critical
9.1
CWE
611
Advisory Published
Updated

CVE-2020-9044: Metasys Improper Restriction of XML External Entity Reference

First published: Tue Mar 10 2020(Updated: )

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files. This affects Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior; Metasys Extended Application and Data Server (ADX) versions 10.1 and prior; Metasys Open Data Server (ODS) versions 10.1 and prior; Metasys Open Application Server (OAS) version 10.1; Metasys Network Automation Engine (NAE55 only) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys Network Integration Engine (NIE55/NIE59) versions 9.0.1, 9.0.2, 9.0.3, 9.0.5, 9.0.6; Metasys NAE85 and NIE85 versions 10.1 and prior; Metasys LonWorks Control Server (LCS) versions 10.1 and prior; Metasys System Configuration Tool (SCT) versions 13.2 and prior; Metasys Smoke Control Network Automation Engine (NAE55, UL 864 UUKL/ORD-C100-13 UUKLC 10th Edition Listed) version 8.1.

Credit: productsecurity@jci.com

Affected SoftwareAffected VersionHow to fix
Johnson Controls Metasys Application And Data Server<=10.1
Johnson Controls Metasys Application And Data Server<=10.1
Johnson Controls Metasys Extended Application and Data Server<=10.1
Johnson Controls Metasys Lonworks Control Server<=10.1
Johnson Controls Metasys Open Application Server=10.1
Johnson Controls Metasys Open Data Server<=10.1
Johnson Controls Metasys System Configuration Tool<=13.2
Johnson Controls NAE55=9.0.1
Johnson Controls NAE55=9.0.2
Johnson Controls NAE55=9.0.3
Johnson Controls NAE55=9.0.5
Johnson Controls NAE55=9.0.6
Johnsoncontrols Nae55 Firmware
Johnson Controls NIE59=9.0.1
Johnson Controls NIE59=9.0.2
Johnson Controls NIE59=9.0.3
Johnson Controls NIE59=9.0.5
Johnson Controls NIE59=9.0.6
Johnsoncontrols Nie55 Firmware
Johnson Controls NIE59=9.0.1
Johnson Controls NIE59=9.0.2
Johnson Controls NIE59=9.0.3
Johnson Controls NIE59=9.0.5
Johnson Controls NIE59=9.0.6
Johnson Controls NIE59
Johnson Controls NAE85<=10.1
Johnson Controls NAE85
Johnsoncontrols Nie85 Firmware<=10.1
Johnson Controls NIE85
Johnson Controls NAE55=8.1
Johnson Controls UL 864 UUKL Firmware=8.1
Johnson Controls UL 864 UUKL Firmware
Johnson Controls Ord-c100-13 Uuklc=8.1
Johnson Controls Ord-c100-13 Uuklc

Remedy

Johnson Controls has developed a patch to address this issue. Customers should contact their local branch office for remediation.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2020-9044?

    The severity of CVE-2020-9044 is critical with a severity value of 9.1.

  • Which products are affected by CVE-2020-9044?

    Johnson Controls' Metasys Application and Data Server (ADS, ADS-Lite) versions 10.1 and prior, Metasys Extended Application and Data Server, Metasys Lonworks Control Server, Metasys Open Application Server, Metasys Open Data Server, Metasys System Configuration Tool, NAE55 Firmware versions 9.0.1 to 9.0.6, NIE55 Firmware versions 9.0.1 to 9.0.6, NIE59 Firmware versions 9.0.1 to 9.0.6, NAE85 Firmware versions up to 10.1, and NIE85 Firmware versions up to 10.1 are affected by CVE-2020-9044.

  • What is the impact of CVE-2020-9044?

    CVE-2020-9044 could potentially facilitate DoS attacks or harvesting of ASCII server files.

  • How can CVE-2020-9044 be fixed?

    There is currently no known fix for CVE-2020-9044. It is recommended to follow the provided security advisories for updates and patches from Johnson Controls.

  • Where can I find more information about CVE-2020-9044?

    More information about CVE-2020-9044 can be found in the security advisories from Johnson Controls and the ICS-CERT website.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203