ICSA-23-005-03 · Published 2023-01-05
Hitachi Energy Lumada Asset Performance Management
CVSS 7.5 (HIGH)
Risk Summary
Successful exploitation of these vulnerabilities could cause a denial-of-service condition or unauthorized remote arbitrary code execution.
CVEs (3)
Remediations
- For all listed vulnerabilities: update to Lumada APM Version 6.5.0.1 or later.
- Users should contact Hitachi Energy for instructions on acquiring and installing the new versions.
- Note: Hitachi Energy has already remediated these vulnerabilities for cloud-based deployments (software-as-a-service) of Lumada APM.
- Hitachi Energy encourages users to apply recommended security practices and firewall configurations.
- Protect process control systems from physical access by unauthorized personnel.
- Do not allow process control systems to have direct connections to the Internet.
- Separate process control systems from other networks via a firewall system with a minimal number of exposed ports.
- Have security updates applied to installed software components.
- Do not use process control systems for personal use such as web browsing or checking emails.
- Carefully scan portable computers and removable storage media for viruses before connection to a control system.
- For more information, see Hitachi Energy advisory 8DBD000134.
- For CVE-2022-37434 only: update to Lumada APM Version 6.4.0.1 or later.
Affected Vendors
Hitachi Energy
Affected Products (2)
- Hitachi Energy · Lumada APM: 6.5.0.0
- Hitachi Energy · Lumada APM: >= 6.1.0.0 | <= 6.4.0.0 (CVE-2022-37434 only)
Affected Sectors
Energy