Product Security Advisories

Johnson Controls keeps your building management systems, IT infrastructures, and connected equipment secure with a firm commitment to technological innovation and continual product development.

This includes creating product security advisories as an essential part of our rapid response protocol for cybersecurity incidents. You can learn about problems we identified — as well as the actions we took to mitigate risk — right here.

 

2024 Product Security Advisories

exacqVision: exacqVision Web Service (JCI-PSA-2024-19)
  Affected product: exacqVision Web Service
  Overview: Vulnerability impacting exacqVision Web Service
  Mitigation: See link for general guidance
  Initial publication date: August 1, 2024
  Last updated: August 1, 2024

exacqVision: exacqVision Web Server (JCI-PSA-2024-18)
  Affected product: exacqVision Web Service
  Overview: Vulnerability impacting exacqVision Web Service
  Mitigation: See link for general guidance
  Initial publication date: August 1, 2024
  Last updated: August 1, 2024

exacqVision: exacqVision Web Service (JCI-PSA-2024-17)
  Affected product: exacqVision Web Service
  Overview: Vulnerability impacting exacqVision Web Service
  Mitigation: See link for general guidance
  Initial publication date: August 1, 2024
  Last updated: August 1, 2024

exacqVision: exacqVision Web Service (JCI-PSA-2024-16)
  Affected product: exacqVision Web Service
  Overview: Vulnerability impacting exacqVision Web Service
  Mitigation: See link for general guidance
  Initial publication date: August 1, 2024
  Last updated: August 1, 2024

exacqVision: exacqVision Web Service (JCI-PSA-2024-15)
  Affected product: exacqVision Web Service
  Overview: Vulnerability impacting exacqVision Web Service
  Mitigation: See link for general guidance
  Initial publication date: August 1, 2024
  Last updated: August 1, 2024

exacqVision: exacqVision Client and exacqVision Server (JCI-PSA-2024-14)
  Affected product: exacqVision Client and Server
  Overview: Vulnerability impacting exacqVision Client and exacqVision Server
  Mitigation: See link for general guidance
  Initial publication date: August 1, 2024
  Last updated: August 1, 2024

Software House: C•CURE 9000 (JCI-PSA-2024-04 v2)
  Affected product: C•CURE 9000
  Overview: Vulnerability impacting C•CURE 9000 v3.00.2
  Mitigation: See link for general guidance
  Initial publication date: May 14, 2024
  Last updated: July 18, 2024

Software House: C•CURE 9000 (JCI-PSA-2024-11)
  Affected product: C•CURE 9000
  Overview: Vulnerability impacting C•CURE 9000 installer
  Mitigation: See link for general guidance
  Initial publication date: July 16, 2024
  Last updated: July 16, 2024

Software House: C•CURE 9000 (JCI-PSA-2024-12)
  Affected product: C•CURE 9000
  Overview: Vulnerability impacting C•CURE 9000 installer
  Mitigation: See link for general guidance
  Initial publication date: July 9, 2024
  Last updated: July 9, 2024

Tyco: Illustra cameras (JCI-PSA-2024-05-v2)
  Affected product: Illustra cameras
  Overview: Vulnerability impacting Illustra cameras
  Mitigation: See link for general guidance
  Initial publication date: July 9, 2024
  Last updated: July 11, 2024

Kantech: KT Door Controllers (JCI-PSA-2024-13)
  Affected product: KT Door Controllers
  Overview: Vulnerability impacting KT Door Controllers
  Mitigation: See link for general guidance
  Initial publication date: July 2, 2024
  Last updated: July 2, 2024

American Dynamics: Illustra Essential Gen 4 (JCI-PSA-2024-10)
  Affected product: Illustra Essential Gen 4
  Overview: Vulnerability impacting Illustra Essential Gen 4
  Mitigation: See link for general guidance
  Initial publication date: June 27, 2024
  Last updated: June 27, 2024

American Dynamics: Illustra Essential Gen 4 (JCI-PSA-2024-9)
  Affected product: Illustra Essential Gen 4
  Overview: Vulnerability impacting Illustra Essential Gen 4
  Mitigation: See link for general guidance
  Initial publication date: June 27, 2024
  Last updated: June 27, 2024

American Dynamics: Illustra Essential Gen 4 (JCI-PSA-2024-8)
  Affected product: Illustra Essential Gen 4
  Overview: Vulnerability impacting Illustra Essential Gen 4
  Mitigation: See link for general guidance
  Initial publication date: June 27, 2024
  Last updated: June 27, 2024

American Dynamics: Illustra Essential Gen 4 (JCI-PSA-2024-7)
  Affected product: Illustra Essential Gen 4
  Overview: Vulnerability impacting Illustra Essential Gen 4
  Mitigation: See link for general guidance
  Initial publication date: June 27, 2024
  Last updated: June 27, 2024

Software House: iSTAR Pro (JCI-PSA-2024-06)
  Affected product: iSTAR Pro door controllers
  Overview: Vulnerability impacting iSTAR Pro door controllers, all versions
  Mitigation: See link for general guidance
  Initial publication date: June 6, 2024
  Last updated: June 6, 2024

Qolsys (JCI-PSA-2024-03)
  Affected product: Qolsys IQ Panel 4 and IQ4 Hub
  Overview: Vulnerability impacting certain versions of Qolsys IQ Panel 4 and IQ4 Hub
  Mitigation: See link for general guidance
  Initial publication date: February 8, 2024
  Last updated: February 8, 2024

2023 Product Security Advisories

Metasys and Facility Explorer (JCI-PSA-2023-08 v2)
  Affected product: Metasys and Facility Explorer
  Overview: Vulnerability impacting certain versions of Metasys and Facility Explorer
  Mitigation: See link for general guidance
  Initial publication date: December 7, 2023
  Last updated: December 19, 2023

Kantech (JCI-PSA-2023-03)
  Affected product: Kantech Gen1 ioSmart card reader
  Overview: Vulnerability impacting certain versions of Kantech Gen1 ioSmart card reader
  Mitigation: See link for general guidance
  Initial publication date: December 14, 2023
  Last updated: December 14, 2023

Frick Refrigeration (JCI-PSA-2023-09)
  Affected product: Quantum HD
  Overview: Vulnerability impacting certain versions of control panels
  Mitigation: See link for general guidance
  Initial publication date: November 9, 2023
  Last updated: November 9, 2023

American Dynamics VideoEdge (JCI-PSA-2023-07)
  Affected product: VideoEdge
  Overview: Vulnerability impacting all VideoEdge versions prior to 6.1.1
  Mitigation: See link for general guidance
  Initial publication date: August 3, 2023
  Last updated: August 3, 2023

IQ Wifi 6 (JCI-PSA-2023-06)
  Affected product: IQ Wifi 6 wireless router
  Overview: Vulnerability impacting web interface
  Mitigation: See link for general guidance
  Initial publication date: July 25, 2023
  Last updated: July 25, 2023

iSTAR (JCI-PSA-2023-05)
  Affected product: iSTAR Ultra, iSTAR Ultra LT, iSTAR Ultra G2, iSTAR Edge G2
  Overview: Vulnerability impacting certain versions of iSTAR Ultra, iSTAR Ultra LT, iSTAR Ultra G2 and iSTAR Edge G2 products
  Mitigation: See link for general guidance
  Initial publication date: July 11, 2023
  Last updated: July 11, 2023

Tyco Illustra Pro Gen 4 (JCI-PSA-2023-02)
  Affected product: Tyco Illustra Pro Gen 4
  Overview: Vulnerability impacting certain versions of Tyco Illustra Pro Gen 4
  Mitigation: See link for general guidance
  Initial publication date: June 8, 2023
  Last updated: June 8, 2023

OpenBlue Enterprise Manager Data Collector (JCI-PSA-2023-04)
  Affected product: OpenBlue Enterprise Manager Data Collector
  Overview: Vulnerability impacting all OpenBlue Enterprise Manager Data Collector firmware versions prior to 3.2.5.75
  Mitigation: See link for general guidance
  Initial publication date: May 18, 2023
  Last updated: May 18, 2023

Metasys (JCI-PSA-2022-07)
  Affected product: Metasys System Configuration Tool (SCT)
  Overview: Vulnerability impacting SCT version 14 prior to 14.2.3 and version 15 prior to 15.0.3
  Mitigation: See link for general guidance
  Initial publication date: February 9, 2023
  Last updated: February 9, 2023

Metasys (JCI-PSA-2022-05)
  Affected product: Metasys ADS/ADX/OAS
  Overview: Vulnerability impacting Metasys ADS/ADX/OAS versions 10 and 11
  Mitigation: See link for general guidance
  Initial publication date: January 12, 2023
  Last updated: January 12, 2023

2022 Product Security Advisories

CKS CEVAS (JCI-PSA-2022-15)
  Affected product: CEVAS
  Overview: Vulnerability impacting CEVAS all versions prior to 1.01.46
  Mitigation: See link for general guidance
  Initial publication date: October 25, 2022
  Last updated: October 25, 2022

Software House C•CURE 9000 (JCI-PSA-2022-12)
  Affected product: C•CURE 9000
  Overview: Vulnerability impacting Software House C•CURE 9000 Portal
  Mitigation: See link for general guidance
  Initial publication date: October 11, 2022
  Last updated: October 11, 2022

Metasys (JCI-PSA-2022-11)
  Affected product: Metasys
  Overview: Vulnerability impacting Metasys ADX Server version 12.0
  Mitigation: See link for general guidance
  Initial publication date: October 4, 2022
  Last updated: October 4, 2022

iSTAR Ultra (JCI-PSA-2022-13)
  Affected product: iSTAR Ultra
  Overview: Vulnerability impacting iSTAR Ultra firmware versions prior to 6.8.9.CU01
  Mitigation: See link for general guidance
  Initial publication date: August 30, 2022
  Last updated: August 30, 2022

Metasys (JCI-PSA-2022-04)
  Affected product: Metasys
  Overview: Vulnerability impacting Metasys ADS/ADX/OAS with MUI
  Mitigation: See link for general guidance
  Initial publication date: July 21, 2022
  Last updated: July 21, 2022

Metasys (JCI-PSA-2022-10)
  Affected product: Metasys
  Overview: Vulnerabilities impacting Metasys ADS/ADX/OAS Servers
  Mitigation: See link for general guidance
  Initial publication date: June 14, 2022
  Last updated: June 14, 2022

Spring4Shell (JCI-PSA-2022-14 v3)
  Affected product: General
  Overview: General guidance
  Mitigation: See link for general guidance
  Initial publication date: April 19, 2022
  Last updated: May 20, 2022

Metasys (JCI-PSA-2022-09)
  Affected product: Metasys
  Overview: Vulnerability impacting Metasys ADS/ADX/OAS Servers versions 10 and 11
  Mitigation: See link for general guidance
  Initial publication date: May 5, 2022
  Last updated: May 5, 2022

Metasys ADS/ADX/OAS (JCI-PSA-2022-08)
  Affected product: Metasys
  Overview: Vulnerability impacting Metasys ADS/ADX/OAS Servers versions 10 and 11
  Mitigation: See link for general guidance
  Initial publication date: April 28, 2022
  Last updated: April 28, 2022

Log4Shell (JCI-PSA-2021-23 v24)
  Affected product: General
  Overview: General guidance
  Mitigation: See link for general guidance
  Initial publication date: December 14, 2021
  Last updated: April 21, 2022

Metasys System Configuration Tool (SCT) and System Configuration Tool Pro (SCT Pro) (JCI-PSA-2022-03)
  Affected product: Metasys
  Overview: Vulnerability impacting Metasys System Configuration Tool (SCT) and System Configuration Tool Pro (SCT Pro) all versions prior to 14.2.2
  Mitigation: See link for general guidance
  Initial publication date: April 21, 2022
  Last updated: April 21, 2022

Metasys ADS/ADX/OAS Servers (JCI-PSA-2022-06)
  Affected product: Metasys
  Overview: Vulnerability impacting Metasys ADS/ADX/OAS Servers versions 10 and 11
  Mitigation: See link for general guidance
  Initial publication date: April 14, 2022
  Last updated: April 14, 2022

Metasys ADS/ADX/OAS Servers (JCI-PSA-2022-02)
  Affected product: Metasys
  Overview: Vulnerability impacting Metasys ADS/ADX/OAS versions 10 and 11
  Mitigation: See link for general guidance
  Initial publication date: March 17, 2022
  Last updated: March 17, 2022

DSC PowerManage (JCI-PSA-2022-01 v2)
  Affected product: DSC
  Overview: Vulnerability impacting DSC PowerManage versions 4.0 to 4.8
  Mitigation: See link for general guidance
  Initial publication date: February 3, 2022
  Last updated: March 7, 2022

2021 Product Security Advisories

Log4Shell (JCI-PSA-2021-23 v9)
  Affected product: General
  Overview: General guidance
  Mitigation: See link for general guidance
  Initial publication date: December 14, 2021
  Last updated: December 22, 2021

American Dynamics VideoEdge (JCI-PSA-2021-21)
  Affected product: American Dynamics VideoEdge
  Overview: Vulnerability impacting VideoEdge versions 5.4.1 to 5.7.1
  Mitigation: See link for mitigation options
  Initial publication date: December 22, 2021
  Last updated: December 22, 2021

exacqVision Enterprise Manager (JCI-PSA-2021-24)
  Affected product: exacqVision Enterprise Manager
  Overview: Vulnerability impacting all versions of exacqVision Enterprise Manager up to and including version 21.12
  Mitigation: See link for mitigation options
  Initial publication date: December 20, 2021
  Last updated: December 20, 2021

Kantech EntraPass (JCI-PSA-2021-22)
  Affected product: Kantech EntraPass
  Overview: Vulnerability impacting EntraPass all versions prior to 8.40
  Mitigation: See link for mitigation options
  Initial publication date: December 2, 2021
  Last updated: December 2, 2021

CEM Systems AC2000 (JCI-PSA-2021-20)
  Affected product: CEM Systems AC2000
  Overview: Vulnerability impacting AC2000 all versions prior to 10.6
  Mitigation: See link for mitigation options
  Initial publication date: November 30, 2021
  Last updated: November 30, 2021

American Dynamics VideoEdge (JCI-PSA-2021-17)
  Affected product: American Dynamics VideoEdge
  Overview: Vulnerability impacting VideoEdge versions prior to 5.7.1
  Mitigation: See link for mitigation options
  Initial publication date: November 2, 2021
  Last updated: November 2, 2021

American Dynamics victor Video Management System (JCI-PSA-2021-19)
  Affected product: American Dynamics victor Video Management System
  Overview: Vulnerability impacting victor Video Management System version 5.7 and prior
  Mitigation: See link for mitigation options
  Initial publication date: October 28, 2021
  Last updated: October 28, 2021

exacqVision Server (JCI-PSA-2021-18)
  Affected product: exacqVision Server
  Overview: Vulnerability impacting exacqVision Server 32-bit version 21.06.11.0 or older
  Mitigation: See link for mitigation options
  Initial publication date: October 7, 2021
  Last updated: October 7, 2021

exacqVision Web Service (JCI-PSA-2021-16)
  Affected product: exacqVision Web Service
  Overview: Vulnerability impacting exacqVision Web Service version 21.06.11.0 or older
  Mitigation: See link for mitigation options
  Initial publication date: October 7, 2021
  Last updated: October 7, 2021

Kantech KT-1 Door Controller (JCI-PSA-2021-14)
  Affected product: Kantech KT-1 Door Controller
  Overview: Vulnerability impacting all versions of Kantech KT-1 Controller including 3.01
  Mitigation: See link for mitigation options
  Initial publication date: September 10, 2021
  Last updated: September 10, 2021

Tyco Illustra (JCI-PSA-2021-13)
  Affected product: Tyco Illustra
  Overview: Vulnerability impacting specific versions of Tyco Illustra
  Mitigation: See link for mitigation options
  Initial publication date: August 31, 2021
  Last updated: August 31, 2021

CEM Systems AC2000 (JCI-PSA-2021-15)
  Affected product: CEM Systems AC2000
  Overview: Vulnerability impacting specific versions of CEM Systems AC2000
  Mitigation: See link for mitigation options
  Initial publication date: August 26, 2021
  Last updated: August 26, 2021

Kantech: KT-1 Door Controller (JCI-PSA-2021-12)
  Affected product: Kantech KT-1 Door Controller
  Overview: Vulnerability impacting all versions of Kantech KT-1 Door Controller including 2.09.02 and earlier
  Mitigation: See link for mitigation options
  Initial publication date: August 19, 2021
  Last updated: August 19, 2021

Software House C•CURE 9000 (JCI-PSA-2021-10 v2)
  Affected product: Software House C•CURE 9000
  Overview: Vulnerability impacting all versions of Software House C•CURE 9000 prior to version 2.80
  Mitigation: See link for mitigation options
  Initial publication date: July 1, 2021
  Last updated: August 12, 2021

Facility Explorer (JCI-PSA-2021-11)
  Affected product: Facility Explorer
  Overview: Vulnerability impacting Facility Explorer SNC Series Supervisory Controllers (F4-SNC)
  Mitigation: See link for mitigation options
  Initial publication date: July 1, 2021
  Last updated: July 1, 2021

Software House C•CURE 9000 (JCI-PSA-2021-10)
  Affected product: Software House C•CURE 9000
  Overview: Vulnerability impacting all versions of Software House C•CURE 9000 prior to version 2.80
  Mitigation: See link for mitigation options
  Initial publication date: July 1, 2021
  Last updated: July 1, 2021

exacqVision Web Service (JCI-PSA-2021-09)
  Affected product: exacqVision Web Service
  Overview: Vulnerability impacting all versions of exacqVision Web Service including 21.03
  Mitigation: See link for mitigation options
  Initial publication date: June 24, 2021
  Last updated: June 24, 2021

exacqVision Enterprise Manager (JCI-PSA-2021-08)
  Affected product: exacqVision Enterprise Manager
  Overview: Vulnerability impacting all versions of exacqVision Enterprise Manager including 20.12
  Mitigation: See link for mitigation options
  Initial publication date: June 24, 2021
  Last updated: June 24, 2021

Metasys Servers, Engines, and SCT Tools Web Services (JCI-PSA-2021-05)
  Affected product: Metasys Servers, Engines, and SCT Tools Web Services
  Overview: Vulnerability impacting web services for Metasys Servers, Engines, and SCT Tools
  Mitigation: See link for mitigation options.
  Initial publication date: June 4, 2021
  Last updated: June 4, 2021

American Dynamics VideoEdge (JCI-PSA-2021-07)
  Affected product: American Dynamics VideoEdge
  Overview: Vulnerability impacting all versions of VideoEdge prior to 5.7.0
  Mitigation: See link for mitigation options.
  Initial publication date: May 27, 2021
  Last updated: May 27, 2021

American Dynamics Tyco AI (JCI-PSA-2021-06)
  Affected product: American Dynamics Tyco AI
  Overview: Vulnerability impacting all versions of Tyco AI up to and including v1.2
  Mitigation: See link for mitigation options.
  Initial publication date: May 13, 2021
  Last updated: May 13, 2021

exacqVision Network Video Recorder (JCI-PSA-2021-04)
  Affected product: exacqVision Network Video Recorder
  Overview: Vulnerability impacting specific versions of the exacqVision Network Video Recorder
  Mitigation: See link for mitigation options.
  Initial publication date: April 29, 2021
  Last updated: April 29, 2021

exacqVision Web Service (JCI-PSA-2021-03)
  Affected product: exacqVision Web Service
  Overview: Vulnerability impacting all versions of exacqVision Web Service
  Mitigation: See link for mitigation options.
  Initial publication date: March 18, 2021
  Last updated: March 18, 2021

Metasys Report Engine (MRE) Web Services (JCI-PSA-2021-02)
  Affected product: Metasys Report Engine (MRE) Web Services
  Overview: Vulnerability impacting specific versions of Metasys Report Engine (MRE) Web Services
  Mitigation: See link for mitigation options.
  Initial publication date: February 18, 2021
  Last updated: February 18, 2021

Sur-Gard (JCI-PSA-2021-01)
  Affected product: Sur-Gard System 5 receivers
  Overview: Vulnerability impacting Sur-Gard System 5 receivers
  Mitigation: See link for mitigation options.
  Initial publication date: January 26, 2021
  Last updated: January 26, 2021

AD victor Web Client and SWH C•CURE Web Client (JCI-PSA-2020-9 v2)
  Affected product: American Dynamics victor Web Client and Software House C•CURE Web Client
  Overview: Vulnerability impacting specific versions of American Dynamics victor Web Client and Software House C•CURE Web Client
  Mitigation: See link for mitigation options.
  Initial publication date: October 8, 2020
  Last updated: January 5, 2021

2020 Product Security Advisories

AD victor Web Client and SWH C•CURE Web Client (JCI-PSA-2020-10 v2)
  Affected product: American Dynamics victor Web Client and Software House C•CURE Web Client
  Overview: Vulnerability impacting specific versions of American Dynamics victor Web Client and Software House C•CURE Web Client
  Mitigation: See link for mitigation options.
  Initial publication date: November 19, 2020
  Last updated: November 24, 2020

victor Web Client (JCI-PSA-2020-09)
  Affected product: victor Web Client
  Overview: Vulnerability impacting versions of victor Web Client
  Mitigation: Upgrade all versions of victor Web Client to v5.6.
  Initial publication date: October 8, 2020
  Last updated: October 8, 2020

Sur-Gard (JCI-PSA-2020-08)
  Affected product: Sur-Gard System 5 receivers
  Overview: Vulnerability impacting Sur-Gard System 5 receivers
  Mitigation: See link for mitigation options.
  Initial publication date: August 20, 2020
  Last updated: August 20, 2020

exacqVision (JCI-PSA-2020-07 v2)
  Affected product: exacqVision Web Service and exacqVision Enterprise Manager
  Overview: Vulnerability impacting exacqVision Web Service and exacqVision Enterprise Manager
  Mitigation: All users should upgrade exacqVision Web Service to version 20.06.4 or higher and exacqVision Enterprise Manager to version 20.06.5 or higher.
  Initial publication date: June 18, 2020
  Last updated: July 2, 2020

C•CURE 9000/victor (JCI-PSA-2020-4 v4)
  Affected product: Software House C•CURE 9000 and American Dynamics victor Video Management System
  Overview: Vulnerability impacting Software House C•CURE 9000 and American Dynamics victor Video Management System software installer.
  Mitigation: See link for mitigation options.
  Initial publication date: May 21, 2020
  Last updated: June 2, 2020

Kantech EntraPass (JCI-PSA-2020-6 v1)
  Affected product: All versions of Kantech EntraPass editions up to and including v8.22
  Overview: Vulnerability impacting system permissions for all versions of Tyco Kantech EntraPass Security Management Software Editions.
  Mitigation: All users should upgrade Kantech EntraPass Editions to version 8.23.
  Initial publication date: May 26, 2020
  Last updated: May 26, 2020

BCPro (JCI-PSA-2020-5 v1)
  Affected product: BCPro
  Overview: Vulnerability impacting the BCPro and BCT software.
  Mitigation: A patch has been developed to address this issue.
  Initial publication date: April 23, 2020
  Last updated: April 23, 2020

Metasys XXE (JCI-PSA-2020-3 v1)
  Affected product: Metasys Server
  Overview: Vulnerability impacting the Metasys Server software products and some network engines.
  Mitigation: A patch has been developed to address this issue.
  Initial publication date: March 10, 2020
  Last updated: March 10, 2020

SmartService API (JCI-PSA-2020-2 v1)
  Affected product: Kantech EntraPass
  Overview: Vulnerability impacting the SmartService API Service option in some editions of Kantech EntraPass.
  Mitigation: Upgrade impacted Kantech EntraPass Global and Corporate edition software to version 8.10.
  Initial publication date: March 10, 2020
  Last updated: March 10, 2020

Elasticsearch Kibana (JCI-PSA-2020-1 v1)
  Affected product: Metasys Server 10.0 using Kibana version 6.2.3
  Overview: Vulnerabilities impacting Elasticsearch/Kibana visualizer component.
  Mitigation: Remove the Windows component called Kibana-6.2.3 from computers running Metasys Server (Release 10.0).
  Initial publication date: January 31, 2020
  Last updated: January 31, 2020

2019 Product Security Advisories

Flexera FlexNet Publisher (JCI-PSA-2019-12 v1)
  Affected product: Software House C•CURE v2.70 and earlier running FlexNet Publisher version 11.16.1.0 and earlier
  Overview: Vulnerabilities impacting the Flexera FlexNet Publisher licensing manager
  Mitigation: Install C•CURE 9000 v2.70 Service Pack 3 Critical Update 05 (Unified 3.70 SP3 CU05) or upgrade to C•CURE 9000 v2.80
  Initial publication date: December 3, 2019
  Last updated: December 3, 2019

PC Annunciator (JCI-PSA-2019-11 v1)
  Affected product: TrueAlarm Fire Alarm System, 4190 PC Annunciator
  Overview: Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. “BlueKeep”)
  Mitigation: Apply all applicable Microsoft security updates
  Initial publication date: November 21, 2019
  Last updated: November 21, 2019

Facility Explorer (JCI-PSA-2019-10 v1)
  Affected product: Facility Explorer FX 14.7.2, FX 14.4, FX 6.5
  Overview: Vulnerabilities exist in the QNX operating system used in Facility Explorer
  Mitigation: Apply available QNX patch or update
  Initial publication date: October 30, 2019
  Last updated: October 30, 2019

Metasys ICS-CERT Advisory ICSA-19-227-01 (JCI-PSA-2019-06 v1; CVE-2019-7593, CVE-2019-7594)
  Affected product: Metasys® ADS/ADX servers and NAE/NIE/NCE engines, versions prior to 9.0.
  Overview: An attacker with access to the shared RSA key pair or a hardcoded RC2 key could potentially decrypt captured network traffic between the Metasys® ADS/ADX servers or NAE/NIE/NCE engines and the connecting Site Management Portal (SMP) user client.
  Mitigation: These issues were addressed in version 9.0 of these Metasys® components. We recommend upgrading all Metasys® ADS/ADX servers and NAE/NIE/NCE engines to at least version 9.0 to assure all enhancements in this latest release are active. Sites should also be configured with trusted certificates.
  Initial publication date: August 15, 2019
  Last updated: August 15, 2019

Bluetooth “KNOB” attack or BR/EDR Key Negotiation Vulnerability, CVE-2019-9506 (JCI-PSA-2019-08 v1)
  Affected product: Find out more from the NIST National Vulnerability Database (NVD) and the MITRE CVE® List. Security advisories for affected products will be appended to this web page as they are made available. The PSA IDs for each product-specific advisory have a common root followed by “.x”, where x is the instance number (JCI-PSA-2019-08.x).
  Overview: A researcher has identified a vulnerability that affects Bluetooth devices that employ Bluetooth BR/EDR Bluetooth Core specification versions 1.0 through 5.1.
  Mitigation: Refer to respective Product Security Advisories (when released)
  Initial publication date: August 13, 2019
  Last updated: August 13, 2019

JCI-PSA-2019-03 (ICS-CERT advisory ICS-CERT-19-199-01)
  Please visit the ICS-CERT advisory for complete information and additional resources.
  Affected product: exacqVision Server 9.6 and 9.8 application running on Windows operating system (all supported versions of Windows).
  Overview: On March 28, 2019, Tyco security solutions published a product security advisory for exacqVision Server Application.
  Mitigation: Please reference the linked Johnson Controls advisory to find mitigation steps.
  Initial publication date: March 28, 2019
  Last updated: July 18, 2019

TrueInsight Module Vulnerability (JCI-PSA-2019-05)
  Affected product: TrueInsight modules used to connect the Simplex® 4007ES, 4010ES, 4100ES, and 4100U Fire Alarm Control Panels
  Overview: This vulnerability impacts all TrueInsight modules. If properly exploited, this vulnerability could result in unauthorized access to the fire system. Unfortunately, there is no patch available to fix the vulnerability.
  Mitigation: Please reference the linked Johnson Controls advisory to find mitigation steps.
  Initial publication date: July 8, 2019
  Last updated: July 8, 2019

Microsoft® Remote Desktop Services Remote Code Execution Vulnerability (a.k.a. “BlueKeep”)
  Affected product: Vulnerable in-support systems include Windows 7 operating system, Windows Server® 2008 R2, and Windows Server 2008 systems. Out-of-support but affected operating systems include Windows Server 2003 and Windows XP® operating systems.
  Overview: Microsoft discovered a vulnerability in its Remote Desktop service that is included in most versions of a wide variety of its operating systems. Although this vulnerability is not associated with any specific Johnson Controls application, it does impact the computer environments that can host those applications.
  Mitigation: Microsoft has released a product update that patches this security issue. Please reference the linked advisory to find mitigation steps.
  Initial publication date: May 22, 2019
  Last updated: May 22, 2019

ICS-CERT Advisory ICSA-19-163-01
  Please visit the ICS-CERT advisory for complete information and additional resources.
  Affected product: exacqVision (ESM) v5.12.2 and all prior versions of ESM running on a Windows operating system. This issue does not impact Linux deployments with permissions that are not inherited from the root directory.
  Overview: On February 15, 2019, Tyco security solutions published a product security advisory for exacqVision Enterprise System Manager (ESM).
  Mitigation: Please reference the linked Tyco advisory to find mitigation steps.
  Initial publication date: February 15, 2019
  Last updated: March 28, 2019


2018 Product Security Advisories

Facility Explorer™ Path Traversal and Improper Authentication Vulnerabilities (CPP-PSA-20180-02 v1; ICS-CERT Notice ICSA-19-022-01; CVE-2017-16744, CVE-2017-16748)
  Please visit the ICS-CERT notice for complete information and additional resources.
  Affected product: Facility Explorer 6.x (Niagara AX Framework™) systems, prior to 6.6; Facility Explorer 14.x (Niagara 4) systems, prior to 14.4u1
  Overview: Facility Explorer Software Release 6.6 and 14.4u1 includes several fixes and important vulnerability mitigations for cybersecurity protection.
  Mitigation: Customers should upgrade to the latest available product versions. Johnson Controls recommends taking steps to minimize risks to all building automation systems. The Department of Homeland Security’s ICS-CERT also provides a section for Control Systems Security Recommended Practices.
  Initial publication date: January 11, 2018
  Last updated: September 4, 2018

Metasys® Building Automation System (BAS) Information Disclosure Vulnerability (ICSA-14-350-02; ICS-CERT Notice ICSA-18-212-02; CVE-2018-10624)
  Please visit the ICS-CERT notice for complete information and additional resources.
  Affected product: Metasys system versions 8.0 and prior. BCM (now BC Pro) all versions prior to 3.0.2.
  Overview: A previous version of the Metasys BAS could potentially reveal technical information when an authentication error occurs in the BAS server.
  Mitigation: Customers should upgrade to the latest product versions. Contact your Johnson Controls Sales or Service representative for details. Johnson Controls recommends taking steps to minimize risks to all BASs. Please reference our Metasys Security Page. The Department of Homeland Security’s ICS-CERT also provides a section for Control Systems Security Recommended Practices.
  Initial publication date: March 17, 2015
  Last updated: August 27, 2018

"Meltdown" and "Spectre" Vulnerabilities, CERT Vulnerability Note VU#584653 (Pub # GPS-PSA-2018-02)
  Affected product: Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products.
  Overview: Researchers recently disclosed new security vulnerabilities that impact aspects of many modern processors and that could be exploited to allow an attacker to obtain access to sensitive data. These vulnerabilities allow for side-channel attacks to read data from memory. These vulnerabilities can affect personal computers, mobile devices, and the cloud. Although there are currently no known workarounds, below are some suggested actions that customers can take in the short term to reduce their risks:
  Mitigation: Check this site regularly for updated information. As always, prior to deploying software patches or updates, test such patches or updates on non-production systems and follow all vendor instructions and warnings to ensure such patches or updates do not impair system functionality. Although not specific to this vulnerability, always implement proper building system and corporate network segmentation and boundary security and access controls.
  Initial publication date: January 10, 2018
  Last updated: January 26, 2018


2017 Product Security Advisories

“KRACK” Wi-Fi Vulnerability Attacks: CERT Vulnerability Note VU#228519
  Affected product: Johnson Controls Product Security Incident Response Team (PSIRT) is assessing potential impact to Johnson Controls products. Update to follow.
  Overview: A significant weakness in a commonly used Wi-Fi security protocol was announced recently which could put the confidentiality of data transferred through wireless at risk. The attack, dubbed “KRACK”, targets a newly discovered weakness in the WPA2 protocol, which is commonly used to secure Wi-Fi networks. An attacker within range of a victim can potentially exploit these weaknesses to access some types of information transmitted between wireless clients and wireless network access points, thereby reducing the confidentiality and integrity of the data being transmitted.
  Initial publication date: October 16, 2017
  Last updated: November 16, 2017

US CERT Alert TA17-132A017-0143 “Indicators Associated with WannaCry Ransomware”
  Affected product: All Metasys® software releases running on affected OS’, all NxE55 series, all NxE85 series and LCS8520
  Overview: IT systems worldwide have been affected by a prolific ransomware attack which leverages a Microsoft SMB protocol vulnerability which may affect some Metasys system components.
  Mitigation: Apply Microsoft patch for MS17-010 for host operating systems. Contact your JCI Field Representative for remediation details for specific Metasys products.
  Initial publication date: May 12, 2017
  Last updated: June 7, 2018


2015 Product Security Advisories

ICSA-14-350-02
  Affected product: Metasys® releases 4.1 to 6.5: ADS, ADX, LCS8520, NAE, NIE, NxE8500
  Overview: Independent security researcher Billy Rios identified two vulnerabilities in Johnson Controls Metasys® building automation system.
  Mitigation: Johnson Controls has produced patches for each affected release that mitigate these vulnerabilities. Contact your Johnson Controls representative for more information.
  Initial publication date: March 17, 2015
  Last updated: August 27, 2018


2014 Product Security Advisories

CVE-2014-0160 "Heartbleed"
  Affected product: None
  Overview: A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data.
  Mitigation: No mitigation required
  Initial publication date: August 8, 2014
  Last updated: August 25, 2015

CVE-2014-6271 "Shellshock"
  Affected product: None
  Overview: A flaw in the GNU Bourne-Again Shell (Bash) could allow an attacker to remotely execute shell commands.
  Mitigation: No mitigation required
  Initial publication date: September 25, 2014
  Last updated: August 25, 2015

CVE-2014-3566, US-CERT Alert TA-14290A
  Affected product: Metasys® Release 6.5, 7.0, 8.0: Application and Data Server (ADS), Extended Application and Data Server (ADX), ADS-Lite, Open Data Server (ODS), Metasys® Advanced Reporting System, Metasys® Export Utility, Ready Access Portal, and Metasys® User Interface (UI) Release 1.5, 1.5.1, and 2.0
  Overview: Commonly referred to as Padding Oracle on Downgraded Legacy Encryption (POODLE), this vulnerability may allow an attacker to decrypt cipher text using a padding oracle side channel attack. The attack leverages the ability for the communication to be downgraded to SSL V3, an older and less secure version of SSL which is vulnerable to attack.
  Mitigation: This does not involve any patches or updates to our products, simply a reminder to address this at the Microsoft operating system level. Disable SSLv3 on the server and standalone computers hosting the affected Metasys software.
  Initial publication date: October 17, 2014
  Last updated: September 30, 2016




If you are aware of a potential security vulnerability in a Johnson Controls product, service or solution, or have a product security question, please contact us at productsecurity@jci.com.

Please use a downloadable PGP key to secure communications.




When submitting a concern, please include the following information:

  • Complete product name and version
  • Description of the concern or the potential vulnerability and the steps necessary for our staff to reproduce
  • A brief description of the potential impact
  • A reliable method to contact you
  • Supporting documentation, if available

Thanks to all who partner with us to create a smarter, safer, more sustainable world.



Disclaimer: The cybersecurity information presented on this website is intended to be informational only and is provided on an "as is" basis. Johnson Controls makes no representation or warranty (express or implied) that compliance with any of these practices, or the taking of any the actions, identified herein will ensure the security of any product or system, or prevent any unauthorized access or damage caused by a cyber incident. Johnson Controls disclaims all liability for any damages that may occur despite compliance with any of these practices, or the taking of any the actions, identified herein.