CVE-2020-9044

Summary

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.

Affected Software

VendorProductVersion RangeStatus
Johnson ControlsMetasys Application and Data Server (ADS, ADS-Lite)versions 10.1 and prioraffected
Johnson ControlsMetasys Extended Application and Data Server (ADX)versions 10.1 and prioraffected
Johnson ControlsMetasys Open Data Server (ODS)versions 10.1 and prioraffected
Johnson ControlsMetasys Open Application Server (OAS)version 10.1affected
Johnson ControlsMetasys Network Automation Engine (NAE55 only)versions 9.0.1affected
Johnson ControlsMetasys Network Automation Engine (NAE55 only)9.0.2affected
Johnson ControlsMetasys Network Automation Engine (NAE55 only)9.0.3affected
Johnson ControlsMetasys Network Automation Engine (NAE55 only)9.0.5affected
Johnson ControlsMetasys Network Automation Engine (NAE55 only)9.0.6affected
Johnson ControlsMetasys Network Integration Engine (NIE55/NIE59)versions 9.0.1affected
Johnson ControlsMetasys Network Integration Engine (NIE55/NIE59)9.0.2affected
Johnson ControlsMetasys Network Integration Engine (NIE55/NIE59)9.0.3affected
Johnson ControlsMetasys Network Integration Engine (NIE55/NIE59)9.0.5affected
Johnson ControlsMetasys Network Integration Engine (NIE55/NIE59)9.0.6affected
Johnson ControlsMetasys NAE85 and NIE85versions 10.1 and prioraffected
Johnson ControlsMetasys LonWorks Control Server (LCS)versions 10.1 and prioraffected
Johnson ControlsMetasys System Configuration Tool (SCT)versions 13.2 and prioraffected
Johnson ControlsMetasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed)version 8.1affected

Weaknesses

  • CWE-611: CWE-611 - Information Leak Through XML External Entity File Disclosure

ADP Enrichment

CVE Program Container

Additional References

References