#VU62369 Incomplete cleanup in Johnson Controls products - CVE-2021-36205

Cybersecurity Help s.r.o.

Published: 2022-04-19

Vulnerability identifier: #VU62369

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-36205

CWE-ID: CWE-459

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Metasys ADS
Server applications / Application servers
Metasys ADX
Server applications / Application servers
Metasys Open Application Server (OAS)
Server applications / Other server solutions

Vendor: Johnson Controls

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the session token is not cleared upon log out. A remote attacker can use a session token that has not been cleared upon log out of an authenticated user.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Metasys ADS: 10 - 11

Metasys ADX: 10 - 11

Metasys Open Application Server (OAS): 10 - 11

External links
https://www.cisa.gov/uscert/ics/advisories/icsa-22-104-02
https://www.johnsoncontrols.com/cyber-solutions/security-advisories

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Johnson Controls Metasys ADS/ADX/OAS Servers