Severity:
High
Advisory ID:
PN1628
Published Date:
June 13, 2023
Last Updated:
June 13, 2023
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2021-35940,
CVE-2017-12613
Summary
Apache Portable Runtime Vulnerability in FactoryTalk® Edge Gateway
Revision History
Version 1.0 - June 13, 2023
Affected Products
Affected Product | First Known in Software Version | Corrected in Software Version |
FactoryTalk® Edge Gateway | v1.03.00 | v1.04.00 |
Vulnerability Details
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.
CVE-2021-35940 IMPACT
An out-of-bounds array read vulnerability was fixed in the apr_time_exp*() functions in Apache Portable Runtime v1.6.3 (CVE-2017-12613). The fix was not carried forward to the APR 1.7.x branch, so version 1.7.0 regressed relative to 1.6.3 and is vulnerable to the same issue.
CVSS Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-125 Out-of-bounds Read
Known Exploited Vulnerability (KEV) database:
No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
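The out-of-bounds read class described above, shown as an added example that is not APR or Rockwell Automation code. The CVE-2017-12613 record attributes the read to an invalid month field, so this simplified date conversion uses the month as an index into a 12-entry table, with and without a range check. The names `epoch_days_unchecked`, `epoch_days_checked` and `BAD_DATE` are hypothetical, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define BAD_DATE (-1)  /* hypothetical error value, not an APR status code */

/* Cumulative days before each month in a non-leap year (12 entries). */
static const int days_before_month[12] =
    {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};

static int is_leap(int y)
{
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

/* Days from 1970-01-01 to January 1 of year y, for y >= 1970. */
static int64_t days_to_year(int y)
{
    int64_t p = y - 1;  /* leap days are counted through the previous year */
    return 365 * (int64_t)(y - 1970) + (p / 4 - p / 100 + p / 400) - 477;
}

/* Unchecked pattern: mon is used directly as an array index, so a value
 * outside 0..11 reads memory next to days_before_month (CWE-125). */
int64_t epoch_days_unchecked(int year, int mon, int mday)
{
    int64_t d = days_to_year(year) + days_before_month[mon] + mday - 1;
    if (mon > 1 && is_leap(year))
        d++;
    return d;
}

/* Hardened pattern: validate the caller-supplied fields before indexing. */
int64_t epoch_days_checked(int year, int mon, int mday)
{
    if (year < 1970 || mon < 0 || mon > 11 || mday < 1 || mday > 31)
        return BAD_DATE;
    return epoch_days_unchecked(year, mon, mday);
}

int main(void)
{
    /* Constructed inputs: one valid date and two invalid month values. */
    printf("%lld\n", (long long)epoch_days_checked(2023, 5, 13));
    printf("%lld\n", (long long)epoch_days_checked(2023, 12, 13));
    printf("%lld\n", (long long)epoch_days_checked(2023, -1, 13));
    return 0;
}
```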
Risk Mitigation & User Action
Customers using the affected software are encouraged to apply the risk mitigation below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
- Update to v1.04.00, which mitigates the issue.
- QA43240 - Recommended Security Guidelines from Rockwell Automation