Schneider Electric has new software to mitigate multiple vulnerabilities in the Java Runtime Environment running on its Trio TView, according to a report with ICS-CERT.
Trio TView Software, TBUMPROG-TVIEW, Version 3.27.0 and prior are affected by the issues, which were discovered by Karn Ganeshen.
Exploitation of these vulnerabilities may allow a remote attacker to compromise the Trio TView Management Suite.
Public exploits are available. The product sees use in the energy sector on a global basis. An attacker with a low skill level would be able to leverage the vulnerabilities.
A Java Runtime Environment is provided with TView. The Java Runtime Environment 1.6.0u27 is reported to have multiple vulnerabilities which may impact TView Version 3.27.0 and earlier.
The breakdown of the vulnerabilities by CVSS score is as follows:
• 180 vulnerabilities have a CVSS base score of 7.0-10
• 161 vulnerabilities have a CVSS base score of 4.0-6.9
• 24 vulnerabilities have a CVSS base score of 0.0-3.9
For more information on these vulnerabilities, see Schneider Electric Security Notification SEVD-2017-199-01.
The Java Runtime Environment 1.8.0u131 is provided with TView Version 3.29.0 and is not affected by these vulnerabilities.
Schneider Electric recommends users obtain the software with the fix for these vulnerabilities.