SB2019021319 - Multiple vulnerabilities in Azure IoT Java SDK
Published: February 13, 2019
Security Bulletin ID
SB2019021319
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Adjecent network
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2019-0741)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists in the way Azure IoT Java SDK logs sensitive information. A local user can gain unauthorized access to sensitive information and compromise the affected device.
2) Cryptographic issues (CVE-ID: CVE-2019-0729)
The vulnerability allows a remote attacker to elevate privileges on the device.
The vulnerability exists due to Azure IoT Java SDK generates predictable symmetric keys for encryption. An attacker can derive the keys from the way they are generated and use them to access a user's IoT hub.
Remediation
Install update from vendor's website.