Security Information

PSIRT – Product Security Incident Response Team

The Softing PSIRT is a central team at Softing tasked with managing the investigation and disclosure of security vulnerabilities. All reports about possible vulnerabilities or other security incidents in connection with Softing products can be forwarded to the Softing PSIRT. The Softing PSIRT coordinates and maintains communication with everyone involved, both internally and externally, so that it can provide an appropriate response to any security problems that are identified.

Why should you report vulnerabilities?

Disclosing vulnerabilities enables us to fix these vulnerabilities and inform customers using the products in question about the fix. This approach can help us to keep making our products more secure and above all support Softing customers in managing security risks.

If you think you have uncovered a security vulnerability in a Softing product, please report it by email to .

Please include the following information with your report:

  • Contact information and availability
  • Affected product including model and version number
  • Classification of the vulnerability (buffer overflow, XSS, …)
  • Detailed description of the vulnerability (with verification if possible)
  • Effect of the vulnerability (if known)
  • Current level of awareness of the vulnerability (are there plans to disclose it or is there a disclosure policy in place?)
  • (Company) affiliation of the reporter/finder (if reporter/finder is prepared to provide such information)
  • CVSS score (if known)

What will happen to your report?

The Softing PSIRT process is based on the FIRST framework and follows its four steps:
Discovery, Triage, Remediation, Disclosure.

Softing will ensure that the information is sent to a select group of designated Softing employees with experience in dealing with incidents of this type: the Softing Product Security Incident Response Team (PSIRT). Neither unauthorized employees nor external users will have access to the information you send.

In addition, Softing will ensure that the identity and contact details of the security expert are kept confidential and not published in any public statements (advisories and bulletins) unless explicitly requested by the security expert. The Softing PSIRT will investigate the reported vulnerability and contact you as soon as possible.

Stay up to date

The Softing PSIRT investigates all reports of security problems and publishes security advisories about validated security vulnerabilities that affect Softing products directly and require either a software update, software upgrade or another action by the customer. As part of ongoing efforts to support operators in addressing security risks and in ensuring the protected operation of systems, the Softing PSIRT publishes information that operators need to evaluate the ramifications of a security vulnerability.

Stay up to date with our security advisories

We publish information about vulnerabilities in Softing products and new or updated security advisories on our web pages.

Contact Softing PSIRT

Softing PSIRT public keys

Click here to download our PGP key

Fingerprint: 220C 4E9E 9A71 17BB C8E1 F863 0D5C 307C CACE DEDC

Languages: German or English
Transmission: preferably encrypted

Security Advisories

| ID | Title | CVE | CVSS Score | Products | Date | Download |
|---|---|---|---|---|---|---|
| SYT-2024-1 | Cross-site scripting vulnerability in TH SCOPE | CVE-2023-37571 | 9.8 | TH SCOPE | 24.01.2024 | HTML, JSON |

| ID | Title | CVE | CVSS Score | Products | Date | Download |
|---|---|---|---|---|---|---|
| SYT-2023-9 | Multiple vulnerabilities in edgeConnector, edgeAggregator and Secure Integration Server | CVE-2023-27335, CVE-2023-38125, CVE-2023-38126 | 6.6, 7.2, 7.2 | edgeConnector, edgeAggregator, Secure Integration Server | 01.12.2023 | HTML, JSON |
| SYT-2023-8 | Path Traversal vulnerability in edgeConnector, edgeAggregator and Secure Integration Server | CVE-2023-39482 | 4.9 | edgeConnector, edgeAggregator, Secure Integration Server | 01.12.2023 | HTML, JSON |
| SYT-2023-7 | NULL pointer dereference vulnerability in edgeConnector, edgeAggregator and Secure Integration Server | CVE-2023-27336 | 7.5 | edgeConnector, edgeAggregator, Secure Integration Server | 30.11.2023 | HTML, JSON |
| SYT-2023-6 | Relative path transversal vulnerability in Secure Integration Server | CVE-2023-39481 | 7.2 | Secure Integration Server | 30.11.2023 | HTML, JSON |
| SYT-2023-5 | Improper access control vulnerability in OPC Suite | CVE-2023-37572 | 5.6 | OPC Suite | 29.11.2023 | HTML, JSON |
| SYT-2023-4 | Improper input validation vulnerability in edgeConnector Siemens | CVE-2023-6358 | 4.9 | edgeConnector Siemens | 28.11.2023 | HTML, JSON |
| SYT-2023-3 | Uncaught exception vulnerability in OPC UA C++ SDK, Secure Integration Server and OPC Suite | CVE-2023-41151 | 7.5 | OPC UA C++ SDK, OPC Suite, Secure Integration Server | 07.11.2023 | HTML, JSON |
| SYT-2023-2 | Bypass of limitations and relative path transversal vulnerability in OPC UA C++ SDK and Secure Integration Server | CVE-2023-29377, CVE-2023-29378 | 7.7 | OPC UA C++ SDK, Secure Integration Server | 05.06.2023 | HTML, JSON |
| SYT-2023-1 | Uncontrolled resource consumption vulnerability in OPC UA C++ SDK, edgeConnector, edgeAggregator and Secure Integration Server | CVE-2023-27334 | 7.5 | OPC UA C++ SDK, Secure Integration Server, edgeConnector, edgeAggregator | 05.06.2023 | HTML, JSON |

| ID | Title | CVE | CVSS Score | Products | Date | Download |
|---|---|---|---|---|---|---|
| SYT-2022-11 | Multiple vulnerabilities in smartLink SW-HT | CVE-2022-48192, CVE-2022-48193 | 7.2 | smartLink SW-HT | 29.12.2022 | HTML, JSON |
| SYT-2022-10 | Multiple vulnerabilities in uaToolkit Embedded and smartLink HW-DP | CVE-2022-44018, CVE-2022-45920 | 7.5 | uaToolkit Embedded, smartLink HW-DP | 28.12.2022 | HTML, JSON |
| SYT-2022-9 | Improper input validation vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector, edgeAggregator, uaGate and OPC Suite | CVE-2022-37453 | 7.5 | OPC UA C++ SDK, Secure Integration Server, edgeConnector, edgeAggregator, uaGate, OPC Suite | 14.10.2022 | HTML, JSON |
| SYT-2022-8 | Use after free vulnerability in OPC UA C++ SDK and OPC Suite | CVE-2022-39823 | 7.5 | OPC UA C++ SDK, OPC Suite | 14.10.2022 | HTML, JSON |
| SYT-2022-7 | NULL pointer dereference vulnerability in OPC UA C++ SDK, Secure Integration Server, edgeConnector and edgeAggregator | CVE-2022-1748 | 7.5 | OPC UA C++ SDK, Secure Integration Server, edgeConnector, edgeAggregator | 29.07.2022 | HTML, JSON |
| SYT-2022-6 | Default credentials authentication bypass vulnerability in Secure Integration Server, edgeConnector and edgeAggregator | CVE-2022-2336 | 9.8 | Secure Integration Server, edgeConnector, edgeAggregator | 27.07.2022 | HTML, JSON |
| SYT-2022-5 | Remote code execution vulnerability in configuration restore functionality of Secure Integration Server | CVE-2022-2334, CVE-2022-1373, CVE-2022-2338 | 7.2 | Secure Integration Server | 27.07.2022 | HTML, JSON |
| SYT-2022-4 | Multiple denial of service vulnerabilities in FastCGI interface of Secure Integration Server | CVE-2022-1069, CVE-2022-2337, CVE-2022-2335, CVE-2022-2547 | 7.5 | Secure Integration Server | 27.07.2022 | HTML, JSON |
| SYT-2022-3 | Multiple vulnerabilities in the OPC UA .NET Standard SDK and the OPC UA .NET SDK | CVE-2022-29862, CVE-2022-29863, CVE-2022-29864, CVE-2022-29865 | 7.5 | OPC UA .NET Standard SDK, OPC UA .NET SDK | 22.07.2022 | HTML, JSON |
| SYT-2022-2 | Vulnerabilities in the OpenSSL used in the OPC UA C++ SDK | CVE-2022-0778 | 7.5 | OPC UA C++ SDK | 15.03.2022 | HTML, JSON |
| SYT-2022-1 | Multiple vulnerabilities in the OPC UA C++ SDK | CVE-2021-42262, CVE-2021-42577 | 7.5 | OPC UA C++ SDK, OPC Suite, Secure Integration Server | 09.03.2022 | HTML, JSON |

| Description | Category | CVE | Date | Product | Fixed in Version |
|---|---|---|---|---|---|
| Possible memory corruption in BT controller | Medium | CVE-2021-35093 | 06.12.2021 | mobiLink | N. A. |
| CWE 20: Improper Input Validation | High | CVE-2021-40872 | 08.11.2021 | uaToolkit Embedded, smartLink HW DP | 1.40, planned for 1.19 |
| CWE 415: Double Free | High | CVE-2021-40873 | 08.11.2021 | uaToolkit Embedded, OPC UA C++ SDK, TH SCOPE, dataFEED OPC Suite, Secure Integration Server, edgeConnector, uaGates | 1.40, 5.66, N. A., 5.18, planned for 1.30, 3.10, 1.73 |
| CWE 20: Improper Input Validation | Medium | CVE-2021-40871 | 08.11.2021 | OPC UA C++ SDK, TH SCOPE, dataFEED OPC Suite, Secure Integration Server | 5.66, N. A., 5.18, planned for 1.30 |
| Improper Restriction of Operations within the Bounds of a Memory Buffer | High | CVE-2021-32994 | 17.06.2021 | OPC UA C++ SDK | 5.65 |
| Endless recursion in XML Structures | High | CVE-2021-27432 | 17.02.2021 | OPC UA .NET Standard SDK, OPC UA .NET SDK | 2.80, 1.48 |
| Privilege Elevation vulnerability | Medium | CVE-2020-29457 | 15.02.2021 | OPC UA .NET Standard SDK | 2.80 |

| Description | Category | CVE | Date | Product | Fixed in Version |
|---|---|---|---|---|---|
| HEAP-BASED BUFFER OVERFLOW | High | CVE-2020-14524 | 28.07.2020 | OPC Classic SDK | 4.47.1 |
| UNCONTROLLED RESOURCE CONSUMPTION | High | CVE-2020-14522 | 28.07.2020 | OPC Classic SDK | 4.47.1 |
| Servers do not create sufficiently random numbers | High | CVE-2019-19135 | 10.03.2020 | .NET Standard SDK | 2.40 |
| Servers do not create sufficiently random numbers | High | CVE-2019-19135 | 10.03.2020 | dataFEED C++ SDK | 5.62 |

| Description | Category | CVE | Date | Product | Fixed in Version |
|---|---|---|---|---|---|
| Authenticated remote code execution possible | High | CVE-2019-15051 | 10.10.2019 | uaGate SI, uaGate MB, uaGate840D, edgeGate | 1.72.00.1996 |
| Sudo privilege escalation | High | CVE-2019-11526 | 10.10.2019 | uaGate SI, uaGate MB, uaGate840D, edgeGate | 1.71.00.1225 |
| Another authenticated remote code execution | High | CVE-2019-11527 | 10.10.2019 | uaGate SI, uaGate MB, uaGate840D, edgeGate | 1.72.00.1996 |
| Default unix user permissions | High | CVE-2019-11528 | 10.10.2019 | uaGate SI, uaGate MB, uaGate840D, edgeGate | 1.71.00.1225 |

Softing recommends always using the latest software/firmware version. These are available under Support and Downloads or on the respective product page.

No representations are made as to the completeness or accuracy of the listing above. This information is provided without any guarantee or warranty of any kind, either explicit or tacit. We reserve the right to change or update the content of this website without notice at any time. The free update enables you to prevent or limit the consequences of damage resulting from security vulnerabilities. We cannot be held liable for any consequences arising from any omission in this regard. Security vulnerabilities cannot be removed in every case for products which have already reached their end-of-life cycle.

What does CVE mean?

It stands for Common Vulnerabilities and Exposures (CVE) and is an industry standard that aims to introduce a common naming convention for vulnerabilities and other security issues in computer systems. Where different companies and institutions give the same threat different names, a serial number (e.g. CVE-2006-3086) is added to ensure clear identification of the vulnerability. This enables a smooth exchange of information between the various databases of individual manufacturers.
