vulnerability has been identified in the third-party Apache log4net software, impacting the FactoryTalk® Historian-ThingWorx Connector. This issue arises because versions of Apache log4net prior to 2.0.10 fail to disable XML external entities during the parsing of log4net configuration files. Consequently, a threat actor could exploit this to launch XX-based attacks on applications that accept malicious log4net configuration files.
CVSS 3.1 Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Known Exploited Vulnerability (KEV) database: no
Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Mitigations and Workarounds
Update to the corrected version if possible. Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.
ADDITIONAL RESOURCES
The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.
