{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "publisher": {
      "category": "vendor",
      "name": "Softing Industrial Automation GmbH",
      "namespace": "https://industrial.softing.com",
      "contact_details": "Softing PSIRT - contact us at psirt@softing.com"
    },
    "title": "Multiple vulnerabilities in the OPC UA C++ SDK",
    "tracking": {
      "current_release_date": "2023-11-29T10:53:32.761Z",
      "id": "SYT-2022-1",
      "initial_release_date": "2022-03-09T11:00:00.000Z",
      "revision_history": [
        {
          "date": "2022-03-09T11:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial version"
        },
        {
          "date": "2022-07-22T10:00:00.000Z",
          "number": "2.0.0",
          "summary": "Fix in OPC Suite V5.20"
        },
        {
          "number": "3.0.0",
          "summary": "Fix for Secure Integration Server",
          "date": "2023-11-29T10:53:32.761Z"
        }
      ],
      "status": "final",
      "version": "3.0.0",
      "generator": {
        "date": "2023-11-29T10:53:32.761Z",
        "engine": {
          "version": ".2.2.15",
          "name": "Secvisogram"
        }
      }
    },
    "source_lang": "en-US",
    "aggregate_severity": {
      "text": "high"
    },
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The information provided in this disclosure is provided \"as is\" without warranty of any kind.\nSofting disclaims all warranties, either express or implied, including the warranties of\nmerchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be\nliable for any damages whatsoever including direct, indirect, incidental, consequential, loss of\nbusiness profits or special damages, even if Softing or its suppliers have been advised of the\npossibility of such damages.\nSome states do not allow the exclusion or limitation of liability for consequential or incidental\ndamages so the foregoing limitation may not apply.\n",
        "title": "Disclaimer"
      }
    ]
  },
  "product_tree": {
    "full_product_names": [
      {
        "product_id": "CSAFPID-0001",
        "name": "Softing OPC UA C++ SDK V5.66.1"
      },
      {
        "product_id": "CSAFPID-0002",
        "name": "Softing OPC Suite V5.19"
      },
      {
        "product_id": "CSAFPID-0003",
        "name": "Softing Secure Integration Server V1.22"
      },
      {
        "product_id": "CSAFPID-0004",
        "name": "Softing OPC UA C++ SDK V5.70"
      },
      {
        "product_id": "CSAFPID-0005",
        "name": "Softing OPC Suite V5.20"
      },
      {
        "product_id": "CSAFPID-0006",
        "name": "Softing Secure Integration Server V1.30"
      }
    ]
  },
  "vulnerabilities": [
    {
      "scores": [
        {
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "cvss_v3": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          }
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ],
        "fixed": [
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006"
        ]
      },
      "notes": [
        {
          "category": "summary",
          "text": "An invalid XML element in the type dictionary makes the OPC/UA client crash due to an out-of-memory condition.\nThe client process may crash unexpectedly and must be restarted."
        }
      ],
      "discovery_date": "2022-03-09T11:00:00.000Z",
      "remediations": [
        {
          "category": "workaround",
          "details": "Use a secure connection to avoid communication with untrusted servers.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "The attack depends on the client establishing a connection to an untrusted and possibly\ncompromised server.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ],
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "cve": "CVE-2021-42262"
    },
    {
      "scores": [
        {
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "cvss_v3": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "HIGH"
          }
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ],
        "fixed": [
          "CSAFPID-0004",
          "CSAFPID-0005",
          "CSAFPID-0006"
        ]
      },
      "notes": [
        {
          "category": "summary",
          "text": "A malformed OPC/UA message abort packet makes the client crash with a null pointer dereference.\nThe client process may crash unexpectedly and must be restarted."
        }
      ],
      "discovery_date": "2022-03-09T11:00:00.000Z",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "cve": "CVE-2021-42577"
    }
  ]
}