FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution for monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Community Manager
Article Id 357192
Description This article discusses JAZZ-213: Raising a large number of Sensors causes API errors
Scope FortiDLP.
Solution

Release Date:

10 July 2019.

 

Overview:

Data for entities with a large number of alarms and sensors will be unavailable via the API. This affects endpoints returning entity metadata and event data of all types, and can therefore impede investigation of an entity.

 

Affected Products:

The following products or components have been identified as affected by this vulnerability:

  • Jazz Infrastructure: versions up to and including 5.0.2.
  • Jazz Cloud: before 8 July 2019.

 

Unaffected Products:

The following products or components are unaffected:

  • Jazz Infrastructure: versions since 5.0.3.
  • Jazz Agent: all versions.
  • Jazz Cloud: since 8 July 2019.

 

Resolution:

This issue has been fixed in Jazz Infrastructure version 5.0.3.

 

It is strongly recommended that all On-Premises installations running an affected version upgrade to the latest release as soon as possible. Releases are available to download through the Jazz Networks support portal.

 

A mitigation was deployed to the Jazz Cloud on 8 July 2019. Jazz Cloud customers do not need to take any additional action.

 

Vulnerability Information:

API endpoints that return alarm data will return an HTTP 429 error if the alarms contain a large number of sensors. An attacker with access to a machine running the Jazz Agent is able to trigger an arbitrary number of sensors and can therefore deny access to data.

 

Affected endpoints are: api/v1/alarms/log/riskquery, api/v1/nodes/<id>, api/v1/user/<id>
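
On an installation still running an affected version, repeated HTTP 429 responses on the endpoints above show which entities have become unavailable for investigation. The following is an added example, not code from Jazz Networks or Fortinet: it assumes API access logs in NCSA common log format (for instance from a reverse proxy in front of the API), and the sample lines, addresses, IDs and the `/api/v1/other` path are constructed.

```python
import re
from collections import Counter

# Endpoint paths listed in the advisory; <id> is matched as one path segment.
AFFECTED = [
    re.compile(r"^/api/v1/alarms/log/riskquery/?$"),
    re.compile(r"^/api/v1/nodes/[^/]+/?$"),
    re.compile(r"^/api/v1/user/[^/]+/?$"),
]

# Assumption: NCSA common log format, e.g. written by a reverse proxy.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (addresses, IDs and /api/v1/other are made up).
SAMPLE_LOG = [
    '192.0.2.10 - analyst [27/Jun/2019:09:14:02 +0000] "GET /api/v1/nodes/node-0001 HTTP/1.1" 429 0',
    '192.0.2.10 - analyst [27/Jun/2019:09:14:09 +0000] "GET /api/v1/nodes/node-0001 HTTP/1.1" 429 0',
    '192.0.2.10 - analyst [27/Jun/2019:09:15:40 +0000] "GET /api/v1/user/user-0042 HTTP/1.1" 429 0',
    '192.0.2.11 - analyst [27/Jun/2019:09:16:01 +0000] "GET /api/v1/nodes/node-0002 HTTP/1.1" 200 5120',
    '192.0.2.11 - analyst [27/Jun/2019:09:16:30 +0000] "POST /api/v1/alarms/log/riskquery HTTP/1.1" 429 0',
    '192.0.2.12 - analyst [27/Jun/2019:09:17:00 +0000] "GET /api/v1/other HTTP/1.1" 429 0',
]


def affected_429s(lines, min_hits=1):
    """Return {path: count} of HTTP 429 responses on the affected endpoints.

    429 is also used for ordinary rate limiting, so raise min_hits to keep
    only paths that fail repeatedly.
    """
    hits = Counter()
    for line in lines:
        m = REQUEST.search(line)
        if m is None or m.group("status") != "429":
            continue
        path = m.group("target").split("?", 1)[0]  # drop any query string
        if any(p.match(path) for p in AFFECTED):
            hits[path.strip("/")] += 1
    return {path: n for path, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for path, n in sorted(affected_429s(SAMPLE_LOG).items()):
        print(f"{n:3d}  {path}")
```

A node or user ID that appears here repeatedly is an entity whose data cannot be retrieved until the upgrade to 5.0.3 is applied.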

 

Acknowledgments:

Issue found internally by Jazz Networks.

 

Disclosure Timeline:

  • 26/06/2019 Issue found internally by Jazz Networks.
  • 27/06/2019 Root cause established.
  • 27/06/2019 Fix identified.
  • 08/07/2019 Patched Jazz Cloud released.
  • 09/07/2019 Patched Jazz Infrastructure released.
  • 10/07/2019 Vulnerability publicly disclosed.