Tridium AX security release 3.8.504
Posted: Sat Feb 29, 2020 6:18 pm
Security Bulletin #: SB 2020-Tridium-1
Defect#: NCCB-44469, NCCB-44306
Summary
Niagara AX 3.8 and Niagara Enterprise Security 2.3 (EntSec 2.3) have been updated to include the latest JRE and Bouncycastle libraries. These updates contain many security fixes provided by the vendors. In addition, other libraries were also updated to the latest versions to address bug fixes.
Tridium will continue to address critical vulnerabilities in Niagara AX and EntSec 2.3 as technically feasible until JULY 2021.
NOTE: After JULY 2021 Niagara AX will no longer be supported. Until then it is important to update your Niagara AX software with the latest security fixes.
Niagara 4 contains new security features and controls (RBAC, extensible authentication schemes, code signing, etc.) that provide an even stronger security profile for your projects and installations. Customers are strongly encouraged to migrate to Niagara 4.
NOTE: Due to routine growth of libraries (including the JRE), if your stations are particularly large, it may be necessary to perform a cleaning of JACE 3, 6, and 7 platforms after performing a backup and prior to installing the latest version. If you have any questions or concerns, please contact your sales support channel or the Tridium support team at support@tridium.com for details.
Recommended Action
Tridium has released new updates that address vulnerabilities identified in the vendor provided libraries.
Niagara AX 3.8u5 - 3.8.504
NetSec 2.3u3 - 2.3.303
These updates are available by contacting your sales support channel or the Tridium support team at support@tridium.com.
It is important that all Niagara customers for all supported platforms update their systems with these releases to mitigate risk. If you have any questions, please contact your Tridium account manager or Customer Support at support@tridium.com.
Mitigation
In addition to updating your system, Tridium recommends that customers with affected products take the following steps to protect themselves:
Defect#: NCCB-44469, NCCB-44306
Summary
Niagara AX 3.8 and Niagara Enterprise Security 2.3 (EntSec 2.3) have been updated to include the latest JRE and Bouncycastle libraries. These updates contain many security fixes provided by the vendors. In addition, other libraries were also updated to the latest versions to address bug fixes.
Tridium will continue to address critical vulnerabilities in Niagara AX and EntSec 2.3 as technically feasible until JULY 2021.
NOTE: After JULY 2021 Niagara AX will no longer be supported. Until then it is important to update your Niagara AX software with the latest security fixes.
Niagara 4 contains new security features and controls (RBAC, extensible authentication schemes, code signing, etc.) that provide an even stronger security profile for your projects and installations. Customers are strongly encouraged to migrate to Niagara 4.
NOTE: Due to routine growth of libraries (including the JRE), if your stations are particularly large, it may be necessary to perform a cleaning of JACE 3, 6, and 7 platforms after performing a backup and prior to installing the latest version. If you have any questions or concerns, please contact your sales support channel or the Tridium support team at support@tridium.com for details.
Recommended Action
Tridium has released new updates that address vulnerabilities identified in the vendor provided libraries.
Niagara AX 3.8u5 - 3.8.504
NetSec 2.3u3 - 2.3.303
These updates are available by contacting your sales support channel or the Tridium support team at support@tridium.com.
It is important that all Niagara customers for all supported platforms update their systems with these releases to mitigate risk. If you have any questions, please contact your Tridium account manager or Customer Support at support@tridium.com.
Mitigation
In addition to updating your system, Tridium recommends that customers with affected products take the following steps to protect themselves:
- Review and validate the list of users who are authorized and who can authenticate to Niagara.
- Allow only trained and trusted persons to have physical access to the system, including devices that have connection to the system though the Ethernet port.
- If remote connections to the network are required, consider using a VPN or other means to ensure secure remote connections into the network where the system is located.