cnvd - cnvd-2021-102844

cnvd-2021-102844

Vulnerability from cnvd

Title: AVEVA System Platform存在未明漏洞

Description:

AVEVA System Platform是英国AVEVA（Aveva）公司的一个应用软件。用于监管、企业SCADA、MES和IIoT应用程序的响应迅速、标准驱动且可扩展的基础。

AVEVA System Platform存在安全漏洞，攻击者可利用漏洞导致拒绝服务。

Severity: 高

Patch Name: AVEVA System Platform存在未明漏洞的补丁

Patch Description:

AVEVA System Platform是英国AVEVA（Aveva）公司的一个应用软件。用于监管、企业SCADA、MES和IIoT应用程序的响应迅速、标准驱动且可扩展的基础。

AVEVA System Platform存在安全漏洞，攻击者可利用漏洞导致拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.aveva.com/

Reference: https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05

Impacted products

Name
AVEVA System Platform >=2017，<=2020 R2 P01

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-33010"
    }
  },
  "description": "AVEVA System Platform\u662f\u82f1\u56fdAVEVA\uff08Aveva\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u7528\u4e8e\u76d1\u7ba1\u3001\u4f01\u4e1aSCADA\u3001MES\u548cIIoT\u5e94\u7528\u7a0b\u5e8f\u7684\u54cd\u5e94\u8fc5\u901f\u3001\u6807\u51c6\u9a71\u52a8\u4e14\u53ef\u6269\u5c55\u7684\u57fa\u7840\u3002\n\nAVEVA System Platform\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.aveva.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-102844",
  "openTime": "2021-12-28",
  "patchDescription": "AVEVA System Platform\u662f\u82f1\u56fdAVEVA\uff08Aveva\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u7528\u4e8e\u76d1\u7ba1\u3001\u4f01\u4e1aSCADA\u3001MES\u548cIIoT\u5e94\u7528\u7a0b\u5e8f\u7684\u54cd\u5e94\u8fc5\u901f\u3001\u6807\u51c6\u9a71\u52a8\u4e14\u53ef\u6269\u5c55\u7684\u57fa\u7840\u3002\r\n\r\nAVEVA System Platform\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "AVEVA System Platform\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "AVEVA System Platform \u003e=2017\uff0c\u003c=2020 R2 P01"
  },
  "referenceLink": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05",
  "serverity": "\u9ad8",
  "submitTime": "2021-07-01",
  "title": "AVEVA System Platform\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2021-33010 (GCVE-0-2021-33010)

Vulnerability from cvelistv5

Published

2022-04-04 19:45

Modified

2025-04-16 16:32

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-248 - Uncaught Exception

Summary

An exception is thrown from a function in AVEVA System Platform versions 2017 through 2020 R2 P01, but it is not caught, which may cause a denial-of-service condition.

References

▼	URL	Tags
	https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05	x_refsource_CONFIRM
	https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	AVEVA	AVEVA System Platform	Version: 2017 <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:42:19.956Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-33010",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T15:57:54.681641Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T16:32:04.533Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVEVA System Platform",
          "vendor": "AVEVA",
          "versions": [
            {
              "lessThanOrEqual": "2020 R2 P01",
              "status": "affected",
              "version": "2017",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An exception is thrown from a function in AVEVA System Platform versions 2017 through 2020 R2 P01, but it is not caught, which may cause a denial-of-service condition."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248: Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-04-04T19:45:48.000Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nAutoBuild service is intended to be used only on the GR Node of System Platform during configuration. If the AutoBuild service is enabled on any Runtime nodes, it should be disabled. Furthermore, if the AutoBuild functionality is not used on the GR Node, the AutoBuild service can be disabled on the GR Node as an alternative mitigation that does not require patching.\n\nAVEVA recommends users who need to continually use the AutoBuild functionality and cannot disable it in System Platform Versions 2017 through 2020 R2 P01 (inclusive) are affected by the vulnerabilities and should first upgrade to one of the System Platform versions listed below, then apply the corresponding security update:\n    System Platform 2020 R2 P01, 2020 R2, 2020: Apply AVEVA Communication Drivers Pack 2020 R2.1\n    System Platform 2017 U3 SP1 P01: \n\nFirst apply AVEVA Communication Drivers Pack 2020 R2  AVEVA notes that Activated Licensing is required to apply AVEVA Communication Drivers Pack 2020 R2 on top of System Platform 2017 U3 SP1 P01. For information on AVEVA license compatibility, please contact AVEVA Customer Support.\nThen apply AVEVA Communication Drivers Pack 2020 R2.1\n\nPlease see AVEVA\u2019s security bulletin AVEVA-2021-002 for more information."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "AVEVA System Platform Uncaught Exception",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2021-33010",
          "STATE": "PUBLIC",
          "TITLE": "AVEVA System Platform Uncaught Exception"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "AVEVA System Platform",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "2017",
                            "version_value": "2020 R2 P01"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "AVEVA"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Sharon Brizinov of Claroty reported these vulnerabilities to AVEVA."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An exception is thrown from a function in AVEVA System Platform versions 2017 through 2020 R2 P01, but it is not caught, which may cause a denial-of-service condition."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-248: Uncaught Exception"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05",
              "refsource": "CONFIRM",
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05"
            },
            {
              "name": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf",
              "refsource": "CONFIRM",
              "url": "https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\nAutoBuild service is intended to be used only on the GR Node of System Platform during configuration. If the AutoBuild service is enabled on any Runtime nodes, it should be disabled. Furthermore, if the AutoBuild functionality is not used on the GR Node, the AutoBuild service can be disabled on the GR Node as an alternative mitigation that does not require patching.\n\nAVEVA recommends users who need to continually use the AutoBuild functionality and cannot disable it in System Platform Versions 2017 through 2020 R2 P01 (inclusive) are affected by the vulnerabilities and should first upgrade to one of the System Platform versions listed below, then apply the corresponding security update:\n    System Platform 2020 R2 P01, 2020 R2, 2020: Apply AVEVA Communication Drivers Pack 2020 R2.1\n    System Platform 2017 U3 SP1 P01: \n\nFirst apply AVEVA Communication Drivers Pack 2020 R2  AVEVA notes that Activated Licensing is required to apply AVEVA Communication Drivers Pack 2020 R2 on top of System Platform 2017 U3 SP1 P01. For information on AVEVA license compatibility, please contact AVEVA Customer Support.\nThen apply AVEVA Communication Drivers Pack 2020 R2.1\n\nPlease see AVEVA\u2019s security bulletin AVEVA-2021-002 for more information."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2021-33010",
    "datePublished": "2022-04-04T19:45:48.000Z",
    "dateReserved": "2021-05-13T00:00:00.000Z",
    "dateUpdated": "2025-04-16T16:32:04.533Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted