Loading

PN1592 | Vulnerable Third-Party Components in FactoryTalk® ProductionCentre

Advisory ID:
PN1592
Date de publication:
May 04, 2022
Date de la dernière mise à jour:
May 04, 2022
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
Non
Corrected:
Non
Workaround:
Non
Résumé
Vulnerable Third-Party Components in FactoryTalk® ProductionCentre

Revision History
Revision History
Version 1.0 – May 4, 2022

Executive Summary

Rockwell Automation discovered multiple vulnerabilities affecting third-party software utilized by our FactoryTalk® ProductionCentre (FTPC) products. If exploited, these vulnerabilities could have various effects, including but not limited to, remote code execution, information disclosure, and denial of service on FTPC products.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including products in scope and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk® ProductionCentre v10.04 and earlier

Vulnerability Details

As part of our commitment to security, Rockwell performs routine testing and vulnerability scanning to maintain the security posture of products. Due to open-source testing, we were made aware that third-party components utilized within our FTPC products contain vulnerabilities that range from low to high. The third-party components are listed below.
Apache ActiveMQ Version 5.15.0 Dom4J Version 1.61
Apache Common BeanUtils Version 1.9.0 Hibernate ORM Version 3.3.2
Apache CXF Version 3.1.10 Jackson Databind Version 2.1.4
Apache Http Client Version 4.5.2 JasperReports Library Version 6.2.0
Apache Santuario (Java) 2.0.8 Java Platform Standard Edition Version 8u181
Apache Xalan Version (Java) 2.7.1 JBoss Remoting Version 4.0.22.Final
Apache Xerces2J Version 2.11.0.SP5 JGroups Version 2.12.2 Final
Bouncy Castle Version 1.36, 1.44, 1.55 Spring Framework Versions 2.5.5, 4.3.8-4.3.9
Cryptacular Version 1.51 Undertow Core Versions 1.0.10.Final
Codehaus XFire Version 0.9.5.2 Velocity.apache.org Version 1.7

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerabilities. We encourage customers to combine the risk mitigations with security best practices to deploy a defense-in-depth strategy.
  • Apply security recommendations found in the FactoryTalk® ProductionCentre Knowledgebase Article IN39626 - Security Recommendations for FactoryTalk ProductionCentre to help minimize the risk of these third-party vulnerabilities.
  • Deploy network segmentation, when possible, per our standard deployment recommendations.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable the assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • Hardening Guidance (CIS Benchmarks)
If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Accueil Rockwell Automation
  2. Chevron LeftChevron Left Trust Center
  3. Chevron LeftChevron Left Industrial Security Adv
  4. Chevron LeftChevron Left Industrial Security Advisory Detail
Veuillez mettre à jour vos préférences en matière de cookies pour continuer.
Cette fonctionnalité nécessite des cookies pour améliorer votre expérience. Veuillez mettre à jour vos préférences pour autoriser ces cookies:
  • Cookies de réseaux sociaux
  • Cookies fonctionnels
  • Cookies de performances
  • Cookies marketing
  • Tous les cookies
Vous pouvez mettre à jour vos préférences à tout moment. Pour plus d'informations, veuillez consulter notre {0} politique de confidentialité
CloseClose