[Control systems] OSIsoft PI Integrator security update

Number: AV17-123
Date: 9 August 2017

Purpose

The purpose of this advisory is to bring attention to recently released security updates to address input validation and authentication AuthenticationA process or measure used to verify a users identity. vulnerabilities in various versions of OSIsoft’s PI Integrator products.

Assessment

Successful exploitation of these vulnerabilities could allow an unauthorized user to gain privileged access to the system. An unauthorized user may also be able to store a malicious script in the application database.

Affected Products:

• PI Integrator for SAP HANA 2016,
• PI Integrator for Business Analytics 2016 - Data Warehouse (All Editions),
• PI Integrator for Business Analytics 2016 - Business Intelligence (All Editions),
• PI Integrator for Business Analytics and SAP HANA SQL Utility 2016, and
• PI Integrator for Microsoft Azure 2016

CVE References: CVE-2017-9653, CVE-2017-9655

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications at their earliest convenience. Consider and assess the risk should you have to delay updates and mitigate accordingly.

References:

• https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00324
• https://techsupport.osisoft.com/Troubleshooting/Releases/RL01195
• https://ics-cert.us-cert.gov/advisories/ICSA-17-220-01