Revision History
Revision Number
1.0
Revision History
Version 1.0 – September 19, 2023
Executive Summary
The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
Affected Products
| Affected Product | Affected Versions | Corrected in Software Version |
| Connected Components Workbench™ (CCW) | Versions Prior to R21 | R21 and later |
Vulnerability Details
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2020-16017 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Google Chrome versions before 86.0.4240.198. If exploited, a remote threat actor could potentially perform a sandbox escape via a crafted HTML page.
CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: 416 – Use After Free
Known Exploited Vulnerability (KEV) database: Yes
CVE-2022-0609 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Animation within Google Chrome before 98.0.4758.102. This vulnerability could potentially allow a remote threat actor to exploit heap corruption via a crafted HTML page.
CVSS Base Score: 8.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 416 – Use After Free
Known Exploited Vulnerability (KEV) database: Yes
CVE-2020-16009 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.18. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.
CVSS Base Score: 8.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write & 843 Access of Resource Using Incompatible Type (‘Type Confusion”)
Known Exploited Vulnerability (KEV) database: Yes
CVE-2020-16013 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.198. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.
CVSS Base Score: 8.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: Yes
CVE-2020-15999
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a heap buffer overflow vulnerability in Freetype within Google Chrome before 86.0.4240.111. This vulnerability could allow a remote threat actor to potentially exploit heap corruption via a crafted HTML.
CVSS Base Score: 6.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: Yes
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Risk Mitigation & User Action
Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
- Upgrade to version 21 or later.
- QA43240 - Recommended Security Guidelines from Rockwell Automation
