Deserialization of untrusted data in OSIsoft PI Data Archive

#VU11112 Deserialization of untrusted data in OSIsoft PI Data Archive

Published: 2018-03-15

Vulnerability identifier: #VU11112

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-7529

CWE-ID: CWE-502

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OSIsoft PI Data Archive
Server applications / Database software

Vendor: OSIsoft

Description
The vulnerability allows a remote attacker can cause DoS condition on the target system.

The weakness exists due to deserialization of untrusted data. A remote attacker can modify deserialized data, send specially crafted custom requests and cause the server to crash.

Mitigation
Update to version 2017 R2.

Vulnerable software versions

OSIsoft PI Data Archive: All versions

External links
http://techsupport.osisoft.com/Troubleshooting/Alerts/AL00339

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in OSIsoft PI Data Archive