Product Security Advisory
Meltdown and Spectre Vulnerabilities

CVEs: CVE-2017-5753 and CVE-2017-5715 (“Spectre”) and CVE-2017-5754 (“Meltdown”)

Summary
Researchers recently disclosed new security vulnerabilities that impact aspects of many modern processors and that could be exploited to allow an attacker to obtain access to sensitive data. These vulnerabilities, known as “Meltdown” and “Spectre,” allow for side-channel attacks to read data from memory. These vulnerabilities can affect personal computers, mobile devices, and the cloud. They are not related to any vulnerabilities identified in Johnson Controls code but rather in the software that controls some Intel, AMD, and ARM brand processors.

The Johnson Controls Product Security Incident Response Team (PSIRT) is working with our global product teams to assess the potential impact of the Meltdown and Spectre vulnerabilities. We will publish more information on this site and through product support channels as it becomes available. This is an evolving situation so please check back regularly for updates and further information.

Third-party vendors continue to work on their evolving mitigations for these vulnerabilities. We will continue to monitor the situation and evaluate the impact to our products. Johnson Controls global product teams will be publishing guidance as they complete their assessments.

Please note the following:

  • Following secure IT deployment and maintenance practices should significantly reduce the risk and impact of these vulnerabilities being successfully leveraged by an attacker.
  • To execute code locally, an attacker would require a valid account or independent compromise of the target.
  • These exploits, while affecting confidentiality, do not have the potential to corrupt, modify, or delete data.
  • At the time of publishing this notice, we are not aware of attacks that have successfully leveraged these vulnerabilities.

Customer Actions

Although there are currently no known workarounds, below are some suggested actions that customers can take in the short term to reduce their risks:

  • Check this site regularly for updated information.
  • As always, prior to deploying software patches or updates, test such patches or updates on non-production systems and follow all vendor instructions and warnings to ensure such patches or updates do not impair system functionality.
  • Although not specific to this vulnerability, always implement proper building system and corporate network segmentation and boundary security and access controls.

The Department of Homeland Security’s ICS-CERT provides guidance on control systems security recommended practices on their web page. Several recommended practices are available for reading and download including “Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies”.

For More Information and Assistance
Contact your Johnson Controls account executive and leverage established sales/service channels for your Johnson Controls product. Customers of Johnson Controls/Tyco security products (access control, video surveillance, and intrusion detection) should monitor this page and the Tyco Cyber Protection Program. If you have more questions or need additional support, email the Johnson Controls PSIRT at productsecurity@jci.com.

References

Publication #: GPS-PSA-2018-01
Initial Publication Date: 1/10/18
Revision Date: N/A
Version #: 1.0