Support procedure for reporting newly discovered cyber security vulnerabilities in Exacq Software 

This document outlines the procedures expected from Exacq Support staff in the event of discovering a previously unreported security vulnerability in an exacqVision product. Product: Any exacqVision product. Procedure: Our Global Product Security team will then be responsible for following up with this customer and resolving the vulnerability.

Removing MegaRAID Storage Manager (MSM)

Description: MegaRAID Storage Manager (MSM) has been found to have some exposure to CVE-2021-44228, the Apache Log4j remote code execution vulnerability; see the statement from Broadcom, Log4j2 Exposure (CVE-2021-44228). It is possible that MSM was installed on your exacqVision NVR even though a RAID controller card is not present. If that is the case MSM can…

Does exacqVision Require Microsoft Silverlight?

Summary: Microsoft Silverlight was installed on exacqVision Servers as part of Kantech Entrapass Web and has been flagged by vulnerability scans. Description: Microsoft Silverlight reached the end of support on October 12, 2021. Product Solution

Updating Apache and Apache Solr on exacqVision Enterprise Manager – Windows

To mitigate currently known vulnerabilities, the following updates are recommended: Apache to 2.4.51, Apache Solr to 7.5.0, and exacqVision Enterprise Manager (EM) to 21.12.1 or higher. Note: Updates for both Apache and Apache Solr are available as part of the EM install package for version 21.09 and higher. However, updating to EM versions 21.12 or…

An Unauthenticated Remote User Could be Given Access to Credentials Stored in the Server

Overview: Johnson Controls has confirmed a vulnerability impacting the exacqVision Web Service. The exacqVision Web Service is also included in the exacqVision Server Bundle along with the exacqVision Client and exacqVision Server. The exacqVision Web Service allows users to retrieve video and other data from exacqVision servers using a browser and mobile application. When passthrough…

An Unauthenticated Remote User Could Exploit a Potential Integer Overflow Condition in the Server and Cause DoS

Overview: Johnson Controls has confirmed a vulnerability impacting Exacq Technologies exacqVision. The exacqVision Server is also included in the exacqVision Server Bundle along with the exacqVision Client and exacqVision Web Service. Under certain circumstances an integer overflow condition could exist in the exacqVision Server. Impact: An unauthenticated remote user could exploit a potential integer overflow…

PostgreSQL 9.6 End of Life

PostgreSQL 9.6 is currently bundled with exacqVision Enterprise Manager. This version will reach end of life in November 2021. The PostgreSQL Global Development Group will release the final update for 9.6 on November 11, 2021. See their versioning page for details at https://www.postgresql.org/support/versioning/ AWS has announced PostgreSQL 9.6 on will reach end of life on…

Product Security Advisory – CVE-2021-3156

Overview: Ubuntu recently announced security vulnerabilities that impact the exacqVision Network Video Recorder versions which use the Ubuntu Linux operating system. These affect a built-in Linux application called “Sudo”, which controls the provisioning of super user (administrator) access to the operating system and which, under certain circumstances, could be leveraged by an attacker to achieve unauthorized privilege…