Risk Summary
Successful exploitation of this vulnerability could allow a remote authenticated attacker to access sensitive information or deliver false information.
CVEs (1)
Remediations
- OSIsoft recommends upgrading to PI Web API 2021. Additional information can be found in the OSIsoft PI Web API security bulletin (registration required).
- Remove the OSIsoft.REST.Documentation.dll from the PI Web API installation directory.
- The PI Web API installation directory is recorded in this registry entry: HKLM\SOFTWARE\PISystem\WebAPI\InstallationDirectory
- The default PI Web API installation directory is: C:\Program Files\PIPC\WebAPI
- Removing this file will cause built-in documentation to no longer be available. Navigating to the PI Web API endpoint with a browser will result in an error; however, the PI Web API will continue to function as a REST API.
- Documentation can be found at the OSIsoft website. Alternatively, users are encouraged to limit access to PI Web API built-in documentation to dedicated development environments.
- Avoid adding the authentication type "Anonymous" in PI Web API configuration settings, so that exposure is limited to authenticated users only.
- Consider using a web application firewall to block HTML responses from PI Web API servers.
- Audit the AF hierarchy to ensure there are no unauthorized databases, elements, or attributes.
- For Kerberos authentication configurations, use Group Policy to deny network authentication to PI Server Administrator accounts on the PI Web API server.
- See the OSIsoft customer portal knowledge article for additional details and associated security updates (registration required).
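The following PowerShell script is an added example, not part of the advisory or OSIsoft's own tooling; it verifies on a PI Web API host whether the built-in documentation DLL named above is still present. It assumes only the registry value and default installation path given in the remediations, and removes the file only when explicitly asked (removal honours -WhatIf and -Confirm).

```powershell
# Added example: audit (and optionally apply) the "remove OSIsoft.REST.Documentation.dll" mitigation.
# Assumes the registry location and default path exactly as stated in the advisory.
$RegistryKey = 'HKLM:\SOFTWARE\PISystem\WebAPI'
$DefaultDir  = 'C:\Program Files\PIPC\WebAPI'
$DocDllName  = 'OSIsoft.REST.Documentation.dll'

function Get-PIWebApiDocDllStatus {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Remove   # when set, delete the DLL if it is found (prompts/WhatIf apply)
    )

    # Resolve the installation directory from the registry; fall back to the documented default.
    $installDir = $DefaultDir
    try {
        $prop = Get-ItemProperty -Path $RegistryKey -Name 'InstallationDirectory' -ErrorAction Stop
        if ($prop.InstallationDirectory) { $installDir = $prop.InstallationDirectory }
    } catch {
        Write-Verbose "Registry value not found; assuming default directory $DefaultDir"
    }

    $dllPath = Join-Path -Path $installDir -ChildPath $DocDllName
    $present = Test-Path -LiteralPath $dllPath -PathType Leaf

    if ($present -and $Remove -and $PSCmdlet.ShouldProcess($dllPath, 'Remove built-in documentation DLL')) {
        Remove-Item -LiteralPath $dllPath -Force
        $present = Test-Path -LiteralPath $dllPath -PathType Leaf
    }

    [pscustomobject]@{
        InstallationDirectory = $installDir
        DocumentationDll      = $dllPath
        DllPresent            = $present
        Mitigated             = -not $present
    }
}

# Report the current state; add -Remove (and -WhatIf to preview) to apply the mitigation.
$status = Get-PIWebApiDocDllStatus -Verbose
$status | Format-List
if ($status.DllPresent) {
    Write-Warning "Built-in documentation DLL still present at $($status.DocumentationDll); upgrade to PI Web API 2021 or remove the file per the advisory."
}
```

Run it in an elevated PowerShell session on the PI Web API server; the mitigation is confirmed when the output shows Mitigated = True, and the upgrade to PI Web API 2021 remains the recommended fix.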
Affected Vendors
OSIsoft LLC
Affected Products (1)
OSIsoft LLC
PI Web API
<= 2019 SPI
Affected Sectors
Multiple Sectors