CVE-2021-36204: Insufficiently Protected Credentials in Metasys
First published: Fri Jan 13 2023(Updated: )
Under some circumstances an Insufficiently Protected Credentials vulnerability in Johnson Controls Metasys ADS/ADX/OAS 10 versions prior to 10.1.6 and 11 versions prior to 11.0.3 allows API calls to expose credentials in plain text.
Credit: productsecurity@jci.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Johnsoncontrols Metasys Application And Data Server | >=10.0<10.1.6 | |
| Johnsoncontrols Metasys Application And Data Server | >=11.0<11.0.3 | |
| Johnsoncontrols Metasys Extended Application And Data Server | >=10.0<10.1.6 | |
| Johnsoncontrols Metasys Extended Application And Data Server | >=11.0<11.0.3 | |
| Johnsoncontrols Metasys Open Application Server | >=10.0<10.1.6 | |
| Johnsoncontrols Metasys Open Application Server | >=11.0<11.0.3 | |
| Johnson Controls Metasys ADS/ADX/OAS Version 10.X | <10.1.6 | 10.1.6 |
| Johnson Controls Metasys ADS/ADX/OAS Version 11.X | <11.0.3 | 11.0.3 |
Remedy
Update all Metasys ADS/ADX/OAS 10 versions with patch 10.1.6.
Remedy
Update all Metasys ADS/ADX/OAS 11 versions with patch 11.0.3.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Johnson Controls Metasys ADS/ADX/OAS vulnerability?
The vulnerability ID for this Johnson Controls Metasys ADS/ADX/OAS vulnerability is CVE-2021-36204.
What is the severity of CVE-2021-36204?
The severity of CVE-2021-36204 is high with a CVSS score of 7.5.
Which versions of Johnson Controls Metasys ADS/ADX/OAS are affected by this vulnerability?
Johnson Controls Metasys ADS/ADX/OAS versions prior to 10.1.6 and 11 versions prior to 11.0.3 are affected by this vulnerability.
What is the risk of the vulnerability?
The vulnerability exposes credentials in plain text, posing a significant risk to the system and the confidentiality of the exposed credentials.
How can I fix CVE-2021-36204?
To fix the vulnerability, update Johnson Controls Metasys ADS/ADX/OAS to version 10.1.6 or higher for 10.x versions, or version 11.0.3 or higher for 11.x versions.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/last-modified-date
- agent/author
- agent/remedy
- agent/description
- agent/first-publish-date
- agent/references
- agent/severity
- agent/event
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- agent/trending
- vendor/johnsoncontrols
- canonical/johnsoncontrols metasys application and data server
- version/johnsoncontrols metasys application and data server/10.0
- version/johnsoncontrols metasys application and data server/11.0
- canonical/johnsoncontrols metasys extended application and data server
- version/johnsoncontrols metasys extended application and data server/10.0
- version/johnsoncontrols metasys extended application and data server/11.0
- canonical/johnsoncontrols metasys open application server
- version/johnsoncontrols metasys open application server/10.0
- version/johnsoncontrols metasys open application server/11.0
- vendor/johnson controls
- canonical/johnson controls metasys ads/adx/oas version 10.x
- canonical/johnson controls metasys ads/adx/oas version 11.x