CVE-2022-21938: Product Security Advisories

Johnson Controls keeps your building management systems, IT infrastructures, and connected equipment secure with a firm commitment to technological innovation and continual product development.

This includes creating product security advisories as an essential part of our rapid response protocol for cybersecurity incidents. You can learn about problems we identified — as well as the actions we took to mitigate risk — right here.

2022 Product Security Advisories

Title/Security Advisory ID

Affected Product

Overview

Mitigation

Initial Publication Date

Last updated

Metasys
JCI-PSA-2022-10

Metasys

Vulnerabilities impacting Metasys ADS/ADX/OAS Servers

See link for general guidance

June 14, 2022

June 14, 2022

Spring4Shell
JCI-PSA-2022-14 v3

General

General Guidance

See link for general guidance

April 19, 2022

May 20, 2022

Metasys
JCI-PSA-2022-09

Metasys

Vulnerability impacting Metasys ADS/ADX/OAS Servers versions 10 and 11

See link for general guidance

May 5, 2022

May 5, 2022

Metasys ADS/ADX/OAS
JCI-PSA-2022-08

Metasys

Vulnerability impacting Metasys ADS/ADX/OAS Servers versions 10 and 11

See link for general guidance

April 28, 2022

April 28, 2022

Log4Shell
JCI-PSA-2021-23 v24

General

General guidance

See link for general guidance

December 14, 2021

April 21, 2022

Metasys System Configuration Tool (SCT) and System Configuration Tool Pro (SCT Pro)
JCI-PSA-2022-03

Metasys

Vulnerability impacting Metasys System Configuration Tool (SCT) and System Configuration Tool Pro (SCT Pro) all versions prior to 14.2.2

See link for general guidance

April 21, 2022

April 21, 2022

Metasys ADS/ADX/OAS Servers
JCI-PSA-2022-06

Metasys

Vulnerability impacting Metasys ADS/ADX/OAS Servers versions 10 and 11

See link for general guidance

April 14, 2022

April 14, 2022

Metasys ADS/ADX/OAS Servers
JCI-PSA-2022-02

Metasys

Vulnerability impacting Metasys ADS/ADX/OAS versions 10 and 11

See link for general guidance

March 17, 2022

March 17, 2022

DSC PowerManage
JCI-PSA-2022-01 v2

DSC

Vulnerability impacting DSC PowerManage versions 4.0 to 4.8

See link for general guidance

February 3, 2022

March 7, 2022

2021 Product Security Advisories

Title/Security Advisory ID

Affected Product

Overview

Mitigation

Initial Publication Date

Last updated

Log4Shell
JCI-PSA-2021-23 v9

General

General guidance

See link for general guidance

December 14, 2021

December 22, 2021

American Dynamics VideoEdge
JCI-PSA-2021-21

American Dynamics VideoEdge

Vulnerability impacting VideoEdge versions 5.4.1 to 5.7.1

See link for mitigation options

December 22, 2021

December 22, 2021

exacqVision Enterprise Manager
JCI-PSA-2021-24

exacqVision Enterprise Manager

Vulnerability impacting all versions of exacqVision Enterprise Manager up to and including version 21.12

See link for mitigation options

December 20, 2021

December 20, 2021

Kantech Entrapass
JCI-PSA-2021-22

Kantech Entrapass

Vulnerability impacting Entrapass all versions prior to 8.40

See link for mitigation options

December 2, 2021

December 2, 2021

CEM Systems AC2000
JCI-PSA-2021-20

CEM Systems AC2000

Vulnerability impacting AC2000 all versions prior to 10.6

See link for mitigation options

November 30, 2021

November 30, 2021

American Dynamics VideoEdge
JCI-PSA-2021-17

American Dynamics VideoEdge

Vulnerability impacting VideoEdge versions prior to 5.7.1

See link for mitigation options

November 2, 2021

November 2, 2021

American Dynamics victor Video Management System
JCI-PSA-2021-19

American Dynamics victor Video Management System

Vulnerability impacting victor Video Management System version 5.7 and prior

See link for mitigation options

October 28, 2021

October 28, 2021

exacqVision Server
JCI-PSA-2021-18

exacqVision Server

Vulnerability impacting exacqVision Server 32-bit version 21.06.11.0 or older

See link for mitigation options

October 7, 2021

October 7, 2021

exacqVision Web Service
JCI-PSA-2021-16

exacqVision Web Service

Vulnerability impacting exacqVision Web Service version 21.06.11.0 or older

See link for mitigation options

October 7, 2021

October 7, 2021

Kantech KT-1 Door Controller
JCI-PSA-2021-14

Kantech KT-1 Door Controller

Vulnerability impacting all version Kantech KT-1 Controller including 3.01

See link for mitigation options

September 10, 2021

September 10, 2021

Tyco Illustra
JCI-PSA-2021-13

Tyco Illustra

Vulnerability impacting specific versions Tyco Illustra

See link for mitigation options

August 31, 2021

August 31, 2021

CEM Systems AC2000
JCI-PSA-2021-15

CEM Systems AC2000

Vulnerability impacting specific versions CEM Systems AC2000

See link for mitigation options

August 26, 2021

August 26, 2021

Kantech
KT-1 Door Controller
JCI-PSA-2021-12

Kantech
KT-1 Door Controller

Vulnerability impacting all versions Kantech KT-1 Door Controller including 2.09.02 and earlier

See link for mitigation options

August 19, 2021

August 19, 2021

Software House C•CURE 9000
JCI-PSA-2021-10 v2

Software House C•CURE 9000

Vulnerability impacting all versions of Software House C•CURE 9000 prior to version 2.80

See link for mitigation options

July 01, 2021

August 12, 2021

Facility Explorer
JCI-PSA-2021-11

Facility Explorer

Vulnerability impacting Facility Explorer SNC Series Supervisory Controllers (F4-SNC)

See link for mitigation options

July 01, 2021

July 01, 2021

Software House C•CURE 9000
JCI-PSA-2021-10

Software House C•CURE 9000

Vulnerability impacting all versions of Software House C•CURE 9000 prior to version 2.80

See link for mitigation options

July 01, 2021

July 01, 2021

exacqVision Web Service
JCI-PSA-2021-09

exacqVision Web Service

Vulnerability impacting all versions of exacqVision Web Service including 21.03

See link for mitigation options

June 24, 2021

June 24, 2021

exacqVision Enterprise Manager
JCI-PSA-2021-08

exacqVision Enterprise Manager

Vulnerability impacting all versions of exacqVision Enterprise Manager including 20.12

See link for mitigation options

June 24, 2021

June 24, 2021

Metasys Servers, Engines, and SCT Tools Web Services
JCI-PSA-2021-05

Metasys Servers, Engines, and SCT Tools Web Services

Vulnerability impacting web services for Metasys Servers, Engines, and SCT Tools

See link for mitigation options.

June 04, 2021

June 04, 2021

American Dynamics VideoEdge
JCI-PSA-2021-07

American Dynamics
VideoEdge

Vulnerability impacting all versions of VideoEdge prior to 5.7.0

See link for mitigation options.

May 27, 2021

May 27, 2021

American Dynamics Tyco AI
JCI-PSA-2021-06

American Dynamics Tyco AI

Vulnerability impacting all versions of Tyco AI up to and including v1.2

See link for mitigation options.

May 13, 2021

May 13, 2021

exacqVision Network Video Recorder
JCI-PSA-2021-04

exacqVision Network Video Recorder

Vulnerability impacting specific versions of the exacqVision Network Video Recorder

See link for mitigation options.

April 29, 2021

April 29, 2021

exacqVision Web Service
JCI-PSA-2021-03

exacqVision Web Service

Vulnerability impacting all versions of exacqVision Web Service

See link for mitigation options.

March 18, 2021

March 18, 2021

Metasys Report Engine (MRE) Web Services
JCI-PSA-2021-02

Metasys Report Engine (MRE) Web Services

Vulnerability impacting specific versions of Metasys Report Engine (MRE) Web Services

See link for mitigation options.

February 18, 2021

February 18, 2021

Sur-Gard
JCI-PSA-2021-01

Sur-Gard System 5 receivers

Vulnerability impacting Sur-Gard System 5 receivers

See link for mitigation options.

January 26, 2021

January 26, 2021

AD victor Web Client and SWH C•CURE Web Client

JCI-PSA-2020-9 v2

American Dynamics victor Web Client and Software House C•CURE Web Client

Vulnerability impacting specific versions of American Dynamics victor Web Client and Software House C•CURE Web Client

See link for mitigation options.

October 08, 2020

January 05, 2021

2020 Product Security Advisories

Title/Security Advisory ID

Affected Product

Overview

Mitigation

Initial Publication Date

Last updated

AD victor Web Client and SWH C•CURE Web Client
JCI-PSA-2020-10 v2

American Dynamics victor Web Client and Software House C•CURE Web Client

Vulnerability impacting specific versions of American Dynamics victor Web Client and Software House C•CURE Web Client

See link for mitigation options.

November 19, 2020

November 24, 2020

victor Web Client
JCI-PSA-2020-09

victor Web Client

Vulnerability impacting versions of victor Web Client

Upgrade all versions of victor Web Client to v5.6.

October 8, 2020

October 8, 2020

Sur-Gard
JCI-PSA-2020-08

Sur-Gard System 5 receivers

Vulnerability impacting Sur-Gard System 5 receivers

See link for mitigation options.

August 20,2020

August 20, 2020

exacqVision
JCI-PSA-2020-07 v2

exacqVision Web Service and exacqVision Enterprise Manager

Vulnerability impacting exacqVision Web Service and exacqVision Enterprise Manager

All users should upgrade exacqVision Web Service to version 20.06.4 or higher and exacqVision Enterprise Manager to version 20.06.5 or higher.

June 18, 2020

July 2, 2020

C•CURE 9000/victor
JCI-PSA-2020-4 v4

Software House C•CURE 9000 and American Dynamics victor Video Management System

Vulnerability impacting Software House C•CURE 9000 and American Dynamics victor Video Management System software installer.

See link for mitigation options.

May 21, 2020

June 2, 2020

Kantech EntraPass
JCI-PSA-2020-6 v1

All versions of Kantech EntraPass editions up to and including v8.22

Vulnerability impacting system permissions for all versions of Tyco Kantech EntraPass Security Management Software Editions.

All users should upgrade Kantech EntraPass Editions to version 8.23.

May 26, 2020

May 26,2020

BCPro
JCI-PSA-2020-5 v1

BCPro

Vulnerability impacting the BCPro and BCT software.

A patch has been developed to address this issue.

April 23, 2020

April 23, 2020

Metasys XXE
JCI-PSA-2020-3 v1

Metasys Server

Vulnerability impacting the Metasys Server software products and some network engines.

A patch has been developed to address this issue.

March 10, 2020

March 10, 2020

SmartService API
JCI-PSA-2020-2 v1

Kantech EntraPass

Vulnerability impacting the SmartService API Service option in some editions of Kantech EntraPass.

Upgrade impacted Kantech EntraPass Global and Corporate edition software to version 8.10.

March 10, 2020

March 10, 2020

ElasticSearch Kibana
JCI-PSA-2020-1 v1

Metasys Server 10.0 using Kibana version 6.2.3

Vulnerabilities impacting ElasticSearch/Kibana visualizer component.

Remove the Windows component called Kibana-6.2.3 from computers running Metasys Server (Release 10.0).

January 31, 2020

January 31, 2020

2019 Product Security Advisories

Title/Security Advisory ID

Affected Product

Overview

Mitigation

Initial Publication Date

Last updated

Flexera FlexNet Publisher -
JCI-PSA-2019-12 v1

Software House C•CURE v2.70 and earlier running FlexNet Publisher version 11.16.1.0 and earlier

Vulnerabilities impacting the Flexera FlexNet Publisher licensing
manager

Install C•CURE 9000 v2.70 Service Pack 3 Critical Update 05 (Unified 3.70 SP3 CU05) or upgrade to C•CURE 9000 v2.80

December 3, 2019

December 3, 2019

PC Annunciator -
JCI-PSA-2019-11 v1

TrueAlarm Fire Alarm
System, 4190 PC Annunciator

Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. “BlueKeep”)

Apply all applicable Microsoft security updates

November 21, 2019

November 21, 2019

Facility Explorer -
JCI-PSA-2019-10 v1

Facility Explorer-
FX 14.7.2, FX 14.4, FX 6.5

Vulnerabilities exist in the QNX operating system used in
Facility Explorer

Apply available QNX patch or update

October 30, 2019

October 30, 2019

Metasys ICS-CERT Advisory ICSA-19-227-01

JCI-PSA-2019-06 v1
CVE-2019-7593
CVE-2019-7594

Metasys® ADS/ADX servers and NAE/NIE/NCE engines impacting versions prior to 9.0.

An attacker with access to the shared RSA key pair or a hardcoded RC2 key could potentially decrypt captured network traffic between the Metasys® ADS/ADX servers or NAE/NIE/NCE engines and the connecting Site Management Portal (SMP) user client

These issues were addressed in version 9.0 of these Metasys® components. We recommend upgrading all Metasys® ADS/ADX servers and NAE/NIE/NCE engines to at least version 9.0 to assure all enhancements in this latest release are active. Sites should also be configured with trusted certificates

August 15, 2019

August 15, 2019

Bluetooth “KNOB” attack or BR/EDR Key Negotiation Vulnerability

CVE-2019-9506 JCI-PSA-2019-08 v1

Find out more about from NIST National Vulnerability Database (NVD) and MITRE CVE® List.

Security advisories for affected products will be appended to this web page as they are made available.

The PSA IDs for each product specific advisory has common root followed by “.x” where x is the instance number (JCI-PSA-2019-08.x).

A researcher has identified a vulnerability that affects Bluetooth devices that employ Bluetooth BR/EDR Bluetooth Core specification versions 1.0 through 5.1

Refer to respective Product Security Advisories (when released)

August 13, 2019

August 13, 2019

JCI-PSA-2019-03

Please visit the ICS-CERT advisory linked below for complete information and additional resources.

ICS-CERT-19-199-01

exacqVision Server 9.6 and 9.8 application running on Windows operating system (all supported versions of Windows).

On March 28, 2019, Tyco security solutions published a product security advisory for exacqVision Server Application

Please reference the linked Johnson Controls advisory below to find mitigation steps: Click Here

March 28, 2019

July 18, 2019

TrueInsight Module Vulnerability
JCI-PSA-2019-05

TrueInsight modules used to connect the Simplex® 4007ES, 4010ES, 4100ES, and 4100U Fire Alarm Control Panels

This vulnerability impacts all TrueInsight modules. If properly exploited, this vulnerability could result in unauthorized access to the fire system. Unfortunately, there is no patch available to fix the vulnerability

Please reference the linked Johnson Controls advisory below to find mitigation steps: Click Here

July 8, 2019

July 8, 2019

Microsoft® Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. “BlueKeep”)

Microsoft® Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. “BlueKeep”).

Vulnerable in-support systems include Windows 7 operating system, Windows Server® 2008 R2, and Windows Server 2008 systems.

Out-of-support but affected operating systems include Windows Server 2003 and Windows XP® operating systems

Microsoft discovered a vulnerability in its Remote Desktop service that is included in most versions of a wide variety of its operating systems. Although this vulnerability is not associated with any specific Johnson Controls application, it does impact the computer environments that can host those applications

Microsoft has released a product update that patches this security issue.

Please reference the linked advisory below to find mitigation steps: Click Here

May 22, 2019

May 22, 2019

ICS-CERT Advisory ICSA-19-163-01

Please visit the ICS-CERT advisory linked above for complete information and additional resources.

ExacqVision (ESM) v5.12.2 and all prior versions of ESM running on a Windows operating system.

This issue does not impact Linux deployments with permissions that are not inherited from the root directory

On February 15, 2019, Tyco security solutions published a product security advisory for ExacqVision Enterprise System Manager (ESM)

Please reference the linked Tyco advisory below to find mitigation steps: Click Here

February 15, 2019

March 28, 2019

2018 Product Security Advisories

Title/Security Advisory ID

Affected Product

Overview

Mitigation

Initial Publication Date

Last updated

CPP-PSA-20180-02 v1

Facility Explorer™ Path Traversal and Improper Authentication Vulnerabilities

ICS CERT Notice ICSA-19-022-01

CVE-2017-16744

CVE-2017-16748

Please visit the ICS CERT notice linked above for complete information and additional resources.

Facility Explorer 6.x (Niagara AX Framework™) systems, prior to 6.6

Facility Explorer 14.x (Niagara 4) systems, prior to 14.4u1

_Facility Explore_r Software Release 6.6 and 14.4u1 includes several fixes and important vulnerability mitigations for cybersecurity protection.

Customers should upgrade to the latest available product versions.

Johnson Controls recommends taking steps to minimize risks to all building automation systems.

The Department of Homeland Security’s ICS-CERT also provides a section for Control Systems Security Recommended Practices.

January 11, 2018

September 4, 2018

ICSA-14-350-02

Metasys® Building Automation System (BAS) Information Disclosure Vulnerability

ICS Cert Notice ICSA-18-212-02

CVE-2018-10624

Please visit the ICS CERT notice linked above for complete information and additional resources.

Metasys system versions 8.0 and prior. BCM (now BC Pro) all versions prior to 3.0.2

A previous version of the Metasys BAS could potentially reveal technical information when an authentication error occurs in the BAS server.

Customers should upgrade to the latest product versions. Contact your Johnson Controls Sales or Service representative for details.

Johnson Controls recommends taking steps to minimize risks to all BASs.Please reference our
Metasys Security Page.The Department of Homeland Security’s ICS-CERT also provides a section for Control Systems Security Recommended Practices.

March 17, 2015

August 27, 2018

Pub # GPS-PSA-2018-02

“Meltdown” and “Spectre” Vulnerabilities CERT Vulnerability Note VU#584653

Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products. Find Updates Here.

Researchers recently disclosed new security vulnerabilities that impact aspects of many modern processors and that could be exploited to allow an attacker to obtain access to sensitive data. These vulnerabilities allow for side-channel attacks to read data from memory. These vulnerabilities can affect personal computers, mobile devices, and the cloud.

Although there are currently no known workarounds, below are some suggested actions that customers can take in the short term to reduce their risks:

Check this site regularly for updated information.

As always, prior to deploying software patches or updates, test such patches or updates on non-production systems and follow all vendor instructions and warnings to ensure such patches or updates do not impair system functionality.

Although not specific to this vulnerability, always implement proper building system and corporate network segmentation and boundary security and access controls.

January 10, 2018

January 26, 2018

2017 Product Security Advisories

Title/Security Advisory ID

Affected Product

Overview

Mitigation

Initial Publication Date

Last updated

“KRACK” Wi-Fi Vulnerability Attacks: CERT Vulnerability Note VU#228519

Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products. Update to follow.

A significant weakness in a commonly used Wi-Fi security protocol was announced recently which could put the confidentiality of data transferred through wireless at risk. The attack, dubbed “KRACK” affects a newly discovered weakness in the WPA2 protocol which is commonly to secure Wi-Fi networks.

An attacker within range of a victim can potentially exploit these weaknesses to access some types of information transmitted between wireless clients and wireless network access points, thereby reducing the confidentiality and integrity of the data being transmitted.

October 16, 2017

November 16, 2017

US CERT Alert TA17-132A017-0143
“Indicators Associated with WannaCry Ransomware”

All Metasys® software releases running on affected OS’, All NxE55 series, all NxE85 series and LCS8520

IT systems worldwide have been affected by a prolific Ransomware attack which leverages a Microsoft SMB protocol vulnerability which may affect some Metasys system components.

Apply Microsoft patch for MS17-010 for host operating systems. Contact your JCI Field Representative for remediation details for specific Metasys products.

May 12, 2017

June 7, 2018

2015 Product Security Advisories

Title/Security Advisory ID

Affected Product

Overview

Mitigation

Initial Publication Date

Last updated

ICSA-14-350-02

Metasys® releases 4.1 to 6.5: ADS, ADX, LCS8520, NAE, NIE, NxE8500

Independent security researcher Billy Rios identified two vulnerabilities in Johnson Controls Metasys® building automation system.

Johnson Controls has produced patches for each affected release that mitigate these vulnerabilities. Contact your Johnson Controls representative for more information.

March 17, 2015

August 27, 2018

US CERT Alert TA17-132A017-0143
“Indicators Associated with WannaCry Ransomware”

All Metasys® software releases running on affected OS’, All NxE55 series, all NxE85 series and LCS8520

IT systems worldwide have been affected by a prolific Ransomware attack which leverages a Microsoft SMB protocol vulnerability which may affect some Metasys system components.

Apply Microsoft patch for MS17-010 for host operating systems. Contact your JCI Field Representative for remediation details for specific Metasys products

May 12, 2017

June 7, 2018

2014 Product Security Advisories

Title/Security Advisory ID

Affected Product

Overview

Mitigation

Initial Publication Date

Last updated

CVE-2014-0160"Heartbleed"

None

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data.

No mitigation required

August 8, 2014

August 25, 2015

CVE-2014-6271"Shellshock"

None

A flaw in the GNU Bourne-Again Shell (Bash) could allow an attacker to remotely execute shell commands.

No mitigation required

September 25, 2014

August 25, 2015

CVE-2014-3566
US-CERT Alert TA-14290A

Metasys® Release 6.5, 7.0, 8.0: Application and Data Server (ADS), Extended Application and Data Server (ADX), ADS-Lite, Open Data Server (ODS), Metasys® Advanced Reporting System, Metasys® Export Utility, Ready Access Portal, and Metasys® User Interface (UI) Release 1.5, 1.5.1, and 2.0

Commonly referred to as Padding Oracle on Downgraded Legacy Encryption (POODLE), this vulnerability may allow an attacker to decrypt cipher
text using a padding oracle side channel attack. The attack leverages the ability for the communication to be downgraded to SSL V3, an older and less secure version of SSL which is vulnerable to attack.

This does not involve any patches or updates to our products, simply a reminder to address this at the Microsoft operating system level.
Disable SSLv3 on the server and standalone computers hosting the affected Metasys software

October 17, 2014

September 30,2016

For everything from asking a question to raising an alarm, please use this form for a quick response from our Johnson Controls cybersecurity organization.

Report a potential vulnerability or cybersecurity concern | Ask about products and services | Learn about protecting your smart building