CVE-2020-9044
CVE-2020-9044 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale: an XML External Entity (XXE) flaw in the Web Services of the Johnson Controls Metasys product family that can facilitate denial-of-service attacks or the harvesting of ASCII files from the server. The full NVD description and affected versions follow. EPSS estimates a 1.29% chance of exploitation in the next 30 days.
Description
XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Johnsoncontrols | Metasys Application And Data Server | <= 10.1 |
| Johnsoncontrols | Metasys Extended Application And Data Server | <= 10.1 |
| Johnsoncontrols | Metasys Lonworks Control Server | <= 10.1 |
| Johnsoncontrols | Metasys Open Application Server | 10.1 |
| Johnsoncontrols | Metasys Open Data Server | <= 10.1 |
| Johnsoncontrols | Metasys System Configuration Tool | <= 13.2 |
| Johnsoncontrols | Nae55 Firmware | 9.0.1 |
| Johnsoncontrols | Nae55 Firmware | 9.0.2 |
| Johnsoncontrols | Nae55 Firmware | 9.0.3 |
| Johnsoncontrols | Nae55 Firmware | 9.0.5 |
| Johnsoncontrols | Nae55 Firmware | 9.0.6 |
| Johnsoncontrols | Nie55 Firmware | 9.0.1 |
| Johnsoncontrols | Nie55 Firmware | 9.0.2 |
| Johnsoncontrols | Nie55 Firmware | 9.0.3 |
| Johnsoncontrols | Nie55 Firmware | 9.0.5 |
| Johnsoncontrols | Nie55 Firmware | 9.0.6 |
| Johnsoncontrols | Nie59 Firmware | 9.0.1 |
| Johnsoncontrols | Nie59 Firmware | 9.0.2 |
| Johnsoncontrols | Nie59 Firmware | 9.0.3 |
| Johnsoncontrols | Nie59 Firmware | 9.0.5 |
| Johnsoncontrols | Nie59 Firmware | 9.0.6 |
| Johnsoncontrols | Nae85 Firmware | <= 10.1 |
| Johnsoncontrols | Nie85 Firmware | <= 10.1 |
| Johnsoncontrols | Nae55 Firmware | 8.1 |
| Johnsoncontrols | Ul 864 Uukl Firmware | 8.1 |
| Johnsoncontrols | Ord-C100-13 Uuklc Firmware | 8.1 |
References
- https://www.us-cert.gov/ics/advisories/icsa-20-070-05 (Third Party Advisory, US Government Resource)
Source: NVD / NIST
