From Tridium's engineering team. View their article here. Download the patches here.
Please Update Your Niagara Software: Hx Profile Vulnerability
Security Bulletin #: SB 2022-Tridium-1
CVSSv3: 5.5 (Medium | AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
The following patches resolve a security issue affecting users who access a Niagara station through the browser with any Hx Profile (HTML5 Hx Profile, Default Hx Profile, etc.). The issue could allow remote execution of a script in the client’s browser. It applies to all supported versions of Niagara (Niagara 4.10 and Niagara 4.11) and may also affect unsupported versions. Tridium strongly recommends that you apply the most recent patch for your version of Niagara.
Tridium has developed a fix for the vulnerability, delivered as a separately patched web-rt.jar module. The patched web-rt.jar module for your release needs to be added to installations running the currently supported Niagara releases (Niagara 4.10u1 and Niagara 4.11). Future releases of the supported versions will include the fix and will not require this patch to be applied separately.
- Installations of Niagara 4.10u1 and Niagara Enterprise Security 4.10u1 should install the web-rt.jar version 220.127.116.11.1 (or later)
- Installations of Niagara 4.11 and Niagara Enterprise Security 4.11 should install the web-rt.jar version 18.104.22.168.1 (or later)
- Installations of earlier/unsupported Niagara versions should be upgraded to one of the supported versions above and the relevant patch module applied.
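The three cases above (supported release with the patched module, supported release without it, unsupported release that must be upgraded first) are easy to get wrong across a fleet when module versions are compared as strings. The script below is an added example, not code from Tridium or Cochrane Tech Services: it takes a constructed station inventory, compares each station's installed web-rt.jar version against a per-release minimum using numeric dotted-version comparison, and reports the action each station needs. The minimum versions in MIN_WEB_RT are constructed placeholders; substitute the values from the bulletin for your release.

```python
"""Fleet check: which Niagara stations still need the patched web-rt.jar?

Added example, not Tridium's or Cochrane Tech Services' code. Assumptions:
- MIN_WEB_RT holds CONSTRUCTED placeholder versions; replace them with the
  web-rt.jar versions stated in the bulletin for your Niagara release.
- An inventory row is (host, Niagara release, installed web-rt.jar version),
  gathered by whatever asset-tracking process you already use.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed placeholder minimums keyed by supported release.
MIN_WEB_RT: Dict[str, str] = {"4.10u1": "4.10.1.1", "4.11": "4.11.0.1"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.11.0.1' -> (4, 11, 0, 1). Raises ValueError for non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def version_at_least(installed: str, minimum: str) -> bool:
    """Numeric comparison of dotted versions, padding the shorter one with
    zeros so that '4.11' == '4.11.0' and '4.11.1' > '4.11.0.1'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


@dataclass
class Station:
    host: str
    release: str
    web_rt_version: Optional[str]  # None when the module version is unknown


def required_action(station: Station, minimums: Dict[str, str] = MIN_WEB_RT) -> str:
    """Map one station to the bulletin's three cases."""
    if station.release not in minimums:
        return "upgrade to a supported release, then apply its web-rt.jar patch"
    minimum = minimums[station.release]
    if station.web_rt_version is None:
        return f"install web-rt.jar {minimum} or later (installed version unknown)"
    if version_at_least(station.web_rt_version, minimum):
        return "patched"
    return f"install web-rt.jar {minimum} or later (has {station.web_rt_version})"


def fleet_report(stations: List[Station], minimums: Dict[str, str] = MIN_WEB_RT) -> Dict[str, str]:
    """host -> required action, for every station in the inventory."""
    return {s.host: required_action(s, minimums) for s in stations}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_FLEET: List[Station] = [
    Station("jace-lobby", "4.11", "4.11.0.1"),       # exactly the minimum
    Station("jace-plant", "4.11", "4.11.1"),         # later release, still patched
    Station("jace-roof", "4.11", "4.11"),            # older than the minimum
    Station("sup-hq", "4.10u1", None),               # version not recorded
    Station("jace-annex", "4.9", "4.9.0.0"),         # unsupported release
]

if __name__ == "__main__":
    for host, action in fleet_report(SAMPLE_FLEET).items():
        print(f"{host:12} {action}")
```

Stations whose module version cannot be read are reported as needing the patch rather than silently passing, since an unknown version is not evidence that the fix is present.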
These updates are available on the Cochrane Tech Services website. You can download them here.
It is important that all Niagara customers for all supported platforms update their systems with these releases to mitigate risk.
In addition to updating your system, Tridium recommends that customers with affected products take the following steps to protect themselves:
- Review and validate the list of users who are authorized and who can authenticate to Niagara.
- Allow only trained and trusted persons to have physical access to the system, including devices that connect to the system through the Ethernet port.
- Consider using a VPN or other means to ensure secure remote connections into the network where the system is located, if remote connections are enabled.
- Sign all modules and program objects provided by third-party teams.
- Review the Niagara Hardening Guide and implement the recommended techniques for securing your installation.
Cybersecurity is a priority at Tridium. We are dedicated to continuously improving the security of our products, and we will continue to update you as we release new security features, enhancements, and updates.
- CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- YOUR USE OF THE INFORMATION IN THIS DOCUMENT OR MATERIALS LINKED FROM THIS DOCUMENT IS AT YOUR OWN RISK.
- TRIDIUM RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME AND WITHOUT NOTICE.
- TRIDIUM PROVIDES THE CVSS SCORES 'AS IS' WITHOUT WARRANTY OF ANY KIND. TRIDIUM DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PURPOSE AND MAKES NO EXPRESS WARRANTIES EXCEPT AS MAY BE STATED IN A WRITTEN AGREEMENT WITH AND FOR ITS CUSTOMERS.
- IN NO EVENT WILL TRIDIUM BE LIABLE TO ANYONE FOR ANY DIRECT, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES.
You can download the patches on the Cochrane Tech Services website here.