Security Bulletin # SB 2019-Tridium-1

CVSS v3.0 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Defect # NCCB-39792




Summary

A vulnerability was discovered in Chromium (CVE-2019-5786) that allows code execution while rendering content that uses the FileReader API. Chromium is a core component used for rendering HTML pages in Workbench via jxBrowser. The Niagara-supported releases impacted by this vulnerability are Niagara 4.4u2, Niagara 4.6, and Niagara 4.7.

Exploitation of this Chromium vulnerability has been reported as targeting 32-bit Windows 7 platforms; however, exploits on other platforms may also occur.

We have updated Chromium (via an update to jxBrowser) to remove the vulnerability and recommend that users update to the versions identified below.

Recommended Action

Tridium has released new updates that mitigate this vulnerability.


Product         Update Version   Release Notes
Niagara 4.4U3   4.4.94.14        See below
Niagara 4.7u1   4.7.110.32       See below

Current users of Niagara 4.6 are encouraged to update to Niagara 4.7u1. It is important that all Niagara customers, on all supported platforms, update their systems with these releases to mitigate risk.

Mitigation

In addition to updating your system, Tridium recommends that customers with affected products take the following protective steps:

  • Review and validate the list of users who are authorized and who can authenticate to Niagara.
  • Allow only trained and trusted persons to have physical access to the system, including devices that have a connection to the system through the Ethernet port.
  • If remote connections to the network are required, consider using a VPN or other means to ensure secure remote connections into the network where the system is located.

Cybersecurity is a priority at Tridium. We are dedicated to continuously improving the security of our products, and we will continue to update you as we release new security features, enhancements, and updates.

Appendix: About CVSS
The Common Vulnerability Scoring System (CVSS) is an open standard for communicating the characteristics and severity of software vulnerabilities. The Base score represents the intrinsic qualities of a vulnerability. The Temporal score reflects the characteristics of a vulnerability that change over time. The Environmental score is an additional score that can be used by CVSS, but is not supplied as it will differ for each customer. The Base score has a value ranging from 0 to 10. The Temporal score has the same range and is a modification of the Base score due to current temporary factors. The severity of the score can be summarized as follows:

Severity Rating   CVSS Score
None              0.0
Low               0.1 - 3.9
Medium            4.0 - 6.9
High              7.0 - 8.9
Critical          9.0 - 10.0


A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score.
Detailed information about CVSS can be found at http://www.first.org/cvss.





If you would like to download the latest software, you can do so by visiting Niagara Central or by using the Activelogix FTP server. If you have forgotten the information for the Activelogix FTP server, please feel free to reach out to our Technical Support group at techsupport@activelogix.com





Issues fixed in Niagara 4.4u3 - 4.4.94.14

Each entry lists the Issue Key and Module, followed by the Issue Summary and Release Note.

NCCB-33627 (alarm)
  Summary: Alarm Database Time does not match Alarm Db View time due to TimeZone differences
  Release Note: In earlier versions of Niagara, the Alarm Database View displayed timestamps in the timezone of the web browser (without noting which timezone was being used). This made it appear as though the alarms had different times than those in the bajaui-based versions of those views. The Alarm Database views now display timestamps in the TimeZone of the Alarm (based on the alarmData TimeZone facet). Additionally, these views now also use the display name for Alarm Classes.

NCCB-34784 (alarm)
  Summary: AlarmUxConsole does not update on Offnormal/Acked to Normal/Acked
  Release Note: The AlarmUxConsole would fail to remove alarms that transitioned from Offnormal-Acked to Normal-Acked. This has been corrected.

NCCB-34807 (alarm)
  Summary: Adding notes in UxAlarmConsole can cause incorrect alarm to display
  Release Note: Adding notes to older alarm records could cause an older alarm to show in the AlarmUxConsole's summary view instead of the most recent alarm from that source. This has been corrected.

NCCB-39084 (alarm)
  Summary: Alarm Database Views do not localize Source & Ack States
  Release Note: The Source State, Ack State, and Alarm Transition columns in the Alarm Database Maintenance view were not correctly localized to the user's language. They are now correctly translated.

NCCB-34187 (bacnet)
  Summary: BACnet trend log import descriptor time zone is not persistent through station restart
  Release Note: The Time Zone property on the descriptor is now persistent once set by a user.

NCCB-37017 (bacnet)
  Summary: Output_Units and Controlled_Variable_Units properties are read-only in the UI
  Release Note: Editing the following properties of these objects from the Niagara B-AWS profile now sends a corresponding Write Property request to the controller on which the change was made: 1) Loop Object: Output_Units, Controlled_Variable_Units. 2) Analog Input: Units, Max_Pres_Value. 3) Accumulator Object: Units, Max_Pres_Value. 4) Pulse Converter Object: Units, Adjust_Value.

NCCB-38893 (bacnetAws)
  Summary: Read Property for unsupported properties should return Unknown Property
  Release Note: Read Property for unsupported properties on an AWS Device now returns an error with Error Class: Property and Error Code: Unknown Property.

NCCB-39009 (bacnetAws)
  Summary: Supervisor should not respond to Backup and Restore related properties
  Release Note: The following properties are not readable for the B-AWS profile:
    • Configuration_Files
    • Last_Restore_Time
    • Backup_Failure_Timeout
    • Backup_Preparation_Time
    • Restore_Preparation_Time
    • Restore_Completion_Time
    • Backup_And_Restore_State

NCCB-38480 (history)
  Summary: History can force expensive resize operation if not properly closed, delaying station restarts
  Release Note: Prior to this fix, if a station was not shut down gracefully (e.g. by a station kill or power loss), then upon the next station restart it was possible for histories with a full policy set to roll to have to perform an expensive resize operation in order to stay at the configured capacity. Since this could affect multiple histories, station startup was delayed waiting for these resize operations to complete. This has now been resolved, so that histories can trim themselves more efficiently under such conditions and the station startup process runs more quickly.

NCCB-27406 (hx)
  Summary: Hx: Chart title is truncated in AX History chart view
  Release Note: Resolved an issue causing the chart title to be truncated in the AX History Chart.

NCCB-36114 (hx)
  Summary: Value Binding in Hx TabbedPane now prevents entire HxPx page from loading
  Release Note: If you have a TabbedPane with ValueBindings on it, the HxPx page of that view stops rendering in Niagara 4.4R. This has been corrected.

NCCB-35060 (jxBrowser, wbapplet)
  Summary: JxBrowser incorrectly shares data directory with other VMs and can cause local storage corruption
  Release Note: If WebStart was launched after Workbench, it would often fail to find a lock file for JxBrowser's data directory and re-use the one in use by Workbench, causing corruption. This has been resolved, and WebStart will no longer attempt to use Workbench's JxBrowser data directory.

NCCB-39792 (jxBrowser)
  Summary: Chromium Vulnerability CVE-2019-5786
  Release Note: JxBrowser has been updated to 6.23.1 due to CVE-2019-5786 and provides a fix in Chrome 69.0.3497.12. Users are encouraged to update to a Niagara version with this fix to avoid being affected by this severe vulnerability.

NCCB-37369 (niagarad (Java), platCrypto)
  Summary: Platform Certificate Management "User Trust Store" generates too many Niagara Daemon "crypto" servlet requests
  Release Note: The User Trust Store view of the platform Certificate Management was making excessive requests to the platform and causing the requests to be mishandled, leading to error messages in the Workbench console. The number of requests has been greatly reduced to minimize the chance of errors occurring.

NCCB-37629 (niagarad (Java), platDaemon)
  Summary: Investigate and backport NCCB-37335 to 4.4 update build
  Release Note: Versions prior to Niagara 4.4U3 could exhibit the following Niagara Daemon error message during Niagara Provisioning jobs that interacted with the "/applist" servlet:
    FINE [...][webserver] handle GET: /applist
    SEVERE [...][webserver] unhandled throwable (java.lang.NullPointerException) encountered, closing connection
  This has been corrected. Niagara versions 4.6 and later are unaffected by this condition.

NCCB-33926 (platSerial)
  Summary: Backport to 4.4. Niagara QNX Binaries are compiled with FD_SETSIZE=4096
  Release Note: Prior to this release, a serial-based Niagara driver could fail to open properly when added after 4000 histories and/or alarms had been created. This has been corrected. To work around this behavior on earlier releases, open the serial driver before creating the histories/alarms, such as at Niagara Station start.

NCCB-35506 (rdbMySQL)
  Summary: SqlScheme resolver disallows character-quoting, throws exception
  Release Note: SqlScheme now allows character quoting using a backtick (`). MySQL table names containing a hyphen (-) must be character-quoted as per the MySQL specification.

NCCB-35768 (saml)
  Summary: SAMLAuthenticationScheme ignores all but last prototype attribute
  Release Note: Fixed an issue where the SAML authentication scheme was incorrectly ignoring user prototype attributes from the Identity Provider when multiple values were returned. The SAML authentication scheme now considers all returned values and picks the first baja:UserPrototype in the UserPrototypes folder that matches any of these values. This matches the behaviour of the LDAP and Kerberos authentication schemes.

NCCB-35769 (saml)
  Summary: Station must be set to UTC timezone or IdP rejects SAML messages as expired
  Release Note: Fixed an issue where stations using a SAMLAuthenticationScheme had to be set to the UTC timezone when used with certain Identity Providers.

NCCB-39167 (saml)
  Summary: SAMLAuthenticationScheme cannot handle signed response with EncryptedAssertion
  Release Note: Previously, SAML authentication would fail when the IdP sent responses with encrypted assertions and message-level signatures. This has been corrected.

NCCB-35159 (tagDictionary)
  Summary: Tag groups no longer copied along with component
  Release Note: In version 4.3, the endpoint ord of a tag group relation was changed from a slot path to a handle ord. While this change allows a tag dictionary to be renamed without breaking the tag group relation, it prevents tag groups from being copied along with the components on which they are applied. Therefore, the use of a slot path ord has been resumed, and tag groups are now copied correctly. These slot path ords are corrected when relevant renames occur.

NCCB-36209 (wbapplet, web)
  Summary: Loading WebWidget in Webstart can show re-login and cause module download corruption
  Release Note: Previously, when loading a WebWidget in Webstart for the first time in a session, it might sometimes show the login page instead of your web widget. If this happened, or if the WebService was restarted during your connection, any new module or lexicon resources were downloaded and stored incorrectly. This has been corrected. If you suspect your module resources have been corrupted, delete this directory so the modules can be downloaded correctly: C:\Users\AppData\Local\niagara\n4applet\_

NCCB-32850 (webEditors)
  Summary: Setpoint field editor widths shrunk on customer's station after upgrade to 4.4
  Release Note: Resolved an issue with set point field editors on PX pages truncating the editor when there is not enough space to display the Numeric Set Point and Generic field editors and the post label.

NCCB-37564 (wiresheet)
  Summary: Wiresheet will not load if two components share more than one link and the source slot of one link is hidden
  Release Note: Previously, if a wiresheet wire was hidden, it would cause a NullPointerException to be thrown when the wiresheet was displayed. This has been fixed so that the exception is no longer thrown, and the hidden wire is simply not displayed.

Issues fixed in Niagara 4.7u1 - 4.7.110.32

Each entry lists the Issue Key and Module, followed by the Summary and Release Note.

HAREMB-507
  Summary: JACE-8000 defaults to factory recovery even if USB backup is present
  Release Note: If a user holds the backup/restore button during boot, has a USB device mounted in the front panel USB backup/restore port, and does not register a keystroke via the serial terminal connection to indicate that a restore is desired, the unit previously would have automatically entered the recovery process. With this release, the recovery/restore process is aborted and the unit continues with normal boot. If recovery is desired, no USB device can be mounted in the backup/restore port.

NCCB-32994 (alarm)
  Summary: % symbol in point facets causes errors for SMS and email alarm recipients
  Release Note: BFormat fields are now handled properly in the alarm recipient message body, which allows '%' symbols to be used in values that are sent to an alarm, such as when the units of a numeric value are percent.

NCCB-38896 (alarm)
  Summary: AlarmSourceExt AckedTransitions ToNormal bit not set when an alarm is active
  Release Note: When the most recent alarm to change to a Normal state is acknowledged, the AckedTransitions property ToNormal bit is now set, even if the point is currently in an alarm state.

NCCB-37344 (bacnet)
  Summary: BACnet Network does not initialize properly when installed via Application Template
  Release Note: Some BACnet point references and other types of references were non-functional after an application template installation, requiring a station restart to reset the references. This has been corrected.

NCCB-38226 (bacnet)
  Summary: BACnet Confirmed Request max-APDU-length-accepted bit flags off-by-one
  Release Note: Updated getMaxAPDULengthCode() to correct corner cases where the encoding was outside BACnet spec section 20.1.2.5.

NCCB-39192 (bacnet)
  Summary: Present Value is set to default value when schedule goes out of effective period
  Release Note: The present value is now retained when the schedule becomes ineffective. It does not revert to 'Schedule Default'.

NCCB-39301 (bacnet)
  Summary: Multistate object gets automatically set to 0 when Out_Of_Service is TRUE
  Release Note: When the Out_Of_Service flag is true, the value in the Out_Of_Service extension is unaffected by the present value of the multi-state point.

NCCB-39550 (bacnet)
  Summary: Not able to write NULL value to Schedule Default property
  Release Note: NULL can now be written to the 'schedule default' property of Numeric, Boolean, Multi-state and Character string schedule types.

NCCB-39558 (bajaScript)
  Summary: HTML5 graphics not showing up in cross-site frame
  Release Note: The Html5HxProfile can now correctly show HTML files that reference another station's bajaux widgets without cross-origin errors. Please note that a separate login may be required. The other station's WebService XFrameOptions must be lowered to "any" for this to work.

NCCB-37378 (bajaux)
  Summary: Bajaux BacnetDate editor throws error when using localized days of the week
  Release Note: The BacnetDate HTML5 field editor was incorrectly encoding the day-of-week part using the configured user language. This has now been fixed so that the BacnetDate HTML5 field editor consistently encodes and decodes the day of the week.

NCCB-19575 (chart, history, hx)
  Summary: History Chart Builder embedded in a PX page fails in the browser
  Release Note: The AX History Chart Builder view now correctly builds charts when embedded in a Px page viewed in the browser.

NCCB-38480 (history)
  Summary: History can force expensive resize operation if not properly closed, delaying subsequent station startup
  Release Note: Prior to this fix, if a station was not shut down gracefully (e.g. by a station kill or power loss), then upon the next station restart it was possible for histories with a full policy set to "roll" to have to perform an expensive resize operation in order to stay at the configured capacity. Since this could affect multiple histories, station startup was delayed waiting for these resize operations to complete. This has now been resolved, so that under such conditions histories can trim themselves more efficiently and there is a smaller impact on station startup time.

NCCB-36114 (hx)
  Summary: Value Binding in Hx TabbedPane prevents entire HxPx page from loading
  Release Note: If you have a TabbedPane with ValueBindings on it, the HxPx page of that view stopped rendering in Niagara 4.4. This has been corrected.

NCCB-39792 (jxBrowser)
  Summary: Security Fix for jxBrowser/Chrome in Workbench
  Release Note: A security fix was made in jxBrowser that addresses a vulnerability in Chrome (CVE-2019-5786). Workbench uses jxBrowser to present web views. The fix mitigates this vulnerability.

NCCB-36629 (niagaraVirtual)
  Summary: Backups in Slot Paths don't translate properly in on-demand Px Graphics for Niagara Virtuals
  Release Note: In cases where a subordinate station (e.g. a JACE) reported to a supervisor and on-demand Px Graphics for Niagara Virtuals was enabled, if the subordinate station contained Px graphics that used relative SlotPath ORD bindings with backups ("../"), then when that graphic was translated and loaded in the supervisor upon accessing the Niagara virtual component, those backups were not translated properly and the virtual ORD bindings in the Niagara Virtual Px graphic would not display properly. This was particularly frustrating when the 'Relativize Ords' command was used in the Px Editor (or in template creation), as it could automatically create backups in SlotPath ORD bindings, leading to this downstream problem. This defect has now been fixed so that these ORDs translate and display properly in on-demand Niagara Virtual Px graphics (only the supervisor station needs to be upgraded).

NCCB-40582 (platform)
  Summary: EDGE10 fails to change IP address via HxTcpIpPlatformServiceView when in daisy chain mode
  Release Note: Prior to platform-wb.jar 4.7.110.32.1, changes to the EDGE10 primary adapter made through the Hx view would not be applied on save if the host was configured to use 'Daisy Chain' link settings. The Hx behavior has now been corrected. As a workaround on earlier versions, use the Workbench platform-based TCP/IP Configuration View or the Workbench station-based TCP/IP Platform Service View to make the changes instead of the Hx view.

NCCB-40590 (platform)
  Summary: Jace-8000 platform configured with NTP logs AccessControlException on Station save
  Release Note: Previous versions of Niagara could show an AccessControlException during the Niagara Station save procedure if the NtpPlatformService was enabled on a QNX platform. This error does not impact the functionality of the service. This exception behavior has been corrected.

NCCB-39191 (rdb)
  Summary: Rdbms history export fails if the source HistoryConfig contains additional frozen slots
  Release Note: BHistoryConfig subclasses with additional frozen properties can now be used with RdbmsExport.

NCCB-39585 (rdbSqlServer)
  Summary: SqlServerDatabase does not support dynamic port discovery
  Release Note: Dynamic port discovery can now be enabled with SqlServerDatabase by setting the PortNumber property to 0 and adding "instanceName=databaseInstanceName;" to the ExtraConnectionProperties property.

NCCB-39167 (saml)
  Summary: SAMLAuthenticationScheme cannot handle signed response with EncryptedAssertion
  Release Note: Previously, SAML authentication would fail when the IdP sent responses with encrypted assertions and message-level signatures. This has been corrected.

NCCB-36113 (seriesTransform, webChart)
  Summary: Provide options to remove line gaps and remove hidden gaps by default
  Release Note: Web Chart now defaults to no longer creating a gap in the data when there is a hidden Trend Record, a Null status, or a non-finite value such as +inf. If you prefer gaps to be shown, a new chart setting restores the previous behavior: set "Show Data Gaps" to "Yes." By default, gaps from start flags are still shown, but these can now be turned off by changing the chart setting "Show Start Trend Gaps" to "No."

NCCB-24007 (tagDictionary)
  Summary: NEQL search on inbound implied relation is not returning any results
  Release Note: Previously, an implied relation such as n:parent would handle only its outbound relation, not the inbound complementary relation (n:child in this example). This prevented NEQL searches using the inbound relation from returning all results without resorting to poorly performing workarounds. Now the implied relation handles both the inbound and outbound versions of itself, and searches involving relations are accurate and perform well.

NCCB-36696 (template)
  Summary: Cannot have PX files outside of default location in application template
  Release Note: Application templates now preserve and install most types of files that are found in the station home directory.

NCCB-37377 (template)
  Summary: Webcharts are not loading on PX view after installing an application template
  Release Note: Application templates now preserve and install most types of files that are found in the station home directory.

NCCB-37934 (template)
  Summary: Deploying a template with input or output configurations may fail or leave connections unresolved
  Release Note: Corrected conditions that would sometimes prevent deploying a template with defined input connections due to an IndexOutOfBoundsException. Note that templates currently restrict output link connections to BControlPoint instances only. If a different component type (a schedule, for example) is desired for the output link connection, connect it first to a control point of the appropriate type and tag the control point so the template bind hints will pick it up.

NCCB-38151 (template)
  Summary: Bulk Deploy fails input links
  Release Note: In some cases the Bulk Deploy process would not resolve template input slots declared in the Excel worksheet. The result could be undefined input links, which would show up in the Template Manager view on the station's Template Service.

NCCB-36209 (wbapplet, web)
  Summary: Loading WebWidget in Webstart can re-show login page and cause module download corruption
  Release Note: When loading a WebWidget in Webstart for the first time in a session, it may sometimes have shown the login page instead of your web widget. If this happened, or the WebService was restarted during your connection, any new module or lexicon resources were downloaded and stored incorrectly. This has been corrected. If you suspect your module resources have been corrupted, delete this directory so the modules can be re-downloaded correctly: C:\Users\\AppData\Local\niagara\n4applet\_

NCCB-33156 (webChart)
  Summary: WebChart: scaling should ignore min/max facets by default and provide options to use them
  Release Note: WebChart no longer looks at a point's facets for 'min' and 'max' by default. If you prefer that behavior, there is now a chart option "Facets Limit Mode" that defaults to "off" but can also be set to "inclusive" (the old behavior) or to "locked", which forces the min and max to those values. In all of these settings, the "chartMin" and "chartMax" facet keys can be used as a higher-priority substitute for "min" and "max." Even if "Facet Limit Mode" is "off," this can be overridden for specific series by supplying a facet key of "chartLimitMode" with the value "inclusive" or "locked." If you are not using a chart file to load a WebChart, there used to be no way to preset any options. Now the defaults can be changed: a new Property called "defaultOptions" can be modified on a Px page and defaults to "file:^charts/defaultOptions.chart". Even when not on a Px page, non-chart files load their options from this file if it exists and the user has permission to view it. This includes the ability to change all options, so even the default time range can now be changed.

NCCB-37564 (wiresheet)
  Summary: Wiresheet will not load if two components share more than one link and the source slot of one link is hidden
  Release Note: Previously, if a wiresheet wire was hidden, it would cause a NullPointerException to be thrown when the wiresheet was displayed. This has been fixed so that the exception is no longer thrown, and the hidden wire is simply not displayed.