#VU62832 Unverified Password Change


Published: 2022-05-06

Vulnerability identifier: #VU62832

Vulnerability risk: Medium

CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-21934

CWE-ID: CWE-620

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Metasys ADS
Server applications / Application servers
Metasys ADX
Server applications / Application servers
Metasys Open Application Server (OAS)
Server applications / Other server solutions

Vendor: Johnson Controls

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to unverified password change issue. A remote user on the local network can lock other users out of the system and take over accounts.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Metasys ADS: 10 - 11

Metasys ADX: 10 - 11

Metasys Open Application Server (OAS): 10 - 11


CPE

External links
http://ics-cert.us-cert.gov/advisories/icsa-22-125-01
http://www.johnsoncontrols.com/-/media/jci/cyber-solutions/product-security-advisories/2022/jci-psa-2022-09.pdf?la=en&hash=CDBC2D715E982A79F3A11C86819CF4766F047274


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability