CVE-2024-45526 Information
Latest revision as of 06:42, 4 December 2024
About the vulnerability
The vulnerability allows an unauthorized attacker to trigger a gradual degradation in performance.
Assessment
The vulnerability affects OPC UA operations in all existing QuickOPC and Excel Connector versions, i.e. up to version 2024.1 (internal version number 5.80), any build or revision, because they reference versions of the OPCFoundation/UA-.NETStandard library that contain the vulnerability.
Actions
The workaround is to prevent saving the rejected certificates after authentication failure, e.g. by removing permissions to the corresponding folder of the directory certificate store, or by setting the RejectedStorePath property in the application manifest to an empty string.
The vulnerability is addressed in OPC Studio (QuickOPC, Excel Connector and OPC Wizard) version 2024.2 (internal version number 5.81) and higher, by referencing version 1.5.374.118 or later of the OPCFoundation/UA-.NETStandard library. OPC Studio 2024.2 was released on November 11, 2024.
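One way to check that the workaround has taken effect on a host is to confirm that no new files are appearing in the rejected-certificate folder. The script below is an added example, not part of the vendor bulletin or product. It assumes the folder path is passed in by the operator and that rejected certificates are stored as `.der`, `.cer` or `.crt` files.

```python
import os
import sys
import time
from pathlib import Path

# Assumed extensions for stored certificates; adjust to match the deployment.
CERT_SUFFIXES = {".der", ".cer", ".crt"}

def _raise(err):
    raise err  # make os.walk surface permission errors instead of hiding them

def audit_rejected_store(store_dir, window_hours=24.0, now=None):
    """Count certificate files under store_dir and flag ones written recently."""
    now = time.time() if now is None else now
    report = {"status": "ok", "cert_files": 0, "total_bytes": 0,
              "recent_files": 0, "newest": None}
    root = Path(store_dir)
    if not root.is_dir():
        report["status"] = "missing"      # nothing is being saved at this path
        return report
    try:
        for dirpath, _dirs, files in os.walk(root, onerror=_raise):
            for name in files:
                path = Path(dirpath) / name
                if path.suffix.lower() not in CERT_SUFFIXES:
                    continue
                st = path.stat()
                report["cert_files"] += 1
                report["total_bytes"] += st.st_size
                if report["newest"] is None or st.st_mtime > report["newest"]:
                    report["newest"] = st.st_mtime
                if now - st.st_mtime <= window_hours * 3600:
                    report["recent_files"] += 1
    except PermissionError:
        report["status"] = "unreadable"   # this account cannot list the folder
        return report
    if report["recent_files"]:
        report["status"] = "still-growing"  # rejected certificates are still saved
    return report

if __name__ == "__main__":
    # Usage: python audit_rejected_store.py <rejected-store-folder> [window-hours]
    hours = float(sys.argv[2]) if len(sys.argv) > 2 else 24.0
    result = audit_rejected_store(sys.argv[1], hours)
    print(result)
    sys.exit(1 if result["status"] == "still-growing" else 0)
```

Run it under an account that can read the folder; a `still-growing` status after the workaround was applied means rejected certificates are still being written.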