CVE-2023-4486

Uncontrolled Resource Consumption in Metasys and Facility Explorer

Description

Under certain circumstances, invalid authentication credentials could be sent to the login endpoint of Johnson Controls Metasys NAE55, SNE, and SNC engines prior to versions 11.0.6 and 12.0.4 and Facility Explorer F4-SNC engines prior to versions 11.0.6 and 12.0.4 to cause denial-of-service.

Remediation

Solution:

Update Metasys NAE55, SNE, and SNC engines to version 12.0.4.
Update Metasys NAE55, SNE, and SNC engines to version 11.0.6.
Update Facility Explorer F4-SNC engine to version 12.0.4.
Update Facility Explorer F4-SNC engine to version 11.0.6.
For more information, contact your local Johnson Controls office or Authorized Building Control Specialists (ABCS).

References

Link	Tags
https://www.johnsoncontrols.com/cyber-solutions/security-advisories	vendor advisory
https://www.cisa.gov/news-events/ics-advisories/icsa-23-341-03	us government resource third party advisory

Frequently Asked Questions

What is the severity of CVE-2023-4486?: CVE-2023-4486 has been scored as a high severity vulnerability.
How to fix CVE-2023-4486?: To fix CVE-2023-4486: Update Metasys NAE55, SNE, and SNC engines to version 12.0.4.
Is CVE-2023-4486 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2023-4486 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-4486?: CVE-2023-4486 affects Johnson Controls Metasys NAE55/SNE/SNC, Johnson Controls Facility Explorer F4-SNC.

Description

Remediation

Categories

CWE-400 – Uncontrolled Resource Consumption

CWE-770 – Allocation of Resources Without Limits or Throttling

References

Frequently Asked Questions