Product Security Advisories

Johnson Controls tracks, identifies and proactively addresses ever-evolving cybersecurity threats every day – it’s a top priority. This commitment is reflected in our technology innovations and continual product development to keep building management systems, IT infrastructures, and connected equipment secure.

We must all play a role in addressing threats. Our dedicated cybersecurity team, working with our local branch professionals, is available to address customer concerns or immediate threats to system security. We also encourage our customers to follow IT and security-related best practices.

2019 Product Security Advisories

Fields for each advisory: Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated

Title/Security Advisory ID: Metasys ICS-CERT Advisory ICSA-19-227-01; JCI-PSA-2019-06 v1; CVE-2019-7593; CVE-2019-7594
Affected Product: Metasys® ADS/ADX servers and NAE/NIE/NCE engines, versions prior to 9.0.
Overview: An attacker with access to the shared RSA key pair or a hardcoded RC2 key could potentially decrypt captured network traffic between the Metasys® ADS/ADX servers or NAE/NIE/NCE engines and the connecting Site Management Portal (SMP) user client.
Mitigation: These issues were addressed in version 9.0 of these Metasys® components. We recommend upgrading all Metasys® ADS/ADX servers and NAE/NIE/NCE engines to at least version 9.0 to ensure all enhancements in this latest release are active. Sites should also be configured with trusted certificates.
Initial Publication Date: August 15, 2019
Last updated: August 15, 2019

Title/Security Advisory ID: Bluetooth “KNOB” attack or BR/EDR Key Negotiation Vulnerability; CVE-2019-9506; JCI-PSA-2019-08 v1. Find out more from the NIST National Vulnerability Database (NVD) and the MITRE CVE® List.
Affected Product: Security advisories for affected products will be appended to this web page as they are made available. The PSA IDs for each product-specific advisory have a common root followed by “.x”, where x is the instance number (JCI-PSA-2019-08.x).
Overview: A researcher has identified a vulnerability that affects Bluetooth devices that employ the Bluetooth BR/EDR Core specification, versions 1.0 through 5.1.
Mitigation: Refer to the respective Product Security Advisories (when released).
Initial Publication Date: August 13, 2019
Last updated: August 13, 2019
Title/Security Advisory ID: JCI-PSA-2019-03; ICS-CERT-19-199-01. Please visit the ICS-CERT advisory linked below for complete information and additional resources.
Affected Product: exacqVision Server 9.6 and 9.8 application running on the Windows operating system (all supported versions of Windows).
Overview: On March 28, 2019, Tyco security solutions published a product security advisory for the exacqVision Server application.
Mitigation: Please reference the linked Johnson Controls advisory to find mitigation steps: Click Here
Initial Publication Date: March 28, 2019
Last updated: July 18, 2019
Title/Security Advisory ID: TrueInsight Module Vulnerability; JCI-PSA-2019-05
Affected Product: TrueInsight modules used to connect the Simplex® 4007ES, 4010ES, 4100ES, and 4100U Fire Alarm Control Panels
Overview: This vulnerability impacts all TrueInsight modules. If properly exploited, this vulnerability could result in unauthorized access to the fire system. Unfortunately, there is no patch available to fix the vulnerability.
Mitigation: Please reference the linked Johnson Controls advisory to find mitigation steps: Click Here
Initial Publication Date: July 8, 2019
Last updated: July 8, 2019

Title/Security Advisory ID: Microsoft® Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. “BlueKeep”)
Affected Product: Vulnerable in-support systems include the Windows 7 operating system, Windows Server® 2008 R2, and Windows Server 2008. Out-of-support but affected operating systems include Windows Server 2003 and Windows XP®.
Overview: Microsoft discovered a vulnerability in its Remote Desktop service, which is included in most versions of a wide variety of its operating systems. Although this vulnerability is not associated with any specific Johnson Controls application, it does impact the computer environments that can host those applications.
Mitigation: Microsoft has released a product update that patches this security issue. Please reference the linked advisory to find mitigation steps: Click Here.
Initial Publication Date: May 22, 2019
Last updated: May 22, 2019

Title/Security Advisory ID: ICS-CERT Advisory ICSA-19-163-01. Please visit the ICS-CERT advisory linked above for complete information and additional resources.
Affected Product: ExacqVision Enterprise System Manager (ESM) v5.12.2 and all prior versions of ESM running on a Windows operating system. This issue does not impact Linux deployments with permissions that are not inherited from the root directory.
Overview: On February 15, 2019, Tyco security solutions published a product security advisory for ExacqVision Enterprise System Manager (ESM).
Mitigation: Please reference the linked Tyco advisory to find mitigation steps: Click Here.
Initial Publication Date: February 15, 2019
Last updated: March 28, 2019

2018 Product Security Advisories

Fields for each advisory: Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated

Title/Security Advisory ID: CPP-PSA-20180-02 v1; Facility Explorer™ Path Traversal and Improper Authentication Vulnerabilities; ICS-CERT Notice ICSA-19-022-01; CVE-2017-16744; CVE-2017-16748. Please visit the ICS-CERT notice linked above for complete information and additional resources.
Affected Product: Facility Explorer 6.x (Niagara AX Framework™) systems prior to 6.6; Facility Explorer 14.x (Niagara 4) systems prior to 14.4u1
Overview: Facility Explorer Software Releases 6.6 and 14.4u1 include several fixes and important vulnerability mitigations for cybersecurity protection.
Mitigation: Customers should upgrade to the latest available product versions. Johnson Controls recommends taking steps to minimize risks to all building automation systems. The Department of Homeland Security’s ICS-CERT also provides a section on Control Systems Security Recommended Practices.
Initial Publication Date: January 11, 2018
Last updated: September 4, 2018

Title/Security Advisory ID: ICSA-14-350-02; Metasys® Building Automation System (BAS) Information Disclosure Vulnerability; ICS-CERT Notice ICSA-18-212-02; CVE-2018-10624. Please visit the ICS-CERT notice linked above for complete information and additional resources.
Affected Product: Metasys system versions 8.0 and prior; BCM (now BC Pro) all versions prior to 3.0.2
Overview: A previous version of the Metasys BAS could potentially reveal technical information when an authentication error occurs in the BAS server.
Mitigation: Customers should upgrade to the latest product versions. Contact your Johnson Controls Sales or Service representative for details. Johnson Controls recommends taking steps to minimize risks to all BASs. Please reference our Metasys Security Page. The Department of Homeland Security’s ICS-CERT also provides a section on Control Systems Security Recommended Practices.
Initial Publication Date: March 17, 2015
Last updated: August 27, 2018

Title/Security Advisory ID: Pub # GPS-PSA-2018-02; "Meltdown" and "Spectre" Vulnerabilities, CERT Vulnerability Note VU#584653
Affected Product: Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products. Find Updates Here.
Overview: Researchers recently disclosed new security vulnerabilities that impact aspects of many modern processors and that could be exploited to allow an attacker to obtain access to sensitive data. These vulnerabilities allow side-channel attacks that read data from memory. They can affect personal computers, mobile devices, and the cloud. Although there are currently no known workarounds, below are some suggested actions that customers can take in the short term to reduce their risks.
Mitigation:
  • Check this site regularly for updated information.
  • As always, prior to deploying software patches or updates, test such patches or updates on non-production systems and follow all vendor instructions and warnings to ensure such patches or updates do not impair system functionality.
  • Although not specific to this vulnerability, always implement proper building system and corporate network segmentation, boundary security, and access controls.
Initial Publication Date: January 10, 2018
Last updated: January 26, 2018

2017 Product Security Advisories

Fields for each advisory: Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated

Title/Security Advisory ID: “KRACK” Wi-Fi Vulnerability Attacks: CERT Vulnerability Note VU#228519
Affected Product: Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products. Update to follow.
Overview: A significant weakness in a commonly used Wi-Fi security protocol was announced recently which could put the confidentiality of data transferred over wireless at risk. The attack, dubbed “KRACK”, exploits a newly discovered weakness in the WPA2 protocol, which is commonly used to secure Wi-Fi networks. An attacker within range of a victim can potentially exploit these weaknesses to access some types of information transmitted between wireless clients and wireless network access points, thereby reducing the confidentiality and integrity of the data being transmitted.
Mitigation: Update to follow.
Initial Publication Date: October 16, 2017
Last updated: November 16, 2017

Title/Security Advisory ID: US CERT Alert TA17-132A017-0143 “Indicators Associated with WannaCry Ransomware”
Affected Product: All Metasys® software releases running on affected OSs; all NxE55 series, all NxE85 series, and LCS8520
Overview: IT systems worldwide have been affected by a prolific ransomware attack that leverages a Microsoft SMB protocol vulnerability, which may affect some Metasys system components.
Mitigation: Apply the Microsoft patch for MS17-010 to host operating systems. Contact your JCI Field Representative for remediation details for specific Metasys products.
Initial Publication Date: May 12, 2017
Last updated: June 7, 2018

2015 Product Security Advisories

Fields for each advisory: Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated

Title/Security Advisory ID: ICSA-14-350-02
Affected Product: Metasys® releases 4.1 to 6.5: ADS, ADX, LCS8520, NAE, NIE, NxE8500
Overview: Independent security researcher Billy Rios identified two vulnerabilities in the Johnson Controls Metasys® building automation system.
Mitigation: Johnson Controls has produced patches for each affected release that mitigate these vulnerabilities. Contact your Johnson Controls representative for more information.
Initial Publication Date: March 17, 2015
Last updated: August 27, 2018


2014 Product Security Advisories

Fields for each advisory: Title/Security Advisory ID | Affected Product | Overview | Mitigation | Initial Publication Date | Last updated

Title/Security Advisory ID: CVE-2014-0160 “Heartbleed”
Affected Product: None
Overview: A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data.
Mitigation: No mitigation required
Initial Publication Date: August 8, 2014
Last updated: August 25, 2015

Title/Security Advisory ID: CVE-2014-6271 “Shellshock”
Affected Product: None
Overview: A flaw in the GNU Bourne-Again Shell (Bash) could allow an attacker to remotely execute shell commands.
Mitigation: No mitigation required
Initial Publication Date: September 25, 2014
Last updated: August 25, 2015

Title/Security Advisory ID: CVE-2014-3566; US-CERT Alert TA-14290A
Affected Product: Metasys® Release 6.5, 7.0, 8.0: Application and Data Server (ADS), Extended Application and Data Server (ADX), ADS-Lite, Open Data Server (ODS), Metasys® Advanced Reporting System, Metasys® Export Utility, Ready Access Portal, and Metasys® User Interface (UI) Release 1.5, 1.5.1, and 2.0
Overview: Commonly referred to as Padding Oracle on Downgraded Legacy Encryption (POODLE), this vulnerability may allow an attacker to decrypt ciphertext using a padding oracle side-channel attack. The attack leverages the ability for the communication to be downgraded to SSL V3, an older and less secure version of SSL which is vulnerable to attack.
Mitigation: This does not involve any patches or updates to our products, simply a reminder to address this at the Microsoft operating system level. Disable SSLv3 on the server and standalone computers hosting the affected Metasys software.
Initial Publication Date: October 17, 2014
Last updated: September 30, 2016