CVE-2023-3127: Improper Authentication in iSTAR
First published: Tue Jul 11 2023(Updated: )
An unauthenticated user could log into iSTAR Ultra, iSTAR Ultra LT, iSTAR Ultra G2, and iSTAR Edge G2 with administrator rights.
Credit: productsecurity@jci.com productsecurity@jci.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Johnsoncontrols Istar Ultra Firmware | >=6.8.6<6.9.2 | |
| Johnsoncontrols Istar Ultra Firmware | =6.9.2 | |
| Johnsoncontrols Istar Ultra | ||
| Johnsoncontrols Istar Ultra Lt Firmware | >=6.8.6<6.9.2 | |
| Johnsoncontrols Istar Ultra Lt Firmware | =6.9.2 | |
| Johnsoncontrols Istar Ultra Lt | ||
| Johnsoncontrols Istar Ultra G2 Firmware | <6.9.2 | |
| Johnsoncontrols Istar Ultra G2 Firmware | =6.9.2 | |
| Johnsoncontrols Istar Ultra G2 | ||
| Johnsoncontrols Edge G2 Firmware | <6.9.2 | |
| Johnsoncontrols Edge G2 Firmware | =6.9.2 | |
| Johnsoncontrols Edge G2 | ||
| Sensormatic Electronics, LLC, a subsidiary of Johnson Controls Inc. iSTAR Ultra and iSTAR Ultra LT: Firmware after version 6.8.6 and prior to 6.9.2 CU01 | ||
| Sensormatic Electronics, LLC, a subsidiary of Johnson Controls Inc. iSTAR Ultra G2 and iSTAR Edge G2: Firmware versions prior to 6.9.2 CU01 |
Remedy
Upgrade iSTAR Ultra, iSTAR Ultra LT, iSTAR Ultra G2, and iSTAR Edge G2 firmware to version 6.9.2 CU01.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-3127?
The severity of CVE-2023-3127 is critical, with a severity value of 9.8.
Which software versions are affected by CVE-2023-3127?
The affected software versions are Johnsoncontrols iSTAR Ultra Firmware 6.8.6 to 6.9.2, iSTAR Ultra LT Firmware 6.8.6 to 6.9.2, iSTAR Ultra G2 Firmware up to 6.9.2, and iSTAR Edge G2 Firmware up to 6.9.2.
How can an unauthenticated user exploit CVE-2023-3127?
An unauthenticated user can exploit CVE-2023-3127 by logging into iSTAR Ultra, iSTAR Ultra LT, iSTAR Ultra G2, and iSTAR Edge G2 with administrator rights.
Is Johnsoncontrols iSTAR Ultra vulnerable to CVE-2023-3127?
No, Johnsoncontrols iSTAR Ultra is not vulnerable to CVE-2023-3127.
Where can I find more information about CVE-2023-3127?
You can find more information about CVE-2023-3127 in the security advisories on the Johnson Controls website and the ICS-CERT website.
- collector/nvd-latest
- collector/nvd-api
- collector/nvd-index
- agent/references
- agent/author
- agent/type
- agent/weakness
- agent/description
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/title
- agent/severity
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/johnsoncontrols
- canonical/johnsoncontrols istar ultra firmware
- version/johnsoncontrols istar ultra firmware/6.8.6
- version/johnsoncontrols istar ultra firmware/6.9.2
- canonical/johnsoncontrols istar ultra
- canonical/johnsoncontrols istar ultra lt firmware
- version/johnsoncontrols istar ultra lt firmware/6.8.6
- version/johnsoncontrols istar ultra lt firmware/6.9.2
- canonical/johnsoncontrols istar ultra lt
- canonical/johnsoncontrols istar ultra g2 firmware
- version/johnsoncontrols istar ultra g2 firmware/6.9.2
- canonical/johnsoncontrols istar ultra g2
- canonical/johnsoncontrols edge g2 firmware
- version/johnsoncontrols edge g2 firmware/6.9.2
- canonical/johnsoncontrols edge g2
- vendor/sensormatic electronics, llc, a subsidiary of johnson controls inc.
- canonical/sensormatic electronics, llc, a subsidiary of johnson controls inc. istar ultra and istar ultra lt: firmware after version 6.8.6 and prior to 6.9.2 cu01
- canonical/sensormatic electronics, llc, a subsidiary of johnson controls inc. istar ultra g2 and istar edge g2: firmware versions prior to 6.9.2 cu01