ICSA-26-120-06  ·  Published 2026-04-30  ·  View on CISA ICS-CERT ↗

ABB Ability Symphony Plus Engineering

CVSS 8.8 HIGH

Risk Summary

ABB became aware of vulnerabilities in the product versions listed as affected in the advisory. The ABB S+ Engineering product versions are affected by vulnerabilities in PostgreSQL version 13.11 and earlier versions. An attacker who gains access to a site’s S+ Client Server network could exploit these vulnerabilities to execute arbitrary code, potentially compromising the entire system.

Remediations

  • ABB advises all customers to review their installations to determine whether they are using an impacted product as listed above; no further analysis or tools are needed to make this determination. The recommended immediate actions per product are listed below:
    - Systems using S+ Engineering 2.2 through 2.4 SP2 should upgrade to S+ Engineering 2.4 SP2 RU1 (released in December 2024) or later.
    - End users who are unable to install one of these updates should immediately look to implement the Mitigation and Workarounds listed below, as this will restrict or prevent an attacker’s ability to compromise the system.
    ABB recommends that customers apply the update at the earliest convenience.
  • Any exploit of these vulnerabilities would require that the attacker has access to the site’s S+ client/server network. ABB’s recommended security practices, including network architecture and perimeter firewall, are mitigating factors in preventing external access to the S+ client/server network. Refer to section “General security recommendations” for further advice on how to keep your system secure.
  • No workarounds are available. Assess the installation-specific risk based on this advisory. Use the recommendations described under “Mitigating factors” or “Recommended immediate actions”.

Affected Vendors

ABB

Affected Products (9)

ABB · S+ Engineering 2.2
ABB · S+ Engineering 2.3
ABB · S+ Engineering 2.3_RU1
ABB · S+ Engineering 2.3_RU2
ABB · S+ Engineering 2.3_RU3
ABB · S+ Engineering 2.4
ABB · S+ Engineering 2.4_SP1
ABB · S+ Engineering 2.4_SP2
ABB · S+ Engineering 2.4_SP2_RU1

Affected Sectors

Chemical, Critical Manufacturing, Energy, Water and Wastewater
