CVE-2024-45526 Information

From OPC Labs Knowledge Base
Revision as of 18:14, 26 October 2024 by User

About the vulnerability

The vulnerability allows an unauthorized attacker to trigger a gradual degradation in performance.

Assessment

The vulnerability affects OPC UA operations in all existing QuickOPC and Excel Connector versions, i.e. up to version 2024.1 (internal version number 5.80), any build or revision, because they reference OPCFoundation/UA-.NETStandard library versions that contain the vulnerability.

Actions

The workaround is to prevent saving the rejected certificates after authentication failure, e.g. by removing permissions to the corresponding folder of the directory certificate store, or by setting the RejectedStorePath property in the application manifest to an empty string.
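
A check that the workaround is in effect, as an added example (not OPC Labs code): it counts what has already accumulated in the rejected certificate store folder and probes whether the current account can still create files there. The store path is supplied by the operator (the page does not give it); the function name, result fields and threshold are assumptions.

```python
import os
import sys
import tempfile

def audit_rejected_store(path, warn_entries=1000):
    """Check whether rejected certificates can still accumulate in `path`.

    path: rejected certificate store directory (assumption: supplied by the
    operator; "" models an empty RejectedStorePath). warn_entries is an
    arbitrary illustrative threshold. Run under the OPC UA application's account.
    """
    result = {"state": "disabled", "entries": 0, "bytes": 0,
              "writable": False, "over_threshold": False}
    if not path:
        return result              # nothing is saved, nothing to audit
    if not os.path.isdir(path):
        result["state"] = "missing"
        return result

    for root, _dirs, files in os.walk(path):
        for name in files:
            result["entries"] += 1
            try:
                result["bytes"] += os.path.getsize(os.path.join(root, name))
            except OSError:
                pass               # unreadable or just removed; still counted

    # Probe by really creating a file: os.access() does not evaluate Windows ACLs.
    try:
        with tempfile.NamedTemporaryFile(dir=path, prefix="probe-"):
            pass                   # deleted again on close
        result["writable"] = True
    except OSError:
        pass

    result["over_threshold"] = result["entries"] >= warn_entries
    result["state"] = "writable" if result["writable"] else "locked"
    return result

if __name__ == "__main__":
    report = audit_rejected_store(sys.argv[1] if len(sys.argv) > 1 else "")
    print(report)
    # Exit 0 only when saving is disabled or the folder is locked.
    sys.exit(0 if report["state"] in ("disabled", "locked") else 1)
```

A "writable" result means rejected certificates can still be saved; a non-zero entry count on a "locked" folder is what accumulated before the permissions were removed.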

The vulnerability will be addressed in QuickOPC, Excel Connector and OPC Wizard version 2024.2 (internal version number 5.81) and higher, by referencing version 1.5.374.118 or later of the OPCFoundation/UA-.NETStandard library. The expected release date is November 2024.