CVE-2024-3467: Deserialization of Untrusted Data in AVEVA PI Asset Framework Client

Remedy

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible: * (Recommended) All affected versions can be fixed by upgrading to PI AF Client 2023 Patch 1 or later: From OSI Soft Customer Portal https://my.osisoft.com/ , search for "Asset Framework" and select "PI Asset Framework (AF) Client 2023 Patch 1" or later. * (Alternative) AF Client 2018 SP3 P04 and prior can be fixed by deploying PI AF Client 2018 SP3 Patch 5 or later: From OSI Soft Customer Portal https://my.osisoft.com/ , search for "Asset Framework" and select either "PI Asset Framework (AF) Client 2018 SP3 Patch 5" or later. AVEVA further recommends users follow general defensive measures: * Run PI System Explorer as a least privilege interactive account when possible. * Establish procedures for verifying the source of XML is trusted before importing into PI System Explorer. For additional information please refer to AVEVA-2024-004 https://www.aveva.com/en/support-and-success/cyber-security-updates/