|Article No°||Product Name||Affected Version(s)|
|ABB Project Builder||<= 126.96.36.1992|
|ADM Project Builder Emerson in Emerson Integration Package||<= 188.8.131.523|
|All contained DTMs in Diagnostic Manager||184.108.40.2067 <= 220.127.116.1178|
|All contained DTMs in DTM Collection HART-Multiplexer||<= 18.104.22.168|
|All contained DTMs in DTM Collection Level Control Technology used with Level Radar LCR20, LTC50, LTC51, LRC57||<= 1.0.31|
|All contained DTMs in DTM Collection WirelessHART||<= 22.214.171.124|
|All contained DTMs in DTM Library HART used with 6500 Series||<= 126.96.36.199|
|All contained DTMs in FieldConnex Diagnostic Gateway FF DTM||<= 188.8.131.5278|
|All contained DTMs in HART DTM Library Enhanced used with PS3500-DM||<= 184.108.40.206|
|All contained DTMs in TMI-FF DTM||<= 220.127.116.11|
|AMS Alert Adapter in Emerson Integration Package||<= 18.104.22.1683|
|FDH-1 Manager||<= 22.214.171.1242|
|P+F DTMLibrary Modbus in DTM used with S1SD-1TI-1U||= V2.3.68|
|VisuNet Control Center||<= 4.7.1|
|VisuNet Factory Reset||= 5.x|
|VisuNet Factory Reset||<= 6.1.0|
|VisuNet GXP PC Service Tool||<= 1.1.0|
|VisuNet RM Shell||<= 5.5.0|
Critical vulnerabilities have been discovered in the utilized component log4net by Apache Software Foundation.
UPDATE A: Remediation: added fixed VisuNet Products
Apache log4net versions before 2.0.10 do not disable XML external entities when parsing log4net configuration files. This allows for XXE-based attacks in applications that accept attacker-controlled log4net configuration files.
Pepperl+Fuchs analyzed and identified affected devices.
In table “Affected products” packages are listed next to some products, this means that the products are only affected if the corresponding software is installed since the package implements the vulnerability.
To exploit the vulnerability, the access rights of an authorized user or admin are required.
The impact of the vulnerability on the affected products may result in
The CVSS environmental score is specific to the customer's environment and should therefore be individually assessed by the customer to accomplish final scoring.
The original CVE refers to a network access scenario. With our products, it is a local access scenario. For this reason, the risk of exploiting this vulnerability is reduced.
External countermeasures are needed for the remaining products.
The following protective measure is required for VisuNet devices and the PCs/Servers with an installed DTM:
The following affected DTM products can be updated to the listed version:
|FieldConnex DTM Collection||126.96.36.1999|
|FieldConnex Diagnostic Gateway FF DTM||188.8.131.5227|
|ABB Project Builder||184.108.40.2064|
|Honeywell Integration Package||220.127.116.11|
|Emerson Integration Package
[ADM Project Builder Emerson]
|Emerson Integration Package [AMS Alert Adapter]||18.104.22.168|
|DTM Collection HART-Multiplexer||22.214.171.124|
The following affected VisuNet products can be updated to the listed version:
|VisuNet RM Shell 5 (2016 LTSB)||126.96.36.1990|
|VisuNet RM Shell 5 (2019 LTSC)||188.8.131.523|
|VisuNet Factory Reset||184.108.40.2062|
|VisuNet Control Center||220.127.116.116|
|VisuNet GXP PC Service Tool||1.1.1|
END UPDATE A
CodeWrights GmbH reported this vulnerability to PEPPERL+FUCHS.
CERT@VDE coordinated with PEPPERL+FUCHS.