ICSA-19-036-01 · Published 2019-02-05
AVEVA InduSoft Web Studio and InTouch Edge HMI
CVSS 9.8 (CRITICAL)
Risk Summary
Successful exploitation of these vulnerabilities could allow a remote attacker to execute an arbitrary process using a specially crafted database connection configuration file.
CVEs (2)
Remediations
- AVEVA recommends affected users upgrade to the latest version of affected products. The following security updates address the vulnerabilities outlined in this advisory. Software updates can be downloaded from the Global Customer Support “Software Download” area or from the links below:
  - The latest version of InduSoft Web Studio can be found at: http://download.indusoft.com/81.3.0/IWS81.3.0.zip
  - The latest version of InTouch Edge HMI can be found at (login required): https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=52354
- For information on how to reach AVEVA support for a specific product, please refer to these links: AVEVA Software Global Customer Support and InduSoft Support.
- For the latest security information and security updates, please visit AVEVA's Security Central (login required) and InduSoft Security Updates.
- AVEVA has published Security Bulletin LFSEC00000133 on their website at the following location: https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec133.pdf
Affected Vendors
AVEVA Software, LLC
Affected Products (2)
- AVEVA Software, LLC · InTouch Edge HMI (formerly InTouch Machine Edition): < 2017
- AVEVA Software, LLC · InduSoft Web Studio: < 8.1 SP3
Affected Sectors
Chemical, Commercial Facilities, Critical Manufacturing, Energy, Food and Agriculture, Transportation Systems, and Water and Wastewater