ICSA-21-159-01  ·  Published 2021-06-08  ·  View on CISA ICS-CERT ↗

Johnson Controls Metasys

CVSS 8.8 HIGH

Risk Summary

Successful exploitation of this vulnerability could give an authenticated Metasys user an unintended level of access to the server file system, allowing them to read or modify system files by sending specially crafted web messages to the Metasys system. Note that the attacker needs valid Metasys credentials; the account-hygiene steps under Remediations limit who can reach that position.

CVEs (1)

Remediations

  • Johnson Controls recommends that users of versions earlier than 9.0 upgrade to a supported release. Users of Version 9.0 (engine), 10.0, 10.1, or 11.0 are recommended to install the patch.
  • Use the Dormant User feature to review all active and dormant user accounts and determine whether each is still required.
  • Delete any user account whose owner has left the company or has been reassigned to a position that no longer needs Metasys access.
  • Monitor user activity through the audit logs and, on sites with a Metasys Server at Release 10.1 or later, the Cyber Health Dashboard.
  • Enforce a password change across the Metasys site on a regular basis.
  • Please see Johnson Controls product security advisory number JCI-PSA-2021-05 for additional information.
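The first remediation bullet splits the installed base into three groups: releases before 9.0 (upgrade), the listed releases 9.0, 10.0, 10.1 and 11.0 (patch), and anything else (confirm against JCI-PSA-2021-05). The script below is an added example, not Johnson Controls or CISA code; it triages a constructed inventory of hostnames and version strings against that mapping. The hostnames, the version strings, and the assumption that a release can be identified from the first "major.minor" pair in the string are all assumptions made for the example.

```python
"""Triage a Metasys inventory against the ICSA-21-159-01 remediation bullets.

Added example, not vendor or CISA code. The inventory rows are constructed;
the version-to-action mapping follows the advisory text.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Releases the advisory names as receiving the vendor patch. The advisory
# qualifies 9.0 as "(engine)"; this example does not distinguish engine
# from server installs, so treat a 9.0 match as "check which component".
PATCH_RELEASES = {(9, 0), (10, 0), (10, 1), (11, 0)}
OLDEST_SUPPORTED = (9, 0)

class Finding(NamedTuple):
    host: str
    version: str
    action: str

def parse_release(version: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from strings like '10.1', '9.0.7' or 'MVE 11.0.1'.

    Returns None when no 'major.minor' pair is present (assumption: that is
    how the site's inventory records releases).
    """
    m = re.search(r"(\d+)\.(\d+)", version)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def triage(host: str, version: str) -> Finding:
    """Map one inventory row to the advisory's recommended action."""
    rel = parse_release(version)
    if rel is None:
        return Finding(host, version, "unknown version: verify manually")
    if rel < OLDEST_SUPPORTED:
        return Finding(host, version, "unsupported release: upgrade to a supported release")
    if rel in PATCH_RELEASES:
        return Finding(host, version, "install vendor patch (see JCI-PSA-2021-05)")
    return Finding(host, version, "release not listed in advisory: check JCI-PSA-2021-05")

def triage_inventory(rows: List[Tuple[str, str]]) -> List[Finding]:
    return [triage(host, version) for host, version in rows]

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("ade-bldg1", "8.1"),
    ("ade-bldg2", "10.1"),
    ("ade-bldg3", "9.0.7"),
    ("ade-bldg4", "11.0"),
    ("ade-bldg5", "12.0"),
    ("ade-bldg6", "n/a"),
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.version:8} -> {f.action}")
```

Rows that parse to a release outside the advisory's list are deliberately not marked safe; the advisory covers "all" Metasys versions, so an unlisted release is a question for the vendor PSA rather than a pass.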

Affected Vendors

Johnson Controls Inc

Affected Products (1)

Johnson Controls Inc · Metasys vers:all/*

Affected Sectors

Critical Manufacturing
