Rockwell Automation reports multiple flaws vulnerabilities in DataMosaix Private Cloud
Take action: If you are using DataMosaix Private Cloud, make sure it's isolated and only accessible from secure networks. Then patch it ASAP - it has some very serious flaws.
Learn More
Rockwell Automation has identified multiple security vulnerabilities affecting its DataMosaix Private Cloud product, which could result in severe impacts such as denial of service, unauthorized access to user data, or remote code execution.
FactoryTalk DataMosaix Private Cloud by Rockwell Automation is an Industrial DataOps platform designed to streamline the extraction, contextualization, and usability of industrial data across an organization.
-
CVE-2019-9893 (CVSS score 9.8) – Reliance on Insufficiently Trustworthy Component - A flaw in the libseccomp library allows attackers to bypass security filters, potentially leading to privilege escalation and remote code execution.
-
CVE-2019-17543 (CVSS score 9.3) – Out-of-bounds Write - A buffer overflow in the LZ4 compression library could lead to data corruption or allow remote code execution.
-
CVE-2019-18276 (CVSS score 9.3) – Improper Check for Dropped Privileges - A vulnerability in GNU Bash could allow an attacker to elevate privileges and execute commands remotely.
-
CVE-2019-19244 (CVSS score 8.7) – Reliance on Insufficiently Trustworthy Component - A vulnerability in SQLite could crash the system, leading to denial of service, requiring a system restart.
-
CVE-2019-9923 (CVSS score 8.7) – NULL Pointer Dereference - A vulnerability in GNU Tar could lead to denial of service through a NULL pointer dereference.
-
CVE-2019-14855 (CVSS score 8.5) – Inadequate Encryption Strength - A vulnerability in GnuPG related to the SHA-1 algorithm allows threat actors to forge certificate signatures, potentially exposing user data.
These vulnerabilities affect DataMosaix Private Cloud versions 7.07 and prior.
The successful exploitation of these vulnerabilities could allow attackers to:
- Access sensitive user data.
- Cause system crashes, leading to denial of service.
- Execute arbitrary code remotely, potentially gaining full control over affected systems.
Rockwell Automation has addressed these vulnerabilities in version 7.09 of DataMosaix Private Cloud and recommends users update to this or a later version.
