X Close

Product Security Advisories

Johnson Controls is committed to providing timely communication about known threats and vulnerabilities to our products and works closely with our partners in the U.S. DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to promote widest distribution possible of this important information.


Reported Product Advisories 




Affected Products



ICSA-14-350-02 March 17, 2015

Independent security researcher Billy Rios identified two vulnerabilities in Johnson Controls Metasys® building automation system.

Metasys® releases 4.1 to 6.5: ADS, ADX, LCS8520, NAE, NIE, NxE8500

The exploitation of these vulnerabilities could allow an unauthenticated remote attacker to compromise the confidentiality, integrity, and availabiliy of a Metasys® system.

Johnson Controls has produced patches for each affected release that mitigate these vulnerabilities. Contact your Johnson Controls representative for more information.

ICS Vulnerabilities and Exploits



CVE-2014-0160 "Heartbleed" April 8, 2014

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data.


We have assessed our products and see no impact at this time. Last updated August 25, 2015.

No mitigation required

CVE-2014-6271 "Shellshock" September 25, 2014

A flaw in the GNU Bourne-Again Shell (Bash) could allow an attacker to remotely execute shell commands.


We have assessed our products and see no impact at this time. Last updated August 25, 2015.

No mitigation required

US-CERT Alert TA-14290A

Commonly referred to as Padding Oracle on Downgraded Legacy Encryption (POODLE), this vulnerability may allow an attacker to decrypt cipher
text using a padding oracle side channel attack. The attack leverages the ability for the communication to be downgraded to SSL V3, an older and less secure version of SSL which is vulnerable to attack.
Metasys® Release 6.5, 7.0, 8.0: Application and Data Server (ADS), Extended Application and Data Server (ADX), ADS-Lite, Open Data Server (ODS), Metasys® Advanced Reporting System, Metasys®  Export Utility, Ready Access Portal, and Metasys®  User Interface (UI) Release 1.5, 1.5.1, and 2.0

This vulnerability may allow an attacker who is on the same network as the victim to hijack an encrypted session between a client and a server that supports SSLv3, an older and less secure version of SSL. The attack is classified as a “man-in-the-middle exploit.” 

This does not involve any patches or updates to our products, simply a reminder to address this at the Microsoft operating system level. 
Disable SSLv3 on the server and standalone computers hosting the affected Metasys software.