ICSA-22-286-05  ·  Published 2022-10-13  ·  View on CISA ICS-CERT ↗

Hitachi Energy Lumada Asset Performance Management Prognostic Model Executor Service

CVSS 7.5 HIGH CISA KEV — Known Exploited

Risk Summary

Successful exploitation of these vulnerabilities could crash the Prognostic Model Executor and could allow remote code execution.

Remediations

  • Hitachi Energy recommends applying the most recent patch version of Lumada Asset Performance Management (APM) or upgrading to a newer, unaffected major version:
      • Lumada Asset Performance Manager (APM) versions 6.0.0.0 to 6.0.0.4: Apply patch version 6.0.0.5 or upgrade to 6.2.0.3
      • Lumada Asset Performance Manager (APM) versions 6.1.0.0 and 6.1.0.1: Apply patch version 6.1.0.2 or upgrade to 6.2.0.3
      • Lumada Asset Performance Manager (APM) versions 6.2.0.0 to 6.2.0.2: Apply patch version 6.2.0.4 or upgrade to 6.4.0.0
      • Lumada Asset Performance Manager (APM) versions 6.3.0.0 to 6.3.0.2: Apply patch version 6.3.0.3 or upgrade to 6.4.0.0
      • Note: For the Lumada Asset Performance Manager (APM) online service (SaaS), version 6.3.220323.0 and prior, Hitachi Energy has already updated all SaaS environments; no customer action is required.
  • For additional information, support, or help with upgrading, users should contact Hitachi Energy.
  • Hitachi Energy recommends disabling the Prognostic Model Executor service if users cannot upgrade to the latest patch version.
  • Disabling the Prognostic Model Executor service will cause the Lumada APM application to stop performing condition assessment calculations (for all assets configured to use prognostic models) and to accumulate calculation requests in the internal messaging queue. Requests in the queue have a limited lifetime (set by the messaging bus topic retention); when that lifetime expires, the request is lost.
  • When the Prognostic Model Executor service is restored (after applying the remediation steps above and following the installation guide), it will start processing the accumulated requests. If the accumulation period was long, this may result in a prolonged period of intensive calculation.
  • If any requests were lost, the affected assets may be missing historical or even current condition assessments. To ensure the current assessments are up to date, the customer should trigger recalculation of the condition of all assets that use the performance models.
  • Hitachi Energy also recommends following the least privilege principle by limiting and controlling access to the “Administrator” role or “Import” role privileges in the application programming interface (API). For more information, users should see Hitachi Energy advisory 8DBD000105.

Affected Vendors

Hitachi Energy

Affected Products (5)

Hitachi Energy · Lumada Asset Performance Manager (APM) <= 6.3.220323.0
Hitachi Energy · Lumada Asset Performance Manager (APM) >= 6.0.0.0 | <= 6.0.0.4
Hitachi Energy · Lumada Asset Performance Manager (APM) 6.1.0.0 | 6.1.0.1
Hitachi Energy · Lumada Asset Performance Manager (APM) >= 6.2.0.0 | <= 6.2.0.2
Hitachi Energy · Lumada Asset Performance Manager (APM) >= 6.3.0.0 | <= 6.3.0.2
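The affected-product ranges and the per-range remediations above are the data an asset owner actually needs to act on, and the usual mistake when checking them is comparing version strings lexicographically. The script below is an added example, not Hitachi Energy code and not part of the CISA advisory: it parses dotted versions numerically, matches them against the ranges listed on this page, and returns the vendor's stated action. The hostnames in the sample inventory are constructed, and the rule that a six-digit date-stamped third component identifies a SaaS build is an assumption inferred from the one SaaS version the advisory names, not something the advisory states.

```python
"""Check an inventory of Lumada APM version strings against the affected
ranges published in ICSA-22-286-05 and report the vendor's remediation.

Added example: not Hitachi Energy code, and not part of the advisory."""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Parse a dotted version into a tuple of ints so comparisons are numeric:
    a string comparison would rank '6.0.0.10' below '6.0.0.4' and misjudge it."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class AffectedRange:
    low: Version      # inclusive
    high: Version     # inclusive
    patch: str        # patch version named in the advisory
    upgrade: str      # unaffected version named in the advisory


# On-premises ranges and remediations as listed in the advisory.
ON_PREM_RANGES: List[AffectedRange] = [
    AffectedRange(parse_version("6.0.0.0"), parse_version("6.0.0.4"), "6.0.0.5", "6.2.0.3"),
    AffectedRange(parse_version("6.1.0.0"), parse_version("6.1.0.1"), "6.1.0.2", "6.2.0.3"),
    AffectedRange(parse_version("6.2.0.0"), parse_version("6.2.0.2"), "6.2.0.4", "6.4.0.0"),
    AffectedRange(parse_version("6.3.0.0"), parse_version("6.3.0.2"), "6.3.0.3", "6.4.0.0"),
]

# The SaaS line carries a date-stamped third component (6.3.220323.0 and prior).
SAAS_LAST_AFFECTED: Version = parse_version("6.3.220323.0")


def is_saas_build(v: Version) -> bool:
    # Assumption (not stated in the advisory): a six-digit YYMMDD third component
    # identifies a SaaS build; on-premises releases use small integers there.
    return len(v) == 4 and v[2] >= 100_000


def assess(version: str) -> dict:
    """Return the advisory status and recommended action for one version string."""
    v = parse_version(version)
    if is_saas_build(v):
        affected = v <= SAAS_LAST_AFFECTED
        action = ("no customer action: vendor states all SaaS environments are updated"
                  if affected else "not in advisory range")
        return {"version": version, "deployment": "saas", "affected": affected, "action": action}
    for r in ON_PREM_RANGES:
        if r.low <= v <= r.high:
            action = (f"apply patch {r.patch} or upgrade to {r.upgrade}; if neither is "
                      "possible, disable the Prognostic Model Executor service")
            return {"version": version, "deployment": "on-prem", "affected": True, "action": action}
    return {"version": version, "deployment": "on-prem", "affected": False,
            "action": "not in advisory range"}


def assess_inventory(csv_lines: List[str]) -> List[dict]:
    """Assess 'hostname,version' lines and return only the affected entries."""
    hits = []
    for line in csv_lines:
        host, _, ver = line.partition(",")
        result = assess(ver)
        if result["affected"]:
            hits.append({"host": host.strip(), **result})
    return hits


# Constructed sample inventory (hypothetical hostnames; versions chosen to hit edge cases).
SAMPLE_INVENTORY = [
    "apm-prod-01,6.0.0.4",          # last affected build of the 6.0 line
    "apm-prod-02,6.0.0.5",          # patched
    "apm-lab-01,6.0.0.10",          # numerically above the range (string compare would flag it)
    "apm-prod-03,6.2.0.3",          # upgrade target for 6.0/6.1, outside the 6.2 range
    "apm-saas-tenant,6.3.220323.0", # SaaS build, already updated by the vendor
]

if __name__ == "__main__":
    for hit in assess_inventory(SAMPLE_INVENTORY):
        print(f"{hit['host']}: {hit['version']} ({hit['deployment']}) -> {hit['action']}")
```

The ranges are inclusive on both ends, as the advisory phrases them ("6.0.0.0 to 6.0.0.4"), and a version just above a range (6.0.0.5, 6.2.0.3) is treated as remediated because those are the patch and upgrade targets the vendor names. Any version this script reports as affected still needs the operational follow-up from the Remediations section: if the service is disabled instead of patched, queued requests expire with the topic retention and a full recalculation of asset condition is required once it is restored.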

Affected Sectors

Energy
