Tridium released updates for the Niagara AX & N4 platforms this week that patch security vulnerabilities, including critical JVM vulnerabilities. Without mention which versions of AX/N4 are effected, one can only assume all prior versions. When asked for more details, Tridium said Windows based hosts are at the highest risk and they are not aware of active exploits in the wild currently. That being the case, at a minimum all Windows based supervisors and soft Jaces should be patched as soon as possible.
This brings AX to version 3.8.401 and N4 to version 220.127.116.11.1. Vykon branded platforms have this available now, third party channels will lag behind to vary degrees. Unfortunately without any further details, there is no mitigations other than patching. If your channel is behind the current release version, waiting or switching brands is the only option. If this is the case, please help move the industry forward and make your concerns known to the vendor. Customers shouldn’t have to wait months for critical security updates.
Another update may be forthcoming shortly.
Official ICS-CERT announcement. Disabled accounts seem to be central to this bug which may allow for remote code execution. The CVE links seem dead as of today.
Scanning on the open internet for exposed Tridium system increases.
Coincidence, I think not. If you must expose your system to the internet, its past time to update.