ICSA-20-324-01  ·  Published 2020-11-17  ·  View on CISA ICS-CERT ↗

Johnson Controls Sensormatic Electronics American Dynamics victor Web Client

CVSS 7.1 HIGH

Risk Summary

Successful exploitation of this vulnerability could allow an unauthenticated attacker on the network to create and sign their own JSON Web Token (JWT) and use it to execute an HTTP API method without valid authentication or authorization. Under certain circumstances, an attacker could use this to impact system availability by conducting a denial-of-service attack.
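The advisory does not say why the web client accepts tokens the attacker minted. The Python example below is added here and is not code from Johnson Controls or from the advisory; it illustrates the most common way a "create and sign their own JWT" condition arises in any JWT consumer: a verifier that lets the token's own header choose the algorithm, so a header of `alg: none` switches the signature check off. Beside it is a verifier that pins the algorithm server-side and checks signature, issuer and expiry before trusting a single claim. The key, issuer string and claims are constructed for the example and are not the product's values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only (assumption: the real product's key
# material is unknown and is not published in the advisory).
SERVER_KEY = b"example-hmac-key-not-from-the-advisory"
EXPECTED_ISSUER = "example-web-client"  # constructed issuer name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: Optional[bytes], alg: str = "HS256") -> str:
    """Build a compact JWT. alg='none' yields an empty signature part, which is
    exactly what an attacker who controls the header sends to a weak verifier."""
    header = {"alg": alg, "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(claims))
    if alg == "none":
        return signing_input + "."
    if alg != "HS256" or key is None:
        raise ValueError("example supports HS256 and none only")
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """Weak verifier: the token's header decides how it is verified.
    'none' skips the signature entirely, so anyone on the network can mint
    an accepted token; this is the failure class the advisory describes."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if header.get("alg") == "none":
        return claims
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return claims
    return None


def verify_pinned(token: str, key: bytes, issuer: str,
                  now: Optional[int] = None) -> Optional[dict]:
    """Hardened verifier: the server pins the algorithm, checks the signature
    in constant time before parsing claims, then enforces iss, exp and nbf."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:
        return None
    if header.get("alg") != "HS256" or header.get("typ") != "JWT":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return None
    if claims.get("iss") != issuer:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    if "nbf" in claims and now < claims["nbf"]:
        return None
    return claims


if __name__ == "__main__":
    now = int(time.time())
    forged = mint_token({"sub": "attacker", "role": "admin",
                         "iss": EXPECTED_ISSUER, "exp": now + 600}, None, alg="none")
    print("weak verifier accepts forged token:", verify_trusting_header(forged, SERVER_KEY) is not None)
    print("pinned verifier accepts forged token:", verify_pinned(forged, SERVER_KEY, EXPECTED_ISSUER) is not None)
```

The pinned verifier rejects the forged token for two independent reasons (wrong algorithm, empty signature), and it also rejects a token signed with a key the attacker chose, because the HMAC is computed with the server's key only. Pinning the algorithm in server configuration rather than reading it from the token is the single change that removes the forgery path; the issuer and expiry checks limit what a stolen or replayed legitimate token can do.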

CVEs (1)

Remediations

  • Johnson Controls advises users to maintain product installations at the latest release and provides several options for remediation of this issue. See below for details.
  • victor Web Client: upgrade to v5.6 SP1 (victor Unified Client v5.6 SP1)
  • C•CURE Web Client: upgrade to a minimum of v2.70 and install the relevant update below.
  • C•CURE Web v2.70: install the update Web Client_c2.70_5.2_Update02
  • C•CURE Web v2.80: install the update Web Client_c2.80_v5.4.1_Update04
  • C•CURE Web v2.90: install the update CCureWeb_2.90_Update01
  • For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2020-10.

Affected Vendors

Sensormatic Electronics, LLC, Johnson Controls Inc.

Affected Products (1)

Sensormatic Electronics, LLC, Johnson Controls Inc. · American Dynamics victor Web Client (releases before v5.6 SP1), Software House C•CURE Web Client (v2.70, v2.80 and v2.90 without the updates listed under Remediations)

Affected Sectors

Critical Manufacturing
