Security Advisories and Security Related Updates

Security updates to AUTOSOL software are detailed on this page.


Known Security Vulnerabilities:

The following table lists the known security vulnerabilities in AUTOSOL software. More details about each can be found below under “Advisories and Updates”.

Product | Version | Vulnerability | Addressed in

* Contact AUTOSOL support to discuss other upgrade options to mitigate this issue.

There are currently no known security vulnerabilities within eACM.

AUTOSOL recommends upgrading to the newest release of our software.


Advisories and Updates

This latest version of AUTOSOL Communication Manager (ACM) 9.1.1 integrates the OPC UA .NET Standard Stack Version 1.4.371.96 from the OPC Foundation.

 This fixes the following vulnerabilities:

These vulnerabilities are fixed in the ACM versions shown here:

  • ACM 9.1.1 and later

Affected Products:

AUTOSOL ACM 9.0, ACM 9.0.1, ACM 9.1

Alternative Mitigation:

  • Disable the OPC UA service via ACM Monitor.

  • Contact AUTOSOL support to discuss modular upgrade options to mitigate this issue.

This latest version of AUTOSOL Communication Manager (ACM) 9.1 integrates the OPC UA .NET Standard Stack Version 1.4.370.12 from the OPC Foundation.

 This fixes the following vulnerabilities:

These vulnerabilities are fixed in the ACM versions shown here:

  • ACM 9.1 and later

Affected Products:

AUTOSOL ACM 9.0, ACM 9.0.1

Alternative Mitigation:

  • Disable the OPC UA service via ACM Monitor.

  • Contact AUTOSOL support to discuss modular upgrade options to mitigate this issue.

ACM Update for Emerson FloBoss 107™ with firmware version 2.0

We now have an updated version of the ROC protocol for ACM 9.0.1 and later that will support the firmware upgrade of the following devices:

  1. Emerson FloBoss™ 107 to firmware version 2.0

  2. Emerson ROC 800L to version 1.70

  3. Emerson ROC 800 to version 3.90

 

If you have already upgraded the firmware for the Emerson FloBoss™ 107 to version 2.0 and are unable to retrieve history, this update will correct that. Please contact your sales representative or AUTOSOL Customer Support to gain access to this fix.

Explanation

In November 2022, Emerson released new firmware for the Emerson FloBoss™ 107 (version 2.0), Emerson ROC 800L (version 1.70) and Emerson ROC 800 (version 3.90). In the new firmware for the Emerson ROC FloBoss 107s, point types 6, 7, 10, 41 & 42 were removed due to storage constraints in the device, and because their data was duplicated elsewhere. ACM 9.0.1 and earlier are not compatible with this change.

Enabling security in the Emerson FloBoss™ 107, Emerson ROC 800s or ROC 800Ls in ACM

This support will formally be released in ACM 9.1, but if you wish to upgrade your firmware today and enable the security, AUTOSOL can provide a beta version of the new feature that makes use of the new security requirements. The beta version will only work in 9.0 and later, and will be formally released in ACM 9.1 late spring/early summer 2023. If this is something you are interested in, please contact your sales representative or AUTOSOL Customer Support.

ACM 9.0.1 and earlier cannot retrieve history or meter configuration data from an Emerson FloBoss 107 with firmware version 2.0. 

Explanation

In November 2022, Emerson released new firmware for the Emerson FloBoss™ 107 (ver. 2.0), Emerson ROC 800L (ver. 1.70) and Emerson ROC 800 (ver. 3.90). In the new firmware for the Emerson ROC FloBoss 107s, point types 6, 7, 10, 41 & 42 were removed due to storage constraints in the device, and because their data was duplicated elsewhere. Current ACM releases rely on these point types and as a result, cannot retrieve meter configuration data or history from the Emerson ROC FloBoss 107.

What is being done about it

AUTOSOL is working on a solution.  When it is complete, AUTOSOL will provide hotfixes for all supported versions of ACM.

If you require assistance or additional information regarding the updated Emerson Firmware, please contact Emerson Support.

What about the Emerson ROC 800 and firmware version 1.70

You can upgrade your ROC 800s to firmware version 1.70 today and ACM will continue to work as normal as long as you have the security disabled in the device.

What if you want to enable security in the Emerson ROC 800s or ROC 800Ls and use ACM

If you wish to use ACM and enable the security, AUTOSOL can provide a beta version of the new feature that makes use of the new security requirements.  The new feature for the Emerson ROC 800s and 800Ls will only work in 9.0 and later, and will be formally released in ACM 9.1 late spring 2023.  If this is something you are interested in, please contact your sales representative or AUTOSOL Customer Support.

We will provide updates to this issue on this page.

Security Update for the OPC UA .NET Standard Stack Version 1.0 and Version 1.1

  • CVE-2022-29862 through CVE-2022-29866

  • CVSS 3.0 Base Score: 6.5 Medium - 7.5 High

Summary:

This latest version of AUTOSOL Communication Manager (ACM) 9.0.1 integrates the OPC UA .NET Standard Stack Version 1.4.369.30 from the OPC Foundation.

 This fixes the following vulnerabilities:

These vulnerabilities are fixed in the ACM versions shown here:

  • ACM 9.0.1 and later

Affected Products:

AUTOSOL ACM 9.0

Alternative Mitigation:

  • Disable the OPC UA service via ACM Monitor.

  • Contact AUTOSOL support to discuss modular upgrade options to mitigate this issue.



16055 Space Center Boulevard, Suite 450

Houston, Texas 77062

281.286.6017

All information contained herein is considered proprietary. Any unauthorized disclosure or use is prohibited.