CVEs: CVE-2017-5753 and CVE-2017-5715 (“Spectre”) and CVE-2017-5754 (“Meltdown”)
Researchers recently disclosed new security vulnerabilities that impact aspects of many modern processors and that could be exploited to allow an attacker to obtain access to sensitive data. These vulnerabilities, known as “Meltdown” and “Spectre,” allow for side-channel attacks to read data from memory. These vulnerabilities can affect personal computers, mobile devices, and the cloud. They are not related to any vulnerabilities identified in Johnson Controls code but rather in the software that controls some Intel, AMD, and ARM brand processors.
The Johnson Controls Product Security Incident Response Team (PSIRT) is working with our global product teams to assess the potential impact of the Meltdown and Spectre vulnerabilities. We will publish more information on this site and through product support channels as it becomes available. This is an evolving situation so please check back regularly for updates and further information.
Third-party vendors continue to work on their evolving mitigations for these vulnerabilities. We will continue to monitor the situation and evaluate the impact to our products. Johnson Controls global product teams will be publishing guidance as they complete their assessments.
Please note the following:
Although there are currently no known workarounds, below are some suggested actions that customers can take in the short term to reduce their risks:
The Department of Homeland Security’s ICS-CERT provides guidance on control systems security recommended practices on their web page. Several recommended practices are available for reading and download, including “Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies”.
For More Information and Assistance
Contact your Johnson Controls account executive and leverage established sales/service channels for your Johnson Controls product. Customers of Johnson Controls/Tyco security products (access control, video surveillance, and intrusion detection) should monitor this page and the Tyco Cyber Protection Program. If you have more questions or need additional support, email the Johnson Controls PSIRT at firstname.lastname@example.org.
Pub # GPS-PSA-2018-01
Initial Publication Date: 1/10/18
Date (Rev.) N/A
Version # 1.0