Security Updates

The following information addresses known issues that have been reported.

In most, if not all, cases, reported issues can be corrected by upgrading to the latest version of the OAS Platform. If you have any concerns or are experiencing an issue not listed below, contact our technical support team at support@oasiot.com.

OAS v17 contains several improvements that harden security and make communications even more efficient.
Read more about these improvements here.


CVE or Ref. Number: CVE-2022-26082, CVE-2022-26303, CVE-2022-26043, CVE-2022-26077, CVE-2022-26026, CVE-2022-26067, CVE-2022-27169

Description: A vulnerability was reported in the OAS Engine API calls of Open Automation Software OAS Platform V16.00.0112.

Recommendations:
Upgrade your server to v17.
For prior versions, ensure the Default security Group is disabled and that access to OAS Platform features is limited by assigning only the necessary rights to additional security groups and users.

Versions Affected: Versions prior to v17
Status: Corrected in v17


CVE or Ref. Number: CVE-2022-26833

Description: A vulnerability was reported in the OAS Engine REST API calls of Open Automation Software OAS Platform V16.00.0112.

Recommendations:
Upgrade your server to v17.
For prior versions, ensure the Default security Group is disabled and that access to OAS Platform features is limited by assigning only the necessary rights to additional security groups and users.
This vulnerability only exists when security is not enabled on the OAS server. As always with Web HMI and REST API implementations, enable SSL on unsecured networks.

Versions Affected: Versions prior to v17
Status: Corrected in v17