CVE-2020-9044
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Johnson Controls | Metasys Application and Data Server (ADS, ADS-Lite) | versions 10.1 and prior | affected |
| Johnson Controls | Metasys Extended Application and Data Server (ADX) | versions 10.1 and prior | affected |
| Johnson Controls | Metasys Open Data Server (ODS) | versions 10.1 and prior | affected |
| Johnson Controls | Metasys Open Application Server (OAS) | version 10.1 | affected |
| Johnson Controls | Metasys Network Automation Engine (NAE55 only) | versions 9.0.1 | affected |
| Johnson Controls | Metasys Network Automation Engine (NAE55 only) | 9.0.2 | affected |
| Johnson Controls | Metasys Network Automation Engine (NAE55 only) | 9.0.3 | affected |
| Johnson Controls | Metasys Network Automation Engine (NAE55 only) | 9.0.5 | affected |
| Johnson Controls | Metasys Network Automation Engine (NAE55 only) | 9.0.6 | affected |
| Johnson Controls | Metasys Network Integration Engine (NIE55/NIE59) | versions 9.0.1 | affected |
| Johnson Controls | Metasys Network Integration Engine (NIE55/NIE59) | 9.0.2 | affected |
| Johnson Controls | Metasys Network Integration Engine (NIE55/NIE59) | 9.0.3 | affected |
| Johnson Controls | Metasys Network Integration Engine (NIE55/NIE59) | 9.0.5 | affected |
| Johnson Controls | Metasys Network Integration Engine (NIE55/NIE59) | 9.0.6 | affected |
| Johnson Controls | Metasys NAE85 and NIE85 | versions 10.1 and prior | affected |
| Johnson Controls | Metasys LonWorks Control Server (LCS) | versions 10.1 and prior | affected |
| Johnson Controls | Metasys System Configuration Tool (SCT) | versions 13.2 and prior | affected |
| Johnson Controls | Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) | version 8.1 | affected |
Weaknesses
- CWE-611: CWE-611 - Information Leak Through XML External Entity File Disclosure
ADP Enrichment
CVE Program Container
Additional References
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- https://www.us-cert.gov/ics/advisories/icsa-20-070-05
References
- https://www.johnsoncontrols.com/cyber-solutions/security-advisories
- https://www.us-cert.gov/ics/advisories/icsa-20-070-05
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.