Loading

PN1598 | CVE 2022-1096 Chromium Type Confusion Vulnerability Impact Multiple Products

Severity:
Medium
Advisory ID:
PN1598
发布日期:
August 26, 2022
上次更新时间:
August 26, 2022
Revision Number:
1.1
Known Exploited Vulnerability (KEV):
否
Corrected:
否
Workaround:
否
CVE IDs
CVE-2022-1096
摘要
CVE 2022-1096 Chromium Type Confusion Vulnerability Impact Multiple Products

Reference
CVE 2022-1096
Revision History
Revision Number
1.1
Revision History
Version 1.0 – July 12, 2022
Version 1.1 – August 26, 2022 Updated FT View Site Edition Mitigation Instructions

Executive Summary

Rockwell Automation is aware of multiple products that use the Chromium web browser and are affected by CVE 2022-1096, which is a zero day type confusion vulnerability. Exploitation of this vulnerability could potentially lead to a low impact to the availability of the targeted device. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerabilities including recommended countermeasures, are provided.

Affected Products

Product in Scope Vulnerable Component
FactoryTalk® Linx Enterprise software
v6.20, 6.21, and 6.30
V6.21 CefSharp v73.1.130 (EIPCACT feature)
V6.30 CefSharp v91.1.230 (EIPCACT feature)
v6.20 CefSharp v73.1.130 (Device Config feature)
v6.21 CefSharp v73.1.130 (Device Config feature
v6.30 CefSharp v73.1.130 (Device Config feature
Enhanced HIM (eHIM) for PowerFlex® 6000T drives v1.001
Electron v4.2.12
Connected Components Workbench™ software v11, 12,13 & 20 Note: Drives Trending 1.00.00 and 2.00.00 uses Connected Components Workbench Cefsharp V81.3.100
FactoryTalk Link Gateway software v6.21 and v6.30  v6.21 CefSharp v73.1.130
 v6.30 CefSharp v91.1.230
FactoryTalk View Site Edition software v.13.0 WebView2 v96.0.1054.43

Vulnerability Details

Rockwell Automation has been made aware of a third-party vulnerability that is present in multiple vendor components, which our products use. Due to the way Rockwell Automation uses the Chromium web browser, exploitation of this vulnerability may cause the vulnerable products to become unavailable temporarily. As a result, we adjusted the CVSS Score to reflect how this vulnerability affects our products.

CVE 2022-1096 Chromium Web Browser Type Confusion Vulnerability
CVSS Base Score: 4.0 /10 (Medium)
CVSS 3.1 Vector String:  CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available.

For customers using the FactoryTalk View Site Edition follow the recommended actions to address the vulnerability:
  • Do not use the FactoryTalk View SE web browser control if it is not required for the intended use of the product.
  • Customers utilizing the SE Web Browser can manually download and apply the newer version of WebView2 by using the following directions:
    • Replace the Microsoft® msedgewebview2.exe file that is saved in the C:Program Files (x86)Rockwell SoftwareRSView EnterpriseMicrosoft.WebView2.FixedVersionRuntime by copying and pasting the new version of the software into the folder.
    • DO NOT remove the contents of the folder before pasting the new file.

For customers using the Enhanced HIM (eHIM) for Power Flex 6000T drives follow the recommended actions to address the vulnerability:
  • Update the Microsoft Edge browser to Version 99.0.1150 or later. Additionally, apply the update for eHIM when it becomes available to mitigate the vulnerability.
If applying the mitigations, noted above, is not possible please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

  • CVE-2022-1096 - Security Update Guide - Microsoft - Chromium: CVE-2022-1096 Type Confusion in V8
  • ICSA-22-209-01 Advisory

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rockwell Automation 主页
  2. Chevron LeftChevron Left Trust Center
  3. Chevron LeftChevron Left Industrial Security Adv
  4. Chevron LeftChevron Left Industrial Security Advisory Detail
请更新您的Cookies偏好以继续.
此功能需要Cookies来增强您的体验。请更新您的系统偏好以允许使用这些Cookies:
  • 社交媒体Cookies
  • 功能Cookies
  • 性能 Cookies
  • 市场营销Cookies
  • 所有Cookies
您可以随时更新您的系统偏好。如需了解更多信息,请参阅我们的 {0} 隐私政策
CloseClose