Latest News

Red Hat Security Advisory 2024-3759-03 - An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support.

Red Hat Security Advisory 2024-3758-03 - An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support.

Red Hat Security Advisory 2024-3757-03 - An update for ipa is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

Red Hat Security Advisory 2024-3756-03 - An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 8.4 Advanced Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Security Advisory 2024-3755-03 - An update for the idm:DL1 module is now available for Red Hat Enterprise Linux 8.

Red Hat Security Advisory 2024-3754-03 - An update for ipa is now available for Red Hat Enterprise Linux 9.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.3 ATTENTION: Low attack complexity Vendor: Rockwell Automation Equipment: ControlLogix, GuardLogix, CompactLogix Vulnerability: Always-Incorrect Control Flow Implementation 2. RISK EVALUATION Successful exploitation of this vulnerability could compromise the availability of the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Rockwell Automation reports that the following controllers are affected: ControlLogix 5580: V34.011 GuardLogix 5580: V34.011 1756-EN4: V4.001 CompactLogix 5380: V34.011 Compact GuardLogix 5380: V34.011 CompactLogix 5380: V34.011 ControlLogix 5580: V34.011 CompactLogix 5480: V34.011 3.2 Vulnerability Overview 3.2.1 Always-Incorrect Control Flow Implementation CWE-670 Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to result in a major nonrecoverable fault (MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port. If explo...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Intrado Equipment: 911 Emergency Gateway (EGW) Vulnerability: SQL Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute malicious code, exfiltrate data, or manipulate the database. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Intrado's 911 Emergency Gateway are affected: 911 Emergency Gateway (EGW): All versions 3.2 Vulnerability Overview 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89 Intrado 911 Emergency Gateway login form is vulnerable to an unauthenticated blind time-based SQL injection, which may allow an attacker to execute malicious code, exfiltrate data, or manipulate the database. CVE-2024-1839 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: AVEVA Equipment: PI Web API Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of AVEVA PI Web API, a RESTful interface to the PI system, are affected: AVEVA PI Web API: Versions 2023 and prior 3.2 Vulnerability Overview 3.2.1 Deserialization of Untrusted Data CWE-502 There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker. CVE-2024-3468 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L). A C...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.0 ATTENTION: Low attack complexity Vendor: AVEVA Equipment: PI Asset Framework Client Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow malicious code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of AVEVA PI Asset Framework Client, a tool to model either physical or logical objects, are affected: PI Asset Framework Client: 2023 PI Asset Framework Client: 2018 SP3 P04 and all prior 3.2 Vulnerability Overview 3.2.1 Deserialization of Untrusted Data CWE-502 There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker. CVE-2024-3467 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/A...