VDE-2021-041

Vulnerability from csaf_pepperlfuchsse - Published: 2021-10-26 13:35 - Updated: 2025-05-22 13:03
Summary
Pepperl+Fuchs: Multiple DTM and VisuNet Software affected by log4net vulnerability
Notes
Summary: Critical vulnerabilities have been discovered in the utilized component log4net by Apache Software Foundation. UPDATE A: Remediation: added fixed VisuNet Products
Mitigation: External countermeasures are needed for the remaining products. The following protective measure is required for VisuNet devices and the PCs/Servers with an installed DTM: Restrict local access to the device, PC/Server and use user authentication to prevent unauthorized access.
Remediation: The following affected DTM products can be updated to the listed version:

| Item | Version |
|---|---|
| FieldConnex DTM Collection | 1.7.1.2159 |
| Diagnostic Manager | 2.2.3.3527 |
| FieldConnex Diagnostic Gateway FF DTM | 2.2.3.3527 |
| FDH-1 Manager | 1.0.2.1049 |
| ABB Project Builder | 1.1.2.1134 |
| Honeywell Integration Package | 1.1.3.0 |
| Emerson Integration Package [ADM Project Builder Emerson] | 1.1.4.1474 |
| Emerson Integration Package [AMS Alert Adapter] | 1.1.3.72 |
| DTM Collection HART-Multiplexer | 2.0.1.208 |

**UPDATE A**

The following affected VisuNet products can be updated to the listed version:

| Item | Version |
|---|---|
| VisuNet RM Shell 5 (2016 LTSB) | 5.5.1.1200 |
| VisuNet RM Shell 5 (2019 LTSC) | 5.6.0.1383 |
| VisuNet Factory Reset | 6.1.1.262 |
| VisuNet Control Center | 4.8.0.1596 |
| VisuNet GXP PC Service Tool | 1.1.1 |

END UPDATE A
Impact: Pepperl+Fuchs analyzed and identified affected devices. In the table 'Affected products', packages are listed next to some products. This means that those products are only affected if the corresponding software is installed, since the package implements the vulnerability.

To exploit the vulnerability, the access rights of an authorized user or admin are required.

The impact of the vulnerability on the affected products may result in:

- Denial of Service
- Loss of Credentials
- Code Execution

The CVSS environmental score is specific to the customer's environment and should therefore be individually assessed by the customer to accomplish final scoring.

Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.

CWE-611 - Improper Restriction of XML External Entity Reference
Affected products
| Product | Path | Version |
|---|---|---|
| ABB Project Builder <=1.1.1.1122 | Pepperl+Fuchs / Software / ABB Project Builder | <=1.1.1.1122 |
| ADM Project Builder Emerson in Emerson Integration Package <=1.1.3.1463 | Pepperl+Fuchs / Software / ADM Project Builder Emerson in Emerson Integration Package | <=1.1.3.1463 |
| All contained DTMs in Diagnostic Manager 2.0.0.1177<=2.2.2.3478 | Pepperl+Fuchs / Software / All contained DTMs in Diagnostic Manager | 2.0.0.1177<=2.2.2.3478 |
| All contained DTMs in DTM Collection HART-Multiplexer <=2.0.0.130 | Pepperl+Fuchs / Software / All contained DTMs in DTM Collection HART-Multiplexer | <=2.0.0.130 |
| All contained DTMs in DTM Collection Level Control Technology used with Level Radar LCR20, LTC50, LTC51, LRC57 <=1.0.31 | Pepperl+Fuchs / Software / All contained DTMs in DTM Collection Level Control Technology used with Level Radar LCR20, LTC50, LTC51, LRC57 | <=1.0.31 |
| All contained DTMs in DTM Collection WirelessHART <=1.0.2.4 | Pepperl+Fuchs / Software / All contained DTMs in DTM Collection WirelessHART | <=1.0.2.4 |
| All contained DTMs in DTM Library HART used with 6500 Series <=2.4.11.59 | Pepperl+Fuchs / Software / All contained DTMs in DTM Library HART used with 6500 Series | <=2.4.11.59 |
| All contained DTMs in FieldConnex Diagnostic Gateway FF DTM <=2.2.2.3478 | Pepperl+Fuchs / Software / All contained DTMs in FieldConnex Diagnostic Gateway FF DTM | <=2.2.2.3478 |
| All contained DTMs in HART DTM Library Enhanced used with PS3500-DM <=2.4.11.59 | Pepperl+Fuchs / Software / All contained DTMs in HART DTM Library Enhanced used with PS3500-DM | <=2.4.11.59 |
| All contained DTMs in TMI-FF DTM <=2.6.3.10 | Pepperl+Fuchs / Software / All contained DTMs in TMI-FF DTM | <=2.6.3.10 |
| AMS Alert Adapter in Emerson Integration Package <=1.1.3.1463 | Pepperl+Fuchs / Software / AMS Alert Adapter in Emerson Integration Package | <=1.1.3.1463 |
| FDH-1 Manager <=1.0.1.1022 | Pepperl+Fuchs / Software / FDH-1 Manager | <=1.0.1.1022 |
| P+F DTMLibrary Modbus in DTM used with S1SD-1TI-1U V2.3.68 | Pepperl+Fuchs / Software / P+F DTMLibrary Modbus in DTM used with S1SD-1TI-1U | V2.3.68 |
| VisuNet Control Center <=4.7.1 | Pepperl+Fuchs / Software / VisuNet Control Center | <=4.7.1 |
| VisuNet Factory Reset 5.x | Pepperl+Fuchs / Software / VisuNet Factory Reset | 5.x |
| VisuNet Factory Reset <=6.1.0 | Pepperl+Fuchs / Software / VisuNet Factory Reset | <=6.1.0 |
| VisuNet GXP PC Service Tool <=1.1.0 | Pepperl+Fuchs / Software / VisuNet GXP PC Service Tool | <=1.1.0 |
| VisuNet RM Shell <=5.5.0 | Pepperl+Fuchs / Software / VisuNet RM Shell | <=5.5.0 |

| Product | Path | Version |
|---|---|---|
| ABB Project Builder 1.1.2.1134 | Pepperl+Fuchs / Software / ABB Project Builder | 1.1.2.1134 |
| ADM Project Builder Emerson in Emerson Integration Package 1.1.4.1474 | Pepperl+Fuchs / Software / ADM Project Builder Emerson in Emerson Integration Package | 1.1.4.1474 |
| All contained DTMs in Diagnostic Manager 2.2.3.3527 | Pepperl+Fuchs / Software / All contained DTMs in Diagnostic Manager | 2.2.3.3527 |
| All contained DTMs in DTM Collection HART-Multiplexer 2.0.1.208 | Pepperl+Fuchs / Software / All contained DTMs in DTM Collection HART-Multiplexer | 2.0.1.208 |
| All contained DTMs in DTM Collection Level Control Technology used with Level Radar LCR20, LTC50, LTC51, LRC57 2.0.1.208 | Pepperl+Fuchs / Software / All contained DTMs in DTM Collection Level Control Technology used with Level Radar LCR20, LTC50, LTC51, LRC57 | 2.0.1.208 |
| All contained DTMs in DTM Collection WirelessHART 2.0.1.208 | Pepperl+Fuchs / Software / All contained DTMs in DTM Collection WirelessHART | 2.0.1.208 |
| All contained DTMs in DTM Library HART used with 6500 Series 2.0.1.208 | Pepperl+Fuchs / Software / All contained DTMs in DTM Library HART used with 6500 Series | 2.0.1.208 |
| All contained DTMs in FieldConnex Diagnostic Gateway FF DTM 2.2.3.3527 | Pepperl+Fuchs / Software / All contained DTMs in FieldConnex Diagnostic Gateway FF DTM | 2.2.3.3527 |
| All contained DTMs in HART DTM Library Enhanced used with PS3500-DM 2.0.1.208 | Pepperl+Fuchs / Software / All contained DTMs in HART DTM Library Enhanced used with PS3500-DM | 2.0.1.208 |
| All contained DTMs in TMI-FF DTM 2.0.1.208 | Pepperl+Fuchs / Software / All contained DTMs in TMI-FF DTM | 2.0.1.208 |
| AMS Alert Adapter in Emerson Integration Package 1.1.3.72 | Pepperl+Fuchs / Software / AMS Alert Adapter in Emerson Integration Package | 1.1.3.72 |
| FDH-1 Manager 1.0.2.1049 | Pepperl+Fuchs / Software / FDH-1 Manager | 1.0.2.1049 |
| VisuNet Control Center 4.8.0.1596 | Pepperl+Fuchs / Software / VisuNet Control Center | 4.8.0.1596 |
| VisuNet Factory Reset 6.1.1.262 | Pepperl+Fuchs / Software / VisuNet Factory Reset | 6.1.1.262 |
| VisuNet Factory Reset 6.1.1.262 | Pepperl+Fuchs / Software / VisuNet Factory Reset | 6.1.1.262 |
| VisuNet GXP PC Service Tool 1.1.1 | Pepperl+Fuchs / Software / VisuNet GXP PC Service Tool | 1.1.1 |
| VisuNet RM Shell 5.5.1.1200 | Pepperl+Fuchs / Software / VisuNet RM Shell | 5.5.1.1200 |
| VisuNet RM Shell 5.6.0.1383 | Pepperl+Fuchs / Software / VisuNet RM Shell | 5.6.0.1383 |
Acknowledgments
CERT@VDE certvde.com
CodeWrights GmbH

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "organization": "CodeWrights GmbH",
        "summary": "reported"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Critical vulnerabilities have been discovered in the utilized component log4net by Apache Software Foundation.\n\nUPDATE A: Remediation: added fixed VisuNet Products ",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "External countermeasures are needed for the remaining products.\nThe following protective measure is required for VisuNet devices and the PCs/Servers with an installed DTM: \\\nRestrict local access to the device, PC/Server and use user authentication to prevent unauthorized access.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "The following affected DTM products can be updated to the listed version:\n\n| Item                                       | Version         |\n|--------------------------------------------|----------------|\n| FieldConnex DTM Collection                | 1.7.1.2159     |\n| Diagnostic Manager                         | 2.2.3.3527     |\n| FieldConnex Diagnostic Gateway FF DTM     | 2.2.3.3527     |\n| FDH-1 Manager                              | 1.0.2.1049     |\n| ABB Project Builder                        | 1.1.2.1134     |\n| Honeywell Integration Package              | 1.1.3.0        |\n| Emerson Integration Package [ADM Project Builder Emerson] | 1.1.4.1474 |\n| Emerson Integration Package [AMS Alert Adapter] | 1.1.3.72  |\n| DTM Collection HART-Multiplexer            | 2.0.1.208      |\n\n**UPDATE A**\n\nThe following affected VisuNet products can be updated to the listed version:\n\n| Item                                     | Version        |\n|------------------------------------------|---------------|\n| VisuNet RM Shell 5 (2016 LTSB)          | 5.5.1.1200    |\n| VisuNet RM Shell 5 (2019 LTSC)          | 5.6.0.1383    |\n| VisuNet Factory Reset                   | 6.1.1.262     |\n| VisuNet Control Center                   | 4.8.0.1596    |\n| VisuNet GXP PC Service Tool               | 1.1.1         |\n\nEND UPDATE A\n",
        "title": "Remediation"
      },
      {
        "category": "description",
        "text": "Pepperl+Fuchs analyzed and identified affected devices.\nIn table \u0027Affected products\u0027 packages are listed next to some products, this means that the products are only affected if the corresponding software is installed since the package implements the vulnerability.\n\nTo exploit the vulnerability, the access rights of an authorized user or admin are required. \n\nThe impact of the vulnerability on the affected products may result in\n\n- Denial of Service\n- Loss of Credentials\n- Code Execution\n\nThe CVSS environmental score is specific to the customer\u0027s environment and should therefore be individually assessed by the customer to accomplish final scoring.",
        "title": "Impact"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "cert@pepperl-fuchs.com",
      "name": "Pepperl+Fuchs SE",
      "namespace": "https://www.pepperl-fuchs.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "Pepperl+Fuchs advisory overview at CERT@VDE",
        "url": "https://certvde.com/de/advisories/vendor/pepperl+fuchs/"
      },
      {
        "category": "self",
        "summary": "VDE-2021-041: Pepperl+Fuchs: Multiple DTM and VisuNet Software affected by log4net vulnerability - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2021-041"
      },
      {
        "category": "self",
        "summary": "VDE-2021-041: Pepperl+Fuchs: Multiple DTM and VisuNet Software affected by log4net vulnerability - CSAF",
        "url": "https://pepperl-fuchs.csaf-tp.certvde.com/.well-known/csaf/white/2021/vde-2021-041.json"
      }
    ],
    "title": "Pepperl+Fuchs: Multiple DTM and VisuNet Software affected by log4net vulnerability",
    "tracking": {
      "aliases": [
        "VDE-2021-041"
      ],
      "current_release_date": "2025-05-22T13:03:10.000Z",
      "generator": {
        "date": "2025-03-11T15:55:39.163Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.20"
        }
      },
      "id": "VDE-2021-041",
      "initial_release_date": "2021-10-26T13:35:00.000Z",
      "revision_history": [
        {
          "date": "2021-10-26T13:35:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2022-01-17T15:16:00.000Z",
          "number": "2",
          "summary": "UPDATE A: add list of affected VisuNet products"
        },
        {
          "date": "2025-05-22T13:03:10.000Z",
          "number": "3",
          "summary": "Fix: firmware category, quotation mark"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=1.1.1.1122",
                    "product": {
                      "name": "ABB Project Builder \u003c=1.1.1.1122",
                      "product_id": "CSAFPID-51001"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "1.1.2.1134",
                    "product": {
                      "name": "ABB Project Builder 1.1.2.1134",
                      "product_id": "CSAFPID-52001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "ABB Project Builder"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=1.1.3.1463",
                    "product": {
                      "name": "ADM Project Builder Emerson in Emerson Integration Package \u003c=1.1.3.1463",
                      "product_id": "CSAFPID-51002"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "1.1.4.1474",
                    "product": {
                      "name": "ADM Project Builder Emerson in Emerson Integration Package 1.1.4.1474",
                      "product_id": "CSAFPID-52002"
                    }
                  }
                ],
                "category": "product_name",
                "name": "ADM Project Builder Emerson in Emerson Integration Package"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "2.0.0.1177\u003c=2.2.2.3478",
                    "product": {
                      "name": "All contained DTMs in Diagnostic Manager 2.0.0.1177\u003c=2.2.2.3478",
                      "product_id": "CSAFPID-51003"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.2.3.3527",
                    "product": {
                      "name": "All contained DTMs in Diagnostic Manager 2.2.3.3527",
                      "product_id": "CSAFPID-52003"
                    }
                  }
                ],
                "category": "product_name",
                "name": "All contained DTMs in Diagnostic Manager"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2.0.0.130",
                    "product": {
                      "name": "All contained DTMs in DTM Collection HART-Multiplexer \u003c=2.0.0.130",
                      "product_id": "CSAFPID-51004"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.0.1.208",
                    "product": {
                      "name": "All contained DTMs in DTM Collection HART-Multiplexer 2.0.1.208",
                      "product_id": "CSAFPID-52004"
                    }
                  }
                ],
                "category": "product_name",
                "name": "All contained DTMs in DTM Collection HART-Multiplexer"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=1.0.31",
                    "product": {
                      "name": "All contained DTMs in DTM Collection Level Control Technology used with Level Radar LCR20, LTC50, LTC51, LRC57 \u003c=1.0.31",
                      "product_id": "CSAFPID-51005"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.0.1.208",
                    "product": {
                      "name": "All contained DTMs in DTM Collection Level Control Technology used with Level Radar LCR20, LTC50, LTC51, LRC57 2.0.1.208",
                      "product_id": "CSAFPID-52005"
                    }
                  }
                ],
                "category": "product_name",
                "name": "All contained DTMs in DTM Collection Level Control Technology used with Level Radar LCR20, LTC50, LTC51, LRC57"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=1.0.2.4",
                    "product": {
                      "name": "All contained DTMs in DTM Collection WirelessHART \u003c=1.0.2.4",
                      "product_id": "CSAFPID-51006"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.0.1.208",
                    "product": {
                      "name": "All contained DTMs in DTM Collection WirelessHART 2.0.1.208",
                      "product_id": "CSAFPID-52006"
                    }
                  }
                ],
                "category": "product_name",
                "name": "All contained DTMs in DTM Collection WirelessHART"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2.4.11.59",
                    "product": {
                      "name": "All contained DTMs in DTM Library HART used with 6500 Series \u003c=2.4.11.59",
                      "product_id": "CSAFPID-51007"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.0.1.208",
                    "product": {
                      "name": "All contained DTMs in DTM Library HART used with 6500 Series 2.0.1.208",
                      "product_id": "CSAFPID-52007"
                    }
                  }
                ],
                "category": "product_name",
                "name": "All contained DTMs in DTM Library HART used with 6500 Series"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2.2.2.3478",
                    "product": {
                      "name": "All contained DTMs in FieldConnex Diagnostic Gateway FF DTM \u003c=2.2.2.3478",
                      "product_id": "CSAFPID-51008"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.2.3.3527",
                    "product": {
                      "name": "All contained DTMs in FieldConnex Diagnostic Gateway FF DTM 2.2.3.3527",
                      "product_id": "CSAFPID-52008"
                    }
                  }
                ],
                "category": "product_name",
                "name": "All contained DTMs in FieldConnex Diagnostic Gateway FF DTM"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2.4.11.59",
                    "product": {
                      "name": "All contained DTMs in HART DTM Library Enhanced used with PS3500-DM \u003c=2.4.11.59",
                      "product_id": "CSAFPID-51009"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.0.1.208",
                    "product": {
                      "name": "All contained DTMs in HART DTM Library Enhanced used with PS3500-DM 2.0.1.208",
                      "product_id": "CSAFPID-52009"
                    }
                  }
                ],
                "category": "product_name",
                "name": "All contained DTMs in HART DTM Library Enhanced used with PS3500-DM"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2.6.3.10",
                    "product": {
                      "name": "All contained DTMs in TMI-FF DTM \u003c=2.6.3.10",
                      "product_id": "CSAFPID-51010"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.0.1.208",
                    "product": {
                      "name": "All contained DTMs in TMI-FF DTM 2.0.1.208",
                      "product_id": "CSAFPID-52010"
                    }
                  }
                ],
                "category": "product_name",
                "name": "All contained DTMs in TMI-FF DTM"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=1.1.3.1463",
                    "product": {
                      "name": "AMS Alert Adapter in Emerson Integration Package \u003c=1.1.3.1463",
                      "product_id": "CSAFPID-51011"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "1.1.3.72",
                    "product": {
                      "name": "AMS Alert Adapter in Emerson Integration Package 1.1.3.72",
                      "product_id": "CSAFPID-52011"
                    }
                  }
                ],
                "category": "product_name",
                "name": "AMS Alert Adapter in Emerson Integration Package"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=1.0.1.1022",
                    "product": {
                      "name": "FDH-1 Manager \u003c=1.0.1.1022",
                      "product_id": "CSAFPID-51012"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "1.0.2.1049",
                    "product": {
                      "name": "FDH-1 Manager 1.0.2.1049",
                      "product_id": "CSAFPID-52012"
                    }
                  }
                ],
                "category": "product_name",
                "name": "FDH-1 Manager"
              },
              {
                "branches": [
                  {
                    "category": "product_version",
                    "name": "V2.3.68",
                    "product": {
                      "name": "P+F DTMLibrary Modbus in DTM used with S1SD-1TI-1U V2.3.68",
                      "product_id": "CSAFPID-51013"
                    }
                  }
                ],
                "category": "product_name",
                "name": "P+F DTMLibrary Modbus in DTM used with S1SD-1TI-1U"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=4.7.1",
                    "product": {
                      "name": "VisuNet Control Center \u003c=4.7.1",
                      "product_id": "CSAFPID-51014"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "4.8.0.1596",
                    "product": {
                      "name": "VisuNet Control Center 4.8.0.1596",
                      "product_id": "CSAFPID-52013"
                    }
                  }
                ],
                "category": "product_name",
                "name": "VisuNet Control Center"
              },
              {
                "branches": [
                  {
                    "category": "product_version",
                    "name": "5.x",
                    "product": {
                      "name": "VisuNet Factory Reset 5.x",
                      "product_id": "CSAFPID-51015"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "6.1.1.262",
                    "product": {
                      "name": "VisuNet Factory Reset 6.1.1.262",
                      "product_id": "CSAFPID-52014"
                    }
                  }
                ],
                "category": "product_name",
                "name": "VisuNet Factory Reset"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=6.1.0",
                    "product": {
                      "name": "VisuNet Factory Reset \u003c=6.1.0",
                      "product_id": "CSAFPID-51016"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "6.1.1.262",
                    "product": {
                      "name": "VisuNet Factory Reset 6.1.1.262",
                      "product_id": "CSAFPID-52015"
                    }
                  }
                ],
                "category": "product_name",
                "name": "VisuNet Factory Reset"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=1.1.0",
                    "product": {
                      "name": "VisuNet GXP PC Service Tool \u003c=1.1.0",
                      "product_id": "CSAFPID-51017"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "1.1.1",
                    "product": {
                      "name": "VisuNet GXP PC Service Tool 1.1.1",
                      "product_id": "CSAFPID-52016"
                    }
                  }
                ],
                "category": "product_name",
                "name": "VisuNet GXP PC Service Tool"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=5.5.0",
                    "product": {
                      "name": "VisuNet RM Shell \u003c=5.5.0",
                      "product_id": "CSAFPID-51018"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "5.5.1.1200",
                    "product": {
                      "name": "VisuNet RM Shell 5.5.1.1200",
                      "product_id": "CSAFPID-52017"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "5.6.0.1383",
                    "product": {
                      "name": "VisuNet RM Shell 5.6.0.1383",
                      "product_id": "CSAFPID-52018"
                    }
                  }
                ],
                "category": "product_name",
                "name": "VisuNet RM Shell"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "Pepperl+Fuchs"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005",
          "CSAFPID-51006",
          "CSAFPID-51007",
          "CSAFPID-51008",
          "CSAFPID-51009",
          "CSAFPID-51010",
          "CSAFPID-51011",
          "CSAFPID-51012",
          "CSAFPID-51013",
          "CSAFPID-51014",
          "CSAFPID-51015",
          "CSAFPID-51016",
          "CSAFPID-51017",
          "CSAFPID-51018"
        ],
        "summary": "Affected Products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-52001",
          "CSAFPID-52002",
          "CSAFPID-52003",
          "CSAFPID-52004",
          "CSAFPID-52005",
          "CSAFPID-52006",
          "CSAFPID-52007",
          "CSAFPID-52008",
          "CSAFPID-52009",
          "CSAFPID-52010",
          "CSAFPID-52011",
          "CSAFPID-52012",
          "CSAFPID-52013",
          "CSAFPID-52014",
          "CSAFPID-52015",
          "CSAFPID-52016",
          "CSAFPID-52017",
          "CSAFPID-52018"
        ],
        "summary": "Fixed Products."
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-1285",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "notes": [
        {
          "category": "description",
          "text": "Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-52001",
          "CSAFPID-52002",
          "CSAFPID-52003",
          "CSAFPID-52004",
          "CSAFPID-52005",
          "CSAFPID-52006",
          "CSAFPID-52007",
          "CSAFPID-52008",
          "CSAFPID-52009",
          "CSAFPID-52010",
          "CSAFPID-52011",
          "CSAFPID-52012",
          "CSAFPID-52013",
          "CSAFPID-52014",
          "CSAFPID-52015",
          "CSAFPID-52016",
          "CSAFPID-52017",
          "CSAFPID-52018"
        ],
        "known_affected": [
          "CSAFPID-51001",
          "CSAFPID-51002",
          "CSAFPID-51003",
          "CSAFPID-51004",
          "CSAFPID-51005",
          "CSAFPID-51006",
          "CSAFPID-51007",
          "CSAFPID-51008",
          "CSAFPID-51009",
          "CSAFPID-51010",
          "CSAFPID-51011",
          "CSAFPID-51012",
          "CSAFPID-51013",
          "CSAFPID-51014",
          "CSAFPID-51015",
          "CSAFPID-51016",
          "CSAFPID-51017",
          "CSAFPID-51018"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "External countermeasures are needed for the remaining products.\nThe following protective measure is required for VisuNet devices and the PCs/Servers with an installed DTM:\n\nRestrict local access to the device, PC/Server and use user authentication to prevent unauthorized access.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "The following affected DTM products can be updated to the listed version:\n\n| Item                                       | Version         |\n|--------------------------------------------|----------------|\n| FieldConnex DTM Collection                | 1.7.1.2159     |\n| Diagnostic Manager                         | 2.2.3.3527     |\n| FieldConnex Diagnostic Gateway FF DTM     | 2.2.3.3527     |\n| FDH-1 Manager                              | 1.0.2.1049     |\n| ABB Project Builder                        | 1.1.2.1134     |\n| Honeywell Integration Package              | 1.1.3.0        |\n| Emerson Integration Package [ADM Project Builder Emerson] | 1.1.4.1474 |\n| Emerson Integration Package [AMS Alert Adapter] | 1.1.3.72  |\n| DTM Collection HART-Multiplexer            | 2.0.1.208      |\n\nUPDATE A\n\nThe following affected VisuNet products can be updated to the listed version:\n\n| Item                                     | Version        |\n|------------------------------------------|---------------|\n| VisuNet RM Shell 5 (2016 LTSB)          | 5.5.1.1200    |\n| VisuNet RM Shell 5 (2019 LTSC)          | 5.6.0.1383    |\n| VisuNet Factory Reset                   | 6.1.1.262     |\n| VisuNet Control Center                   | 4.8.0.1596    |\n| VisuNet GXP PC Service Tool               | 1.1.1         |\n\nEND UPDATE A",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51001",
            "CSAFPID-51002",
            "CSAFPID-51003",
            "CSAFPID-51004",
            "CSAFPID-51005",
            "CSAFPID-51006",
            "CSAFPID-51007",
            "CSAFPID-51008",
            "CSAFPID-51009",
            "CSAFPID-51010",
            "CSAFPID-51011",
            "CSAFPID-51012",
            "CSAFPID-51013",
            "CSAFPID-51014",
            "CSAFPID-51015",
            "CSAFPID-51016",
            "CSAFPID-51017",
            "CSAFPID-51018"
          ]
        }
      ],
      "title": "CVE-2018-1285"
    }
  ]
}

