Thursday, December 23, 2021

Review - 2 Advisories Published – 12-23-21

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Johnson Controls and Moxa.

Johnson Controls Advisory - This advisory discusses the original Log4Shell vulnerability in the Johnson Controls Exacq Technologies Enterprise Manager.

NOTE: It is interesting that nowhere does the NCCIC-ICS advisory mention the Apache vulnerabilities except by the CVE #. This would have been a good place to publish a reference to yesterday’s CISA, et al, advisory on “Mitigating Log4Shell and Other Log4j-Related Vulnerabilities”, especially since this is the first NCCIC-ICS advisory on Log4Shell.

Moxa Advisory - This advisory describes a clear-text transmission of sensitive information vulnerability in the Moxa MGate MB3180/MB3280/MB3480 Series Protocol Gateways.

NOTE: It looks like NCCIC-ICS is reporting the wrong CVE number for this advisory.

For more details about these advisories, see my article at CFSN Detailed Analysis - subscription required.
