ctrlX CORE - IDE App affected by OpenSSL and Python Vulnerabilities

Published

2021-04-30 00:00:00 UTC

Summary

BOSCH-SA-017743: Multiple vulnerabilities affecting OpenSSL versions prior to 1.1.1k and Python versions up to and including 3.9.1 have been reported. Affected versions of both components are included in the ctrlX CORE - IDE App. To exploit these vulnerabilities, an attacker requires access to the network or to the system. Two vulnerabilities (CVE-2021-3177 and CVE-2021-27619) are notably critical, as they can be exploited easily. Exploitation can lead to remote code execution (CVE-2021-3177, CVE-2021-27619), unexpected communication behavior (CVE-2021-23336, CVE-2020-26116), and crashes or denial of service (CVE-2021-3449, CVE-2021-23841, CVE-2021-23840, CVE-2021-27619). The affected functions are not called directly by the ctrlX CORE - IDE App, so the exploitation risk is low. Nonetheless, vulnerable versions of these components are shipped with the app, and it cannot be completely ruled out that the affected functions are reached indirectly. Bosch Rexroth therefore recommends updating the affected product to its latest version. These vulnerabilities do not affect the ctrlX CORE Runtime.
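The affected ranges stated above, turned into a version check that can be run against a host or container to see whether its bundled OpenSSL and Python fall inside them. This is an added example, not a Bosch Rexroth tool or part of the advisory. The sample version strings are constructed, and the range boundaries (OpenSSL fixed at 1.1.1k, Python fixed at the first release after 3.9.1, taken here as 3.9.2) are read from the advisory wording rather than from the individual CVE records; distribution backports that patch an older version number are not recognised, so a "affected" result means "version inside the advisory's range", not "exploitable".

```python
"""Compare OpenSSL and Python version strings against the ranges named in
BOSCH-SA-017743 (OpenSSL before 1.1.1k, Python up to and including 3.9.1).

Added illustration, not vendor tooling. Sample strings are constructed.
"""
import re
import ssl
import sys

# Assumed range boundaries, derived from the advisory text: the first
# non-affected OpenSSL is 1.1.1k and the first non-affected Python is 3.9.2.
OPENSSL_FIXED = (1, 1, 1, 11)   # 1.1.1k: letter 'k' is patch level 11
PYTHON_FIXED = (3, 9, 2)

_OPENSSL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")
_PYTHON_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_openssl_version(text: str) -> tuple:
    """Turn 'OpenSSL 1.1.1j  16 Feb 2021' or '1.1.1k' into a comparable tuple.

    OpenSSL 1.x encodes the patch level as a letter suffix ('1.1.1k' is newer
    than '1.1.1j'); two-letter suffixes such as 'za' sort after 'z'. OpenSSL
    3.x has no letter, so the suffix compares as 0 there. Strings that do not
    name OpenSSL (e.g. LibreSSL) are rejected rather than misread.
    """
    stripped = re.sub(r"^\s*OpenSSL\s+", "", text).strip()
    m = _OPENSSL_RE.search(stripped)
    if not m or "SSL" in stripped:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    patch = 0
    for ch in m.group(4):                    # 'a'=1 ... 'z'=26, 'za'=677
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, patch)


def openssl_affected(text: str) -> bool:
    """True when the version is older than the 1.1.1k boundary in the advisory."""
    return parse_openssl_version(text) < OPENSSL_FIXED


def parse_python_version(text: str) -> tuple:
    """Turn '3.9.1' or 'Python 3.8' into a (major, minor, micro) tuple."""
    m = _PYTHON_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Python version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def python_affected(text: str) -> bool:
    """True when the version is inside the advisory's 'up to 3.9.1' range."""
    return parse_python_version(text) < PYTHON_FIXED


def check_local() -> dict:
    """Report on the interpreter running this script and the OpenSSL it links.

    Only version numbers are compared; this does not prove that a vulnerable
    code path is reachable, which is the advisory's own caveat.
    """
    py = ".".join(str(p) for p in sys.version_info[:3])
    report = {"python": py, "python_affected": python_affected(py),
              "openssl": ssl.OPENSSL_VERSION, "openssl_affected": None}
    try:
        report["openssl_affected"] = openssl_affected(ssl.OPENSSL_VERSION)
    except ValueError:
        pass                                 # not an OpenSSL build (e.g. LibreSSL)
    return report


# Constructed sample strings, as they appear in `openssl version` / `python -V`.
SAMPLE_VERSIONS = [
    ("openssl", "OpenSSL 1.1.1j  16 Feb 2021"),
    ("openssl", "OpenSSL 1.1.1k  25 Mar 2021"),
    ("openssl", "OpenSSL 3.0.0 7 sep 2021"),
    ("python", "Python 3.9.1"),
    ("python", "Python 3.9.2"),
]

if __name__ == "__main__":
    for kind, version in SAMPLE_VERSIONS:
        hit = openssl_affected(version) if kind == "openssl" else python_affected(version)
        print(f"{version:32} affected={hit}")
    print("local:", check_local())
```

Run it inside the container or image under review; the `check_local()` result reflects the interpreter that executed it, so run it with the Python that the app actually ships rather than a system interpreter.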