Multiple vulnerabilities in AVEVA PI Server
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-34348 CVE-2023-31274 |
| CWE-ID | CWE-703 CWE-772 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
PI Server Server applications / Other server solutions |
| Vendor | AVEVA Software, LLC. |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper Check or Handling of Exceptional Conditions
EUVDB-ID: #VU85606
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-34348
CWE-ID:
CWE-703 - Improper Check or Handling of Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper check or handling of exceptional conditions. A remote attacker can crash the PI Message Subsystem of a PI Server and cause a denial of service condition.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPI Server: 2018 SP3 P05 - 2023
External linkshttp://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Missing Release of Resource after Effective Lifetime
EUVDB-ID: #VU85607
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31274
CWE-ID:
CWE-772 - Missing Release of Resource after Effective Lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to missing release of resource after rffective lifetime. A remote attacker can cause the PI Message Subsystem of a PI Server to consume available memory and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPI Server: 2018 SP3 P05 - 2023
External linkshttp://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
