X Close

Product Security Advisories

Johnson Controls is committed to providing timely communication about known threats and vulnerabilities to our products and works closely with our partners in the U.S. DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to promote widest distribution possible of this important information.

 

Reported Product Advisories 

 

Advisory

Overview

Affected Products

Impact

Mitigation

ICSA-14-350-02 March 17, 2015

Independent security researcher Billy Rios identified two vulnerabilities in Johnson Controls Metasys® building automation system.

Metasys® releases 4.1 to 6.5: ADS, ADX, LCS8520, NAE, NIE, NxE8500

The exploitation of these vulnerabilities could allow an unauthenticated remote attacker to compromise the confidentiality, integrity, and availabiliy of a Metasys® system.

Johnson Controls has produced patches for each affected release that mitigate these vulnerabilities. Contact your Johnson Controls representative for more information.

ICS Vulnerabilities and Exploits

 

 

CVE-2014-0160 "Heartbleed" April 8, 2014

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data.

None

We have assessed our products and see no impact at this time. Last updated August 25, 2015.

No mitigation required

CVE-2014-6271 "Shellshock" September 25, 2014

A flaw in the GNU Bourne-Again Shell (Bash) could allow an attacker to remotely execute shell commands.

None

We have assessed our products and see no impact at this time. Last updated August 25, 2015.

No mitigation required

 

jQuery("a[href*='.docx'],a[href*='.pdf']").attr("onclick","LogClick(this);")