cvelist/2024/3xxx/CVE-2024-3468.json

{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2024-3468",
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "There is a vulnerability in AVEVA PI Web API that could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-502 Deserialization of Untrusted Data",
                        "cweId": "CWE-502"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "AVEVA",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "PI Web API",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<=",
                                            "version_name": "0",
                                            "version_value": "2023"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02",
                "refsource": "MISC",
                "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02"
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.2.0"
    },
    "source": {
        "discovery": "UNKNOWN"
    },
    "solution": [
        {
            "lang": "en",
            "supportingMedia": [
                {
                    "base64": false,
                    "type": "text/html",
                    "value": "<p>AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:</p><p>From <a target=\"_blank\" rel=\"nofollow\" href=\"https://my.osisoft.com/\">OSI Soft Customer Portal</a>, search for \"PI Web API\" and select version \"2023 SP1\" or later.</p><p>(Alternative) PI Web API 2021 SP3 can be fixed by upgrading PI AF Client to one of the versions specified in AVEVA Security Bulletin AVEVA-2024-004 / ICSA-24-163-03</p><p>AVEVA further recommends users follow general defensive measures:</p><ul><li>Set \"DisableWrites\" configuration setting to true, if this instance of PI Web API is used only for reading data or GET requests.</li><li>Uninstall Core Endpoints feature if this instance of PI Web API is used only for data collection from AVEVA Adapters. Keep OMF feature installed.</li><li>Limit AF Servers' Administrators, so that most of the PI Web API user accounts don't have the permission to change the backend AF servers.</li></ul><p>For additional information please refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://www.aveva.com/en/support-and-success/cyber-security-updates/\">AVEVA-2024-003</a></p>\n\n<br>"
                }
            ],
            "value": "AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Customers using affected products should apply security updates as soon as possible:\n\nFrom  OSI Soft Customer Portal https://my.osisoft.com/ , search for \"PI Web API\" and select version \"2023 SP1\" or later.\n\n(Alternative) PI Web API 2021 SP3 can be fixed by upgrading PI AF Client to one of the versions specified in AVEVA Security Bulletin AVEVA-2024-004 / ICSA-24-163-03\n\nAVEVA further recommends users follow general defensive measures:\n\n  *  Set \"DisableWrites\" configuration setting to true, if this instance of PI Web API is used only for reading data or GET requests.\n  *  Uninstall Core Endpoints feature if this instance of PI Web API is used only for data collection from AVEVA Adapters. Keep OMF feature installed.\n  *  Limit AF Servers' Administrators, so that most of the PI Web API user accounts don't have the permission to change the backend AF servers.\n\n\nFor additional information please refer to  AVEVA-2024-003 https://www.aveva.com/en/support-and-success/cyber-security-updates/"
        }
    ],
    "credits": [
        {
            "lang": "en",
            "value": "AVEVA reported this vulnerability to CISA."
        }
    ]
}