Overview:
Johnson Controls has confirmed a vulnerability impacting Exacq Technologies exacqVision. The exacqVision Server is also included in the exacqVision Server Bundle along with the exacqVision Client and exacqVision Web Service. Under certain circumstances, an integer overflow condition could exist in the exacqVision Server.
Impact:
An unauthenticated remote user could exploit a potential integer overflow condition in the exacqVision Server with a specially crafted script and cause Denial of Service (DoS).
Affected Versions:
exacqVision Server 32-bit version 21.06.11.0 or older.
Mitigation:
- Upgrade exacqVision Server 32-bit to version 21.09, or upgrade to exacqVision Server 64-bit.
- Current users can obtain the critical software update from the Software Downloads location at: https://www.exacq.com/support/downloads.php
Resources:
- JCI Cyber Solutions Product Security Advisories Website JCI-PSA-2021-18 https://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2021/jci-psa-2021-18.pdf?la=en&hash=D5577A925D77BDFA025AAB3708AACC1A0B62AF67
- Common Vulnerabilities & Exposures (CVE) CVE-2021-27665 - National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) https://nvd.nist.gov/vuln/detail/CVE-2021-27665 (RESERVED but not posted yet) or MITRE CVE® List https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27665 (RESERVED but not posted yet)
- Cybersecurity & Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Advisories ICSA-21-280-03 https://us-cert.cisa.gov/ics/advisories/icsa-21-280-03