Security Updates

The following is information which address known issues that have been reported.

In most, if not all cases, issues reported can be corrected by upgrading to the latest version of the OAS Platform. If you have any concerns or are experiencing an issue not listed below, contact our technical support team at support@oasiot.com.

The latest release of OAS contains several improvements that harden security and make communications even more efficient.
Read more about these improvements here.

CVE or Ref. NumberDescriptionVersions AffectedStatus
CVE-2022-26082
CVE-2022-26303
CVE-2022-26043
CVE-2022-26077
CVE-2022-26026
CVE-2022-26067
CVE-2022-27169

A vulnerability was reported in the OAS Engine API calls of Open Automation Software OAS Platform V16.00.0112.

Recommendations:
Upgrade your server to v17.
For prior versions, ensure the Default security Group is disabled and access to the OAS platform features are limited by assigning only necessary rights to additional security groups and users

Versions prior to v17Corrected in v17
CVE-2022-26833

A vulnerability was reported in the OAS Engine REST API calls of Open Automation Software OAS Platform V16.00.0112.

Recommendations:
Upgrade your server to v17.
For prior versions, ensure the Default security Group is disabled and access to the OAS platform features are limited by assigning only necessary rights to additional security groups and users.
This vulnerability only exists when security is not enabled on the OAS server. As always, with Web HMI and REST API implementations, always enable SSL on unsecured networks.

Versions prior to v17

Corrected in v17

CVE-2023-31242
CVE-2023-34998
CVE-2023-34353

Network-based authentication vulnerabilities identified.

Recommendations:
Issue resolved in v19.00.0000. Authentication calls and packets have been further secured. Upgrade to v19 or later.

v18.00.0072Corrected in v19
CVE-2023-32615
CVE-2023-34994

OAS service is granted file system access with elevated permissions.

Recommendations:
Issue resolved in v19.00.0000. OAS access to file system is now limited to installation directories. Upgrade to v19 or later.

v18.00.0072Corrected in v19
CVE-2023-34317
CVE-2023-32271
CVE-2023-35124

Additional validation required on network update calls for configuration data.

Recommendations:
Issue resolved in v19.00.0000. Configuration calls and packets have been further secured. Upgrade to v19 or later.

v18.00.0072Corrected in v19