
Support procedure for reporting newly discovered cyber security vulnerabilities in Exacq Software 

This document outlines the procedure Exacq Support staff are expected to follow on discovering a previously unreported security vulnerability in an exacqVision product.

Product 

Any exacqVision product

Procedure:

  1. Verify the vulnerability has not already been properly reported at: https://www.johnsoncontrols.com/cyber-solutions/security-advisories
  2. Email the GPS (Global Product Security) team at: productsecurity@jci.com
    • Provide vulnerability analysis in this email and any relevant links
    • Provide customer details and contact information in this email
    • Provide software product and software versions in this email
    • CC the customer on the email
  3. Inform the customer you have notified the appropriate team (GPS) and will be closing the Support ticket.

Our Global Product Security team will then be responsible for following up with this customer and resolving the vulnerability.


Updating exacqVision S-Series in Response to Heartbleed Threat

In April 2014 a Security Advisory was issued by the OpenSSL project notifying the public of a serious vulnerability in the encryption software used by a large number of companies. (For detailed information, visit http://heartbleed.com/.) Exacq Technologies took immediate action to assess how its products might be affected by this vulnerability.



The exacqVision S-Series uses Ubuntu 12.04 with the version of OpenSSL that could be affected. However, the vulnerability exists only if you have installed the exacqVision Web Service on your S-Series system and you are using SSL connections on the exacqVision web server, which is not the default configuration. If you have manually set up that configuration, complete the following procedure to ensure you do not have any issues. (If you are not using SSL in the web server, this procedure is optional.)


Affected Versions

All exacqVision S-Series Servers manufactured before Apr 10, 2014 (including S-Series Version A and S-Series Version B-1 and B-2)


Files affected: openssl, libssl1.0.0


S-Series Version B-1 and B-2 with a Desktop

  1. Visit https://exacq.com/files.

    Username: evsupport
    Password: evsupport
  2. Click on the Heartbleed folder and download the two files to the Desktop. Alternately, you can download them to a portable drive and save them to the server.
  3. Double-click each file to install.
  4. If you see a message stating that a newer repository is available, click OK to continue the installation.
  5. After the installations are complete, delete the files from the Desktop.

    If you have configured SSH connections to the computer, the next time you connect you will get a Security Warning message. This is expected, and the script will update the server’s SSH keys.
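
A post-update check for the procedure above, added here as an example and not part of the original article or of Exacq's installer: it prints the installed versions of the two affected packages and lists any running process that still has the pre-update libssl or libcrypto mapped, since such a process keeps using the old library until it is restarted. The function names and the overridable proc root are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Exacq's script): post-update check for an S-Series server.

# List "PID NAME" for each process that still maps a libssl/libcrypto file
# that was replaced on disk; the kernel tags such mappings "(deleted)".
# Both libraries ship in the libssl1.0.0 package on Ubuntu.
# $1 overrides the proc root so the scan can be tried on constructed data.
stale_ssl_procs() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            name=$(cat "$dir/comm" 2>/dev/null || echo unknown)
            echo "${dir##*/} $name"
        fi
    done
}

# Show the installed versions of the two packages the article names.
installed_versions() {
    command -v dpkg-query >/dev/null 2>&1 || { echo "dpkg-query not found"; return 0; }
    dpkg-query -W -f='${Package} ${Version}\n' openssl libssl1.0.0 2>/dev/null
    return 0
}

report() {
    echo "Installed packages:"
    installed_versions
    stale=$(stale_ssl_procs)
    if [ -n "$stale" ]; then
        echo "Still running with the pre-update library (restart these):"
        echo "$stale"
    else
        echo "No process maps a replaced libssl/libcrypto."
    fi
}

report
```

Run it as root so that every process's maps file is readable, and compare the printed versions with the versions of the two downloaded files.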

exacqVision and Heartbleed

In April 2014 a Security Advisory was issued by the OpenSSL project notifying the public of a serious vulnerability in the encryption software used by a large number of companies. (For detailed information, visit http://heartbleed.com/.) Exacq Technologies took immediate action to assess how this affects its products.


exacqVision uses OpenSSL for a few functions, but the version affected is used only in a small number of exacqVision products:


exacqVision Server and Client 6.0 for Windows

OpenSSL 1.0.1e is used in exacqVision 6.0, released in March 2014. However, the use of this product is not subject to the Heartbleed vulnerability. You can optionally upgrade to the latest version that includes updated OpenSSL at https://exacq.com/support/downloads.php.


exacqVision S-Series


exacqVision S-Series systems use Ubuntu 12.04, which includes the affected version of OpenSSL. However, only specific non-default configurations expose the system to the Heartbleed vulnerability. See https://exacq.com/kb/?crc=61212 for details.
